Lucid rsnapshot package turns remote access on
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
rsnapshot (Ubuntu) | Fix Released | Undecided | Unassigned |
Lucid | Won't Fix | Medium | Unassigned |
Maverick | Fix Released | Undecided | Unassigned |
Natty | Fix Released | Undecided | Unassigned |
Bug Description
Binary package hint: rsnapshot
When installed on Ubuntu Lucid Desktop, rsnapshot pulls in the whole ssh metapackage, which it doesn't need, therefore exposing the machine to dictionary attacks.
Rsnapshot is designed to pull snapshots from remote computers; it is NOT dependent on openssh-server and its typical usage scenarios do NOT involve running openssh-server on the client side.
In Maverick the rsnapshot package doesn't introduce this vulnerability (since installing rsnapshot doesn't pull in openssh-server on Maverick).
The default sshd_config which is automatically installed with the openssh-server package allows passworded remote access (which is IMHO a strange default policy for a desktop distribution, but that's another issue).
Steps to reproduce vulnerability:
1. Perform clean Ubuntu Lucid install.
2. # apt-get update
   # apt-get upgrade
3. # apt-get install rsnapshot
4. Now your port 22 is open and you are able to access the machine from the outside, just use your username and password.
I installed the rsnapshot package on my Lucid Desktop a few weeks ago to back up data from a remote server. To my surprise I discovered that port 22 was open and the sshd daemon was running and accepting login attempts from external botnets. After reading the logs I traced this problem to this package. For me this is disturbing, since I use this machine at home and typically don't turn password authentication off, assuming that remote access to my machine is disabled.
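The two conditions the report combines (a package whose dependency chain drags in an SSH server, and an sshd_config whose commented-out default leaves password authentication on) can be checked from a shell. The helpers below are an added example, not part of the Launchpad report or the rsnapshot package; they read stdin so they accept real output (`apt-cache depends rsnapshot`, `cat /etc/ssh/sshd_config`) or the constructed samples embedded here.

```shell
#!/bin/sh
# Added audit helpers (not from the bug report). Both functions read stdin.

# Exit 0 if an "apt-cache depends" listing names ssh or openssh-server as a
# hard dependency ("Depends:" lines, including "|Depends:" alternatives).
pulls_ssh_server() {
    awk '$1 ~ /^[|]?Depends:$/ && ($2 == "ssh" || $2 == "openssh-server") { found = 1 }
         END { exit !found }'
}

# Print the effective PasswordAuthentication value of an sshd_config.
# sshd takes the FIRST value it reads for a keyword; a commented line such as
# "#PasswordAuthentication yes" (the stock default) sets nothing, so the
# built-in default "yes" applies. Assumption: global scope only, Match blocks ignored.
effective_password_auth() {
    val=$(awk 'tolower($1) == "passwordauthentication" { print tolower($2); exit }')
    if [ -n "$val" ]; then echo "$val"; else echo "yes"; fi
}

# Constructed samples (not captured from a real system).
LUCID_DEPENDS='rsnapshot
  Depends: perl
  Depends: rsync
  Depends: ssh'
STOCK_SSHD_CONFIG='Port 22
#PasswordAuthentication yes
UsePAM yes'
HARDENED_SSHD_CONFIG='Port 22
PasswordAuthentication no
#PasswordAuthentication yes
UsePAM yes'

if printf '%s\n' "$LUCID_DEPENDS" | pulls_ssh_server; then
    echo "dependency chain pulls in an SSH server"
fi
echo "stock config:    PasswordAuthentication=$(printf '%s\n' "$STOCK_SSHD_CONFIG" | effective_password_auth)"
echo "hardened config: PasswordAuthentication=$(printf '%s\n' "$HARDENED_SSHD_CONFIG" | effective_password_auth)"
```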
summary: Lucid rsnapshot package turns on remote access → Lucid rsnapshot package turns remote access on
description: updated (three times)
visibility: private → public
Changed in rsnapshot (Ubuntu Maverick): status: New → Fix Released
Changed in rsnapshot (Ubuntu Natty): status: New → Fix Released
Changed in rsnapshot (Ubuntu Lucid): status: New → Confirmed; importance: Undecided → Medium
Fixed in 1.3.1-1 (https://bugs.debian.org/422262).