Enomaly ECP: Multiple vulnerabilities in VMcasting protocol & implementation. Synopsis Enomaly ECP up to and including v3.0.4 is believed to contain an insecure silent update mechanism that could allow a remote attacker to execute arbitrary code as root, and to inject or modify VM workloads for execution within user environment or to replay older, insecure workloads. Both the Enomaly ECP implementation and the VMcasting protocol itself are believed to be vulnerable. Background Enomaly ECP is management software for virtual machines in cloud computing environments. Description Sam Johnston (http://samj.net/) of Australian Online Solutions (http://www.aos.net.au) reported that the vmfeed module, an insecure implementation of the insecure VMcasting protocol (http://www.vmcasting.org/) includes a silent update mechanism that downloads and executes Python code from Enomaly's corporate web server (http://enomaly.com/fileadmin/eggs/) over HTTP, without authentication or integrity checks. The code is triggered when the "application/python-egg" MIME type is encountered. The module also contains functionality for downloading workloads (virtual machines) from a feed which is itself retrieved over HTTP. While the VMcasting protocol (http://www.vmcasting.org/) describes a mechanism for digitally signing payloads, the mechanism is not implemented and there is no requirement to transfer feeds securely (e.g. over HTTPS). The implementation itself actively rejects URLs that do not start with "http" or "ftp" with an error. The module has the following feeds hardcoded: - Enomalism VMCasting Test Feed [http://enomalism.com/vmcast_appliances.php] - VMCasting Production Module Feed [http://enomalism.com/vmcast_modules.php] Impact Combined with the ability to intercept requests to Enomaly's corporate web server by other means such as ARP or DNS spoofing, or compromise the server itself or any intermediary server, it may be possible to execute arbitrary commands as the root user on any server requesting the feeds. It may also be possible for an attacker to run workloads of their choice, to modify existing workloads and to replay old, known-insecure workloads (even if signed). Workaround Resolve enomalism.com and enomaly.com to 127.0.0.1 in affected servers' hosts files or migrate to OpenECP which includes fixes for the vulnerabilities. Resolution There is no resolution at this time as the feature cannot be disabled. Vendor did not confirm whether subsequent/future releases [will] address the problem. History 2009-11-02 Open source distributions for Enomaly ECP removed from Internet. 2010-01-06 Email request for open source code Enomaly ECP code denied by CEO. 2010-02-03 Public discussion of vulnerability, verified in current source. 2010-02-03 Strategic Advisor & Board Member claims "Many of the items have been addressed in [Service Provider Edition and soon to be released High Assurance] editions. We will review your comments above for future inclusion into our product road map". Fails to identify which issues remain. 2010-02-09 OpenECP forked from Enomaly ECP, resolves vulnerabilities. 2010-02-09 Chief Technologist claims "ECP 3.0 is a significantly different product than 2.0 servicing different market needs. [...] Technically ECP2.0 was Enomalism 2.0, not the Elastic Computing platform." 2010-02-10 Changelogs showing common lineage are removed from Internet. 2010-02-?? http://src.enomaly.com is restored claiming "Our current platform, Enomaly ECP Service Provider Edition, is a completely different product." 2010-02-16 Vulnerability report released unverified.