Enomaly ECP/Enomalism: Silent update remote command execution vulnerability
All versions of Enomaly ECP/Enomalism have an insecure silent update mechanism
that could allow a remote attacker to execute arbitrary code as root.
Enomaly ECP (formerly Enomalism) is management software for virtual machines.
Sam Johnston (http://samj.net/) of Australian Online Solutions
(http://www.aos.net.au) reported that the main Enomaly ECP daemon (enomalism2d)
includes an undocumented silent update mechanism that insecurely downloads and
executes code from Enomaly's corporate web server.
Enomaly ECP silently attempts to receive and forcibly install unsigned python
modules over HTTP from http://enomaly.com/fileadmin/eggs/ (currently exception
drivemounter, and phone_home) when encountering any error loading any module.
This allows for remote, privileged exploitation without any user intervention.
Combined with the ability to intercept requests to Enomaly's corporate web
server by other means such as ARP or DNS spoofing, or compromise the server
itself or any intermediary server, it is possible to execute arbitrary
commands as the root user on any server requesting an update. An attacker may
also be able to trigger the update mechanism by inducing any condition where
modules fail to load, e.g. exhausting memory by making many web requests.
Resolve enomaly.com to 127.0.0.1 in affected servers' hosts files.
There is no resolution at this time as the feature cannot be disabled. Vendor
claims that the vulnerability is by design and has no plans to release a fix.
2009-02-09 Bug initially reported to Enomaly by mail
2009-02-09 CVE requested from Mitre; TBA
2009-02-10 Product Development Manager acknowledged receipt:
"This is by design, it's a method to allow modules to be downloaded and
installed as needed. It's a recovery mechanism for borked installs (which
happen quite frequently with easy_install). None of this stuff is exploitable
or malicious under any normal circumstances."
2009-02-12 Publication of vulnerability