Enomaly ECP/Enomalism: Silent update remote command execution vulnerability

Synopsis

All versions of Enomaly ECP/Enomalism have an insecure silent update mechanism that could allow a remote attacker to execute arbitrary code as root.

Background

Enomaly ECP (formerly Enomalism) is management software for virtual machines.

Description

Sam Johnston (http://samj.net/) of Australian Online Solutions (http://www.aos.net.au) reported that the main Enomaly ECP daemon (enomalism2d) includes an undocumented silent update mechanism that insecurely downloads and executes code from Enomaly's corporate web server.

Whenever any module fails to load for any reason, Enomaly ECP silently attempts to fetch and forcibly install unsigned Python modules over plain HTTP from http://enomaly.com/fileadmin/eggs/ (currently exception, drivemounter, and phone_home). Because the modules are neither signed nor transported over an authenticated channel, this allows remote, privileged exploitation without any user intervention.

Impact

Combined with the ability to intercept requests to Enomaly's corporate web server by other means, such as ARP or DNS spoofing, or to compromise the server itself or any intermediary server, it is possible to execute arbitrary commands as the root user on any server requesting an update.

An attacker may also be able to trigger the update mechanism by inducing any condition in which modules fail to load, e.g. exhausting memory by making many web requests.

Workaround

Resolve enomaly.com to 127.0.0.1 in the hosts file of each affected server, so that the daemon cannot reach the update location.

Resolution

There is no resolution at this time, as the feature cannot be disabled. The vendor claims that the behaviour is by design and has no plans to release a fix.

History

2009-02-09 Bug initially reported to Enomaly by mail
2009-02-09 CVE requested from Mitre; TBA
2009-02-10 Product Development Manager acknowledged receipt: "This is by design, it's a method to allow modules to be downloaded and installed as needed. It's a recovery mechanism for borked installs (which happen quite frequently with easy_install). None of this stuff is exploitable or malicious under any normal circumstances."
2009-02-12 Publication of vulnerability
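The two properties the advisory says the mechanism lacks are an authenticated transport and verification of the fetched module before it is installed, and the third problem is that any load error triggers the fetch without operator consent. The following Python is an added illustration of how a module-recovery feature could be written to close those gaps; it is not Enomaly's code and nothing about enomalism2d's internals is assumed. The manifest, the example.invalid URL, the sample artifact bytes and the `fetcher` callback are all constructed for the example; the http://enomaly.com/fileadmin/eggs/ URL appears only to show that a plain-HTTP source is refused before any network access happens.

```python
import hashlib
import hmac
import logging
from urllib.parse import urlparse

log = logging.getLogger("module-updater")


class UpdatePolicyError(Exception):
    """Raised when an update is refused; callers must fail closed, never install."""


# Constructed stand-in for a downloaded egg and the digest an operator would pin
# in the shipped manifest (in a real product this would be a signature or a
# digest covered by a signed manifest; a pinned SHA-256 keeps the example offline).
SAMPLE_EGG = b"# constructed placeholder for a python egg\n"
SAMPLE_EGG_SHA256 = hashlib.sha256(SAMPLE_EGG).hexdigest()

# Hypothetical manifest shipped with the product: module name -> (HTTPS URL, digest).
PINNED_MODULES = {
    "drivemounter": (
        "https://updates.example.invalid/eggs/drivemounter.egg",
        SAMPLE_EGG_SHA256,
    ),
}


def check_source(url):
    """Refuse any source that is not HTTPS with a host.

    Plain HTTP is what makes DNS or ARP spoofing sufficient to substitute the
    payload; TLS with certificate validation removes that class of attacker.
    """
    parsed = urlparse(url)
    if parsed.scheme != "https" or not parsed.netloc:
        raise UpdatePolicyError("refusing non-HTTPS update source: %s" % url)


def verify_digest(data, expected_hex):
    """Constant-time comparison of the artifact's SHA-256 against the pinned value."""
    return hmac.compare_digest(hashlib.sha256(data).hexdigest(), expected_hex)


def fetch_verified_module(name, fetcher, manifest=PINNED_MODULES):
    """Return module bytes only if the source is pinned, HTTPS, and the digest matches.

    `fetcher(url) -> bytes` is injected so the policy can be tested without a network.
    Nothing returned here is executed or installed by this function.
    """
    if name not in manifest:
        raise UpdatePolicyError("module %r is not in the pinned manifest" % name)
    url, expected = manifest[name]
    check_source(url)           # decided before any bytes leave the host
    data = fetcher(url)
    if not verify_digest(data, expected):
        log.error("digest mismatch for %s from %s; not installing", name, url)
        raise UpdatePolicyError("digest mismatch for %s" % name)
    return data


def try_fetch(name, fetcher, manifest=PINNED_MODULES):
    """Convenience wrapper returning (ok, payload_or_reason) instead of raising."""
    try:
        return True, fetch_verified_module(name, fetcher, manifest)
    except UpdatePolicyError as exc:
        return False, str(exc)


def handle_load_failure(name, exc, auto_recovery_enabled=False):
    """Decide whether a module load failure may trigger a remote fetch.

    Default is fail closed: log the error and leave the module unloaded. Only an
    explicit operator opt-in returns True, so an induced load error (e.g. memory
    exhaustion) cannot by itself start a download.
    """
    log.error("module %s failed to load: %r", name, exc)
    return bool(auto_recovery_enabled)


if __name__ == "__main__":
    ok, result = try_fetch("drivemounter", lambda url: SAMPLE_EGG)
    print("genuine artifact accepted:", ok)
    ok, reason = try_fetch("drivemounter", lambda url: SAMPLE_EGG + b"tampered")
    print("tampered artifact refused:", not ok, "-", reason)
```

The design point is ordering: the source policy is evaluated before any request is made, the digest is checked before the bytes are handed to anything that could import them, and a load failure on its own yields a log line rather than a download. The same shape applies whether the artifact check is a pinned digest, as here, or a signature over a manifest.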