Arbit Data Diode AD-3852
2022-05-09 13:00 (CET), information about Arbit Data Diode pitcherrestapi vulnerabilities.
Arbit Data Diode - pitcherrestapi vulnerabilities
The Arbit Data Diode pitcherrestapi package has several vulnerabilities in the vault_rest endpoint. If a pitcher server is configured in a way that allows an attacker to exploit the vulnerabilities in the vault_rest endpoint, the attacker could be able to achieve root access on the pitcher server. However, this doesn't affect the diode principle, as this is handled in hardware.
How to detect a vulnerable configuration
If one or more so-called "vault services" are configured on the pitcher server, it may be vulnerable.
If the following command
cat /etc/pitcher/services | grep IsVault | wc -l
gives the result 0, the configuration is not vulnerable;
any other result means the configuration is vulnerable.
Arbit Data Diode users with a vulnerable configuration are encouraged to update the pitcherrestapi package as soon as possible. Updates are available in the Arbit repositories, see below.
If an upgrade is not possible for some reason, see mitigation.
How to detect vulnerable package versions
Distribution-specific information and guides are listed below:
Ubuntu 16
Ubuntu 16 based Arbit Data Diode pitcher is not affected. Although pitcherrestapi is vulnerable on Ubuntu 16, pitcher-configrestapi is not available on Ubuntu 16.
Ubuntu 18
Ubuntu 18 based Arbit Data Diode pitcher is affected if pitcherrestapi ≤ 1.5.7 and pitcher-configrestapi ≤ 0.2.4 are installed. Check the installed versions with:
dpkg-query -l | grep restapi
If affected an upgrade is required, see below.
CentOS 7/Red Hat 7
CentOS 7/Red Hat 7 based Arbit Data Diode is affected if pitcherrestapi ≤ 1.5.8 and pitcher-configrestapi ≤ 0.2.7 are installed. Check the installed versions with:
rpm -qa | grep restapi
If affected an upgrade is required, see below.
Red Hat 8
Red Hat 8 based Arbit Data Diode may be affected if pitcherrestapi ≤ 1.4.9 and pitcher-configrestapi ≤ 0.1.9 are installed. Check the installed versions with:
rpm -qa | grep restapi
If affected an upgrade is required, see below.
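Added example, not from the advisory or from Arbit: shell helpers that apply the two detection checks above, counting IsVault lines in a services file and comparing installed pitcherrestapi / pitcher-configrestapi versions against the per-distribution thresholds. The services-file content and the distribution identifiers (ubuntu16, ubuntu18, rhel7, rhel8) are constructed here; on a real server the inputs come from /etc/pitcher/services and from dpkg-query -l or rpm -qa.

```bash
#!/bin/sh
# Added example, not part of the Arbit advisory: functions that apply the
# advisory's detection checks to given inputs (constructed data below).

# Vault-service check: count lines containing IsVault in a services file
# (the real file is /etc/pitcher/services). 0 means no vault service.
count_vault_services() {
  [ -f "$1" ] || { echo 0; return; }
  grep -c 'IsVault' "$1" || true
}

# True when $1 <= $2 as dotted versions (GNU sort -V ordering).
version_le() {
  [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# Version check. $1: ubuntu16|ubuntu18|rhel7|rhel8 (labels chosen here);
# $2: installed pitcherrestapi version; $3: installed pitcher-configrestapi
# version. Thresholds are the advisory's "affected if <= X" values.
affected_versions() {
  case "$1" in
    ubuntu18) max_api=1.5.7; max_cfg=0.2.4 ;;
    rhel7)    max_api=1.5.8; max_cfg=0.2.7 ;;
    rhel8)    max_api=1.4.9; max_cfg=0.1.9 ;;
    ubuntu16) echo not-affected; return 0 ;;  # pitcher-configrestapi not available
    *)        echo unknown-distro; return 2 ;;
  esac
  if version_le "$2" "$max_api" && version_le "$3" "$max_cfg"; then
    echo affected
  else
    echo not-affected
  fi
}

# Constructed stand-in for /etc/pitcher/services; the real file format is not
# reproduced, only the IsVault marker the advisory greps for.
make_sample_services() {
  f="$(mktemp)"
  printf 'transfer1\nvault1 IsVault\nvault2 IsVault\n' > "$f"
  echo "$f"
}

svc="$(make_sample_services)"
echo "vault services in sample: $(count_vault_services "$svc")"        # 2
echo "CentOS 7, 1.5.8/0.2.7: $(affected_versions rhel7 1.5.8 0.2.7)"  # affected
echo "CentOS 7, 1.5.9/0.2.7: $(affected_versions rhel7 1.5.9 0.2.7)"  # not-affected
rm -f "$svc"
```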
Mitigation
Disable all vault services on the pitcher server until an upgrade can be applied. If the vault services cannot be disabled, make sure that Tomcat does not have write access to the webapps directory:
- CentOS/Red Hat 7:
sudo chown -Rv root:root /var/lib/tomcat/webapps
- Red Hat 8:
sudo chown -Rv root:root /var/lib/tomcat9/webapps
- Ubuntu 18:
sudo chown -Rv root:root /var/lib/tomcat9/webapps
Upgrades
CentOS/Red Hat 7
An upgrade for CentOS/Red Hat 7 that fixes the vulnerability is now available and can be applied by
sudo yum update
if you have set up access to the Arbit software repository; see Arbit Data Diode for CentOS 7 for instructions. Note: you'll need your license number and password to access the updates and instructions. You may also download pitcherrestapi.rpm directly and install it:
sudo yum localinstall pitcherrestapi*.rpm
Red Hat 8
An upgrade for CentOS/Red Hat that fixes the vulnerability is now available and can be applied by
sudo yum update
if you have set up access to the Arbit software repository; see Arbit Data Diode for RedHat 8 for instructions. Note: you'll need your license number and password to access the updates and instructions. You may also download pitcherrestapi.rpm directly and install it:
sudo yum localinstall pitcherrestapi*.rpm
Ubuntu 18
An upgrade for Ubuntu 18 that fixes the vulnerability is now available and can be applied by
sudo apt update
sudo apt upgrade
if you have set up access to the Arbit software repository; see Arbit Data Diode Ubuntu for instructions. Note: you'll need your license number and password to access the updates and instructions. You may also download pitcherrestapi.deb directly and install it:
sudo dpkg -i pitcherrestapi*.deb
Ubuntu 16
The vulnerabilities in pitcherrestapi do not lead to root access.