Arbit Data Diode AD-3852

2022-05-09 13:00(CET), Information about Arbit Data Diode pitcherrestapi vulnerabilities.

Arbit Data Diode - pitcherrestapi vulnerabilities

The Arbit Data Diode pitcherrestapi package has several vulnerabilities in the vault_rest endpoint.
If a pitcher server is configured in a way that allows an attacker to exploit the vulnerabilities in the vault_rest endpoint, the attacker may be able to obtain root access on the pitcher server.
This does not affect the diode principle, however, as that is enforced in hardware.

How to detect a vulnerable configuration

If one or more so-called "vault services" are configured on the pitcher server, it may be vulnerable.

If the following command
cat /etc/pitcher/services | grep IsVault | wc -l
gives the result 0, the configuration is not vulnerable; any other result means the configuration is vulnerable.

Arbit Data Diode users with a vulnerable configuration are encouraged to update the pitcherrestapi package as soon as possible. Updates are available in the Arbit repositories; see below.
If an upgrade is not possible for some reason, see Mitigation.

How to detect vulnerable package versions

Distribution specific information and guides are listed below:

Ubuntu 16

Ubuntu 16 based Arbit Data Diode pitcher is not affected: although pitcherrestapi is vulnerable on Ubuntu 16, pitcher-configrestapi is not available on Ubuntu 16.

Ubuntu 18

Ubuntu 18 based Arbit Data Diode pitcher is affected if pitcherrestapi ≤ 1.5.7 and pitcher-configrestapi ≤ 0.2.4 are installed. Check the installed versions with

dpkg-query -l | grep restapi
If affected, an upgrade is required; see below.

CentOS 7/Red Hat 7

CentOS 7/Red Hat 7 based Arbit Data Diode is affected if pitcherrestapi ≤ 1.5.8 and pitcher-configrestapi ≤ 0.2.7 are installed. Check the installed versions with

rpm -qa | grep restapi
If affected, an upgrade is required; see below.

Red Hat 8

Red Hat 8 based Arbit Data Diode may be affected if pitcherrestapi ≤ 1.4.9 and pitcher-configrestapi ≤ 0.1.9 are installed. Check the installed versions with

rpm -qa | grep restapi
If affected, an upgrade is required; see below.
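The two detection steps above (vault services configured, and the affected package version pairs per distribution), as an added example that is not part of this advisory and not Arbit's own tooling: shell functions that read saved output of the advisory's commands from stdin, so the checks can be run offline on a captured services file and package listing. The contents of /etc/pitcher/services, the sample lines and the dpkg/rpm output shapes are assumptions; the version thresholds are the ones stated above.

```shell
#!/bin/sh
# Added example (not Arbit's own tooling): the advisory's two checks as shell
# functions that read captured command output from stdin, so a saved copy of
# /etc/pitcher/services and a saved package listing can be assessed offline.

# True if the services file on stdin defines a vault service (the advisory's
# `grep IsVault | wc -l` test, expressed as an exit status).
has_vault_service() { grep -q 'IsVault'; }
# Compare dotted numeric versions: prints -1, 0 or 1 for a<b, a=b, a>b.
vercmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, pa, "."); nb = split(b, pb, "."); n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = (i <= na) ? pa[i] + 0 : 0; y = (i <= nb) ? pb[i] + 0 : 0
            if (x < y) { print -1; exit }
            if (x > y) { print 1; exit }
        }
        print 0
    }'
}
# Print a package's version from `dpkg-query -l` or `rpm -qa` output on stdin.
# Assumed line shapes: "ii  name  1.5.7  arch  desc" and "name-1.5.8-1.el7.x86_64".
pkg_version() {
    awk -v p="$1" '
        $1 == "ii" && $2 == p { print $3; exit }
        index($0, p "-") == 1 { v = substr($0, length(p) + 2); sub(/-[^-]*$/, "", v); print v; exit }'
}
# Exit 0 if both installed versions fall within the advisory's affected ranges
# for the distro (ubuntu18, el7 = CentOS/Red Hat 7, el8 = Red Hat 8); 2 if unknown.
versions_affected() {   # <distro> <pitcherrestapi version> <pitcher-configrestapi version>
    case "$1" in
        ubuntu18) rest_max=1.5.7; conf_max=0.2.4 ;;
        el7)      rest_max=1.5.8; conf_max=0.2.7 ;;
        el8)      rest_max=1.4.9; conf_max=0.1.9 ;;
        *)        return 2 ;;
    esac
    [ "$(vercmp "$2" "$rest_max")" -le 0 ] && [ "$(vercmp "$3" "$conf_max")" -le 0 ]
}
# Demo on constructed input: a CentOS 7 host with one vault service and the last
# affected package versions. On a real host, pipe the live commands in instead.
services='# constructed services excerpt
IsVault=true'
listing='pitcherrestapi-1.5.8-1.el7.x86_64
pitcher-configrestapi-0.2.7-1.el7.x86_64'
rest=$(printf '%s\n' "$listing" | pkg_version pitcherrestapi)
conf=$(printf '%s\n' "$listing" | pkg_version pitcher-configrestapi)
if printf '%s\n' "$services" | has_vault_service && versions_affected el7 "$rest" "$conf"; then
    echo "VULNERABLE: vault service configured with pitcherrestapi $rest, pitcher-configrestapi $conf"
else
    echo "not vulnerable: no vault service configured, or packages already upgraded"
fi
```

On a live host, replace the constructed strings with `cat /etc/pitcher/services | has_vault_service` and `rpm -qa | pkg_version pitcherrestapi` (or `dpkg-query -l` on Ubuntu 18).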

Mitigation

Disable all vault services on the pitcher server until an upgrade can be applied. If the vault services cannot be disabled, make sure that Tomcat does not have write access to the webapps directory:
  • CentOS/Red Hat 7: sudo chown -Rv root:root /var/lib/tomcat/webapps
  • Red Hat 8: sudo chown -Rv root:root /var/lib/tomcat9/webapps
  • Ubuntu 18: sudo chown -Rv root:root /var/lib/tomcat9/webapps

Upgrades

CentOS/Red Hat 7

An upgrade for CentOS/Red Hat 7 that fixes the vulnerability is now available and can be applied with
sudo yum update
if you have set up access to the Arbit software repository; see Arbit Data Diode for CentOS 7 for instructions. Note: you will need your license number and password to access the updates and instructions. You may also download pitcherrestapi.rpm directly and install it with:
sudo yum localinstall pitcherrestapi*.rpm

Red Hat 8

An upgrade for Red Hat 8 that fixes the vulnerability is now available and can be applied with
sudo yum update
if you have set up access to the Arbit software repository; see Arbit Data Diode for RedHat 8 for instructions. Note: you will need your license number and password to access the updates and instructions. You may also download pitcherrestapi.rpm directly and install it with:
sudo yum localinstall pitcherrestapi*.rpm

Ubuntu 18

An upgrade for Ubuntu 18 that fixes the vulnerability is now available and can be applied with
sudo apt update
sudo apt upgrade
if you have set up access to the Arbit software repository; see Arbit Data Diode Ubuntu for instructions. Note: you will need your license number and password to access the updates and instructions. You may also download pitcherrestapi.deb directly and install it with:
sudo dpkg -i pitcherrestapi*.deb

Ubuntu 16

The vulnerabilities in pitcherrestapi do not lead to root access on Ubuntu 16, so no upgrade is required there.