
Thread: security problems due to outdated software

  1. #1

    security problems due to outdated software

    I wonder why open-e spends so much time improving features like iscsi while, on the other hand, major security concerns are not fixed.

    For example I see the following problems:

    important: outdated samba (Samba 3.0.26a fixed a bunch of security problems...)

    important: outdated clamav

    Code:
    WARNING: Your ClamAV installation is OUTDATED!
    WARNING: Current functionality level = 10, recommended = 21

    minor: outdated php (5.2 instead of 5.2.4)

    Even if you place the storage system in a corporate network, the system should be secure against exploits (in the case of samba), and new viruses should be found by the virus scanner.

  2. #2


    hehe, I was there about 3 months ago.

    Here are some ramblings...

    I think they are looking into giving a service manager, where you can disable certain services.

    Vulns in PHP are only really exposed via the apps that apache serves.
    In fact, most security vulnerabilities are based on either default or specialized configurations. So just because a new samba comes out that has some "security" fixes in it does NOT mean that you were vulnerable all along.

    If this DSS is installed on a LAN for employee use, then I don't know how many of your employees try low-level exploits on your file servers. In my company, if we caught an employee doing that, he would probably get to visit the crossbar motel.

    Look at the versions of samba running on Solaris or OSX compared to the latest version on samba.org. No one runs the same version as the source. Again, it all comes down to how it's implemented that defines whether there is a vuln or not.

    /rant

    However, if you happen to prove to me that you can exploit anything in Open-E (even my Russian hacker friends thought it was pretty well configured), please send an email right away to support and send me your resume.

  3. #3


    Netsyphon very well stated!

    I would like to add that just because there is a new release does not mean we will immediately provide an update to please all. A lot of research is done before updates are released, or issues can happen, and not all environments are the same. Currently we are using smbd version 3.0.25b, so give us time to update this to the latest. And yes, we are working on iSCSI now; the reason is Auto Failover (supply and demand business principles - so all gain). Then later we will focus on the NAS, then other areas. Ok, enough said - did you run the clamav update?

    I love the comment "please send an email right away to support and send me your resume".
    All the best,

    Todd Maxwell



  4. #4


    clamav signature updates do not help in all situations. Even if you have the most current signature, your clamav core has to be prepared for that too. If you carefully read the error message, you will understand that.

  5. #5


    Todd,

    I realize this thread is somewhat stale now, but as we're running into security scan issues now, it seems appropriate. Besides... you sent me in this direction!

    With regard to netsyphon's comment about not being able to actually hack the system, that's largely irrelevant when your customer runs a standard Nessus scan against a DSS box that's as locked-down as you can make it through the UI and/or console and there are over half a dozen each of medium and high level warnings.

    You guys really need a way to completely disable/turn-off unnecessary and undesired services, like SMB (in our case). And LDAP? Don't need it, either.

    Having a super-old version of Apache and PHP, and having Apache apparently (according to Nessus) be in a mode where it accepts web server debug instructions -- is no good.

    We're looking forward to seeing the next release a lot tighter.

    Thanks,
    - K

  6. #6


    Thanks for checking on this. "netsyphon" is very respected here in the industry, and he would fully agree with you as well. We will update the PHP on the next DSS release; the other issues we will need additional time to make happen. Thanks for stopping by.
    All the best,

    Todd Maxwell



  7. #7

    Looking forward to the new release then!

    Quote Originally Posted by To-M:
        We will update the PHP on the next DSS release and the other issues we will need additional time to make it happen.

    Great. I trust Apache will also be updated and locked-down to not allow tracing in the same release with newer PHP.

    Thanks!
    - K
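The Nessus finding K describes in #5 (Apache "accepting web server debug instructions") and the "tracing" mentioned in #7 is the HTTP TRACE method check. The script below is an added example, not Open-E's code or anything from the thread: it builds the OPTIONS and TRACE requests a scanner sends, classifies the raw replies, and includes two constructed sample responses (the host name `dss.example` and the `X-Audit` marker header are my own placeholders) so the classifiers can be exercised offline. The remediation on Apache httpd is the `TraceEnable off` directive, noted in the `audit` docstring.

```python
import socket

# Token placed in a request header so an echoed request can be recognised in the body.
MARKER = "trace-audit-marker"


def build_trace_request(host: str) -> bytes:
    """Build the TRACE request a scanner sends to test whether the method is accepted."""
    return (
        f"TRACE / HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        f"X-Audit: {MARKER}\r\n"
        f"Connection: close\r\n\r\n"
    ).encode("ascii")


def build_options_request(host: str) -> bytes:
    """Build an OPTIONS request; the Allow header in the reply lists enabled methods."""
    return f"OPTIONS / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode("ascii")


def parse_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status code, lower-cased headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return status, headers, body


def trace_enabled(raw: bytes) -> bool:
    """True when the server accepted TRACE: a 2xx reply that is either typed
    message/http (the content type RFC 2616 specifies for TRACE) or echoes our marker."""
    status, headers, body = parse_response(raw)
    if not 200 <= status < 300:
        return False
    content_type = headers.get("content-type", "")
    return content_type.startswith("message/http") or MARKER.encode("ascii") in body


def allowed_methods(raw: bytes) -> set:
    """Methods advertised in the Allow header of an OPTIONS reply (empty set if none)."""
    _, headers, _ = parse_response(raw)
    return {m.strip().upper() for m in headers.get("allow", "").split(",") if m.strip()}


def audit(host: str, port: int = 80, timeout: float = 5.0) -> dict:
    """Live check of one server: send OPTIONS and TRACE and classify the replies.
    If trace_enabled is True, the Apache httpd fix is the directive `TraceEnable off`."""
    replies = {}
    for name, request in (("options", build_options_request(host)),
                          ("trace", build_trace_request(host))):
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(request)
            chunks = []
            while True:
                data = sock.recv(4096)
                if not data:
                    break
                chunks.append(data)
        replies[name] = b"".join(chunks)
    return {
        "trace_enabled": trace_enabled(replies["trace"]),
        "allowed_methods": allowed_methods(replies["options"]),
    }


# Constructed sample replies (not captured from any real DSS box) for offline use.
TRACE_ACCEPTED = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache\r\n"
    b"Content-Type: message/http\r\n"
    b"Connection: close\r\n\r\n"
    b"TRACE / HTTP/1.1\r\nHost: dss.example\r\nX-Audit: trace-audit-marker\r\nConnection: close\r\n\r\n"
)
TRACE_REFUSED = (
    b"HTTP/1.1 405 Method Not Allowed\r\n"
    b"Server: Apache\r\n"
    b"Allow: GET,HEAD,POST,OPTIONS\r\n"
    b"Content-Length: 0\r\n\r\n"
)

if __name__ == "__main__":
    print("accepted sample -> trace_enabled:", trace_enabled(TRACE_ACCEPTED))  # True
    print("refused sample  -> trace_enabled:", trace_enabled(TRACE_REFUSED))   # False
    print("refused sample  -> Allow:", sorted(allowed_methods(TRACE_REFUSED)))
```

The classifier deliberately accepts either signal (the `message/http` content type or the echoed marker), because some builds answer TRACE with a generic content type but still echo the request, which is exactly the condition a scanner flags. After applying `TraceEnable off`, re-running `audit` against the box should report `trace_enabled: False` and an Allow list without TRACE.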
