
Enomaly ECP 3.0.4 Insecure Silent Update Mechanism
Posted Feb 16, 2010
Authored by Sam Johnston

Enomaly ECP versions up to and including 3.0.4 are believed to contain an insecure silent update mechanism that could allow a remote attacker to execute arbitrary code as root, and to inject or modify VM workloads for execution within the user environment or to replay older, insecure workloads. Both the Enomaly ECP implementation and the VMcasting protocol itself are believed to be vulnerable.

tags | advisory, remote, arbitrary, root, protocol
SHA-256 | e16285c2f1ba9ebc8fd42584526dc51cf5c5ff2063e048b6d25545b604a2ead0

Enomaly ECP: Multiple vulnerabilities in VMcasting protocol & implementation.

Synopsis

Enomaly ECP up to and including v3.0.4 is believed to contain an insecure
silent update mechanism that could allow a remote attacker to execute
arbitrary code as root, and to inject or modify VM workloads for execution
within the user environment or to replay older, insecure workloads.

Both the Enomaly ECP implementation and the VMcasting protocol itself are
believed to be vulnerable.

Background

Enomaly ECP is management software for virtual machines in cloud computing
environments.

Description

Sam Johnston (http://samj.net/) of Australian Online Solutions
(http://www.aos.net.au) reported that the vmfeed module, an insecure
implementation of the insecure VMcasting protocol (http://www.vmcasting.org/),
includes a silent update mechanism that downloads and executes Python code
from Enomaly's corporate web server (http://enomaly.com/fileadmin/eggs/)
over HTTP, without authentication or integrity checks. The code is triggered
when the "application/python-egg" MIME type is encountered.

The module also contains functionality for downloading workloads (virtual
machines) from a feed which is itself retrieved over HTTP. While the VMcasting
protocol (http://www.vmcasting.org/) describes a mechanism for digitally
signing payloads, the mechanism is not implemented and there is no requirement
to transfer feeds securely (e.g. over HTTPS). The implementation itself
actively rejects URLs that do not start with "http" or "ftp" with an error.

The module has the following feeds hardcoded:
- Enomalism VMCasting Test Feed [http://enomalism.com/vmcast_appliances.php]
- VMCasting Production Module Feed [http://enomalism.com/vmcast_modules.php]

Impact

Combined with the ability to intercept requests to Enomaly's corporate web
server by other means such as ARP or DNS spoofing, or compromise the server
itself or any intermediary server, it may be possible to execute arbitrary
commands as the root user on any server requesting the feeds. It may also be
possible for an attacker to run workloads of their choice, to modify existing
workloads and to replay old, known-insecure workloads (even if signed).
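
Added example, not part of the original advisory and not Enomaly or OpenECP
code: the checks a feed consumer would need before accepting an enclosure,
covering transport, authentication, integrity and replay. The manifest layout,
key, host name and function names are assumptions, and HMAC stands in for a
public-key signature so the sketch runs on the standard library alone.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Assumptions (not from the advisory): manifest layout, key, host allowlist.
PINNED_KEY = b"constructed-demo-key"      # stand-in for a pinned vendor public key
ALLOWED_HOSTS = {"updates.example.org"}   # hypothetical update host


def manifest_mac(url, version, sha256_hex, key=PINNED_KEY):
    """Authenticate url, version and digest together so none can be swapped."""
    msg = "\n".join([url, str(version), sha256_hex]).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def verify_enclosure(entry, payload, last_version):
    """Return (ok, reason) for one feed enclosure; nothing is executed here."""
    parts = urlsplit(entry["url"])
    if parts.scheme != "https":
        return False, "insecure transport"
    if parts.hostname not in ALLOWED_HOSTS:
        return False, "unexpected host"
    expected = manifest_mac(entry["url"], entry["version"], entry["sha256"])
    if not hmac.compare_digest(expected, entry.get("mac", "")):
        return False, "bad manifest authentication"
    actual = hashlib.sha256(payload).hexdigest()
    if not hmac.compare_digest(actual, entry["sha256"]):
        return False, "payload digest mismatch"
    # A valid signature alone does not stop an old, known-insecure build
    # from being served again, so the version must strictly increase.
    if entry["version"] <= last_version:
        return False, "replayed or downgraded version"
    return True, "ok"


def make_entry(url, version, payload):
    """Build a constructed, correctly authenticated sample entry."""
    digest = hashlib.sha256(payload).hexdigest()
    return {"url": url, "version": version, "sha256": digest,
            "type": "application/python-egg",
            "mac": manifest_mac(url, version, digest)}


if __name__ == "__main__":
    egg = b"constructed egg bytes"
    good = make_entry("https://updates.example.org/eggs/mod-5.egg", 5, egg)
    print(verify_enclosure(good, egg, last_version=4))
    print(verify_enclosure(good, egg, last_version=5))  # authentic but replayed
```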

Workaround

Resolve enomalism.com and enomaly.com to 127.0.0.1 in affected servers' hosts
files or migrate to OpenECP which includes fixes for the vulnerabilities.

Resolution

There is no resolution at this time as the feature cannot be disabled. Vendor
did not confirm whether subsequent/future releases [will] address the problem.

History

2009-11-02 Open source distributions for Enomaly ECP removed from Internet.
2010-01-06 Email request for open source Enomaly ECP code denied by CEO.
2010-02-03 Public discussion of vulnerability, verified in current source.
2010-02-03 Strategic Advisor & Board Member claims "Many of the items have
been addressed in [Service Provider Edition and soon to be released High
Assurance] editions. We will review your comments above for future inclusion
into our product road map". Fails to identify which issues remain.
2010-02-09 OpenECP forked from Enomaly ECP, resolves vulnerabilities.
2010-02-09 Chief Technologist claims "ECP 3.0 is a significantly different
product than 2.0 servicing different market needs. [...] Technically ECP2.0
was Enomalism 2.0, not the Elastic Computing platform."
2010-02-10 Changelogs showing common lineage are removed from Internet.
2010-02-?? http://src.enomaly.com is restored claiming "Our current platform,
Enomaly ECP Service Provider Edition, is a completely different product."
2010-02-16 Vulnerability report released unverified.