ed_wilts

InsightIQ security (or lack thereof)

InsightIQ has an interesting security model.

Any user that can authenticate to the host it's residing on will automatically have administrative rights to InsightIQ.  Yes, that's right - if your host is in LDAP, all of your users suddenly have administrative rights.  They can add and delete users, turn off monitoring, wipe out your FSA data, etc.  The user doesn't even need a home directory. If you've installed IIQ on another system that has local users, those users also have administrative rights to InsightIQ.

EMC says that this is working as designed.  Does everybody else agree that the default should be to allow administrative access to the world?  I could understand if they were read-only, but to default to administrative access is just plain wrong.

9 Replies
Peter_Sero

Re: InsightIQ security (or lack thereof)

Make sure that users connect only through the InsightIQ WebGUI, which is controlled by the InsightIQ user management (admin plus read-only users).

If your host has network (LDAP etc) users, block all but the admins in the sshd settings.

-- Peter

ed_wilts

Re: InsightIQ security (or lack thereof)

This has nothing to do with ssh. 

There's nothing special about the administrator account - it's just a local account that has credentials.  I can't even ssh into the system with it because it doesn't have a home directory.

The InsightIQ user authentication is pretty simple:

1.  If the user has been added as a read only user, grant read access

2.  If the user has not been added, search PAM and find any credential that works (local passwd, LDAP).  If the user is found, grant administrator access.

The developers got this backwards.  It should be:

1.  If the user has been added as an administrator, grant administrator access

2.  If the user has not been added as an admin, see if the user has been added for read-only

3.  If neither is true, deny access.

Let's not forget that currently ANY user in LDAP has the ability to see every file name in every directory on the cluster via the FSA data.  That's a significant data leak if somebody has a file named something like "emc bankruptcy filing.docx"

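The two decision orders ed_wilts contrasts above, side by side, as an added illustration that is not InsightIQ code and not anything posted in this thread. The host account table is constructed sample data, and pam_authenticate() is a stand-in for a real PAM "auth" call (for example pam.authenticate() from the python-pam package), which would say "yes" for any account the host can authenticate, local or LDAP. ADMIN_USERS and READONLY_USERS are the application's own user lists; everything else is hypothetical.

```python
"""Authorization-ordering bug described in the thread, reconstructed as a toy.

Added example, not InsightIQ code. _HOST_ACCOUNTS is constructed sample data
and pam_authenticate() stands in for a real PAM 'auth' call, which answers
"yes" for any account the host knows about (local passwd or LDAP), whether or
not that account has anything to do with the monitoring application.
"""
import hmac

# Constructed stand-in for every credential the host will accept.
_HOST_ACCOUNTS = {
    "administrator": "s3cret-admin",  # the app's own local admin account
    "carol": "carol-pass",            # LDAP user, enrolled in the app as read-only
    "alice": "alice-pass",            # LDAP user, never enrolled in the app
    "svc-backup": "backup-pass",      # unrelated local service account
}

# Application-level user lists, as an admin would maintain them in the GUI.
ADMIN_USERS = {"administrator"}
READONLY_USERS = {"carol"}


def pam_authenticate(username, password):
    """Stand-in for PAM: true for *any* host credential, not just app users."""
    expected = _HOST_ACCOUNTS.get(username)
    return expected is not None and hmac.compare_digest(expected, password)


def authorize_as_described(username, password):
    """Decision order the post describes: read-only list first, and
    anything else PAM accepts is treated as an administrator."""
    if username in READONLY_USERS and pam_authenticate(username, password):
        return "read-only"
    if pam_authenticate(username, password):
        return "administrator"  # default-allow: every host/LDAP user lands here
    return None


def authorize_default_deny(username, password):
    """Order the post proposes: admin list, then read-only list, else deny.
    Authentication (PAM) and authorization (the app's own lists) stay separate."""
    if not pam_authenticate(username, password):
        return None
    if username in ADMIN_USERS:
        return "administrator"
    if username in READONLY_USERS:
        return "read-only"
    return None  # authenticated to the host, but not enrolled in the app


def admins_granted(decide):
    """Audit helper: which host accounts reach administrator under a given
    decision function, using their (constructed) correct passwords."""
    return {u for u, p in _HOST_ACCOUNTS.items() if decide(u, p) == "administrator"}


if __name__ == "__main__":
    print("as described :", sorted(admins_granted(authorize_as_described)))
    print("default-deny :", sorted(admins_granted(authorize_default_deny)))
```

The audit helper is the check worth running on a real host: walk the accounts the host can authenticate (getent passwd covers local and LDAP/SSSD users) and see which ones the application would treat as administrators. Under the described order that is everyone PAM knows; under the default-deny order it is exactly the admin list.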
Peter_Sero

Re: InsightIQ security (or lack thereof)

OK, if that happens on the WebGUI (which IIQ version?), something is indeed going horribly wrong.

This is neither intended nor documented behavior and should be recognized as a serious bug.

-- Peter

MRWA

Re: InsightIQ security (or lack thereof)

Hello ed.wilts,

First of all thank you for bringing this up. I have communicated this internally and it has been reproduced and a bug is being filed. I just wanted to let you know we take this very seriously.

If you have a case number where you had previously brought this up, I would ask you PM it to me.

Thank you,

-Michael.

ed_wilts

Re: InsightIQ security (or lack thereof)

Michael,

The system doesn't appear to let me email you privately.  The case number is 58910822.

ed_wilts

Re: InsightIQ security (or lack thereof)

> OK, if that happens on the WebGUI (which IIQ version?), something is indeed going horribly wrong.
>
> This is neither intended nor documented behavior and should be recognized as a serious bug.

This is version 2.5.2, which is the current version as of today, although I expect that 3.0 is imminent.  The support analyst has asked for a ton of information (including the configuration pickle files, which hold unencrypted passwords to our arrays).  MRWA says it's been duplicated, though, but it would be nice if the support person could tell me that instead of asking me to collect a ton of info for him.  Oddly enough, he even wants logs from the NFS server...

This problem is trivial to duplicate.  Install a Linux distro.  Install InsightIQ.  Add any local user to the Linux distro.  This user instantly has administrator access to IIQ.

ed_wilts

Re: InsightIQ security (or lack thereof)

I see that InsightIQ 3.0 dropped today.  I also see that these are now documented bugs that are still not fixed.

> If you install InsightIQ on a Linux machine, all local users on the Linux machine are granted administrative access to InsightIQ.
>
> Workaround: Install InsightIQ only on a dedicated Linux machine

This workaround doesn't really work.  My Linux machine is dedicated but authentication is via LDAP.  This still means that even in the current release, ALL users in LDAP are still granted administrative access.

> I just wanted to let you know we take this very seriously.

When IIQ can be remotely exploited by an unauthorized user, and this remains unfixed even in the next major release 2 months after being reported, I believe your definition of "seriously" and mine differ.  All EMC has done for everybody is document it as a known bug.

There are 5 documented fixes in this release.  There are 20 known bugs.

Not documented as fixed or as a known bug is that if the IIQ instance loses connectivity with a monitored cluster, the database has a high likelihood of being silently corrupted.  This issue has been duplicated by EMC and has been known since September (and my original case on this dates back to mid-August).

peglarr

Re: InsightIQ security (or lack thereof)

Ed, in IIQ 3.0, if you use LDAP credentials, any user so authenticated will get read-only privileges, not administrative (read-write) access.  If you are seeing the latter, that's a bug.  You can also specify a custom SSL certificate for clients trying to connect to the IIQ web address.

blutgens

Re: InsightIQ security (or lack thereof)

Can confirm: any user that has a valid username/password on the host (in my case CentOS 6.6) has admin privs in InsightIQ. In my case it's no big deal, since I just won't create non-engineer accounts on this particular box. But the authentication/authorization on the InsightIQ web UI is very ill-conceived.
