The following assessment was done in answer to the question of how our Bootable CD system could be exploited to gain root access. It is based on a rapid assessment and testing process that took only about 4 hours for a group of reasonably skilled assessors with an additional 4 hours of help by an expert and includes the development team's decisions about mitigation. It is not to be taken as definitive, but rather as representative of reasonable expectations for the potential for privilege exploitation in our Bootable CD environment. Likelihood and impact values are indicated for 'secure mode' operation.

• audio/video viewing: An attacker could use audio or video devices attached to the system to remotely view keyboard entry or listen to people saying passwords that could grant root access. This would likely require root access in order to exploit and is highly unlikely in the current Bootable CD configuration. No additional mitigation was applied. Likelihood: LOW - Impact: LOW

• breaking key management systems: It is possible that there is an as yet unpublished vulnerability in ssh key management that could allow root access if root remote logins are used in circumstances that would permit such an exploit. The ssh service is not enabled by default, and key management is intended to provide for maximum interoperability. Additional constraints can be implemented by customizing /etc/ssh/sshd_config in order to restrict cryptosystem and key management use as well as to remove remote root access. No other mitigation has been applied. Likelihood: LOW - Impact: LOW

• bribes and extortion: An attacker could bribe or extort the Bootable CD developers or others in the supply chain to include an undisclosed vulnerability. The current development team consists of US government cleared personnel who have widespread reputations for integrity. Nevertheless, this is a possibility. Others in the environment could also be bribed to alter the system hardware, media, etc. If assured delivery is required for special applicaitons, cryptographic checksums are available to verify distribution content. No other mitigation has been applied. Likelihood: LOW - Impact: LOW

• call forwarding fakery: There might be some way to exploit Bootable CD if used in dial-up situations by forwarding calls to false telephone systems and applying man-in-the-middle attacks. This could then be used to exploit system interdependencies. By default, our Bootable CD does not have many such dependencies, however, configurations specific to specific applicaitons may cause deviations from this situation. No other mitigation has been applied. Likelihood: LOW - Impact: LOW

• content-based attacks: Malicious content, such as a malicious web page or downloadable software could provide temporary root access if loaded and used by a user logged in as root on the Bootable CD box. This is partially mitigated by the unmodifiable nature of CD-booted Bootable CD systems, thus making non Bootable CD-specific attacks unlikely to succeed. Configurations include javascript disabled by default in the Mozilla which mitigates this sort of attack to a limited extent. Other content-based attacks include exploits against libraries used by applications and similar mechanisms. The development team has made an effort to identify and eliminate all such configuration errors in default configurations. In addition, the 'WGsec' script mitigates many such attacks by limiting information flow across network interfaces, thus reducing the potential for abuse. No other mitigation has been applied. Likelihood: LOW - Impact: LOW

• covert channels: It has been shown possible to derive information about ssh passwords from keystroke timing. Other similar covert channels may exist in our Bootable CD to permit a root password to be more easily guessed based on observing covert information flows. By default external services are not enabled and thus only information about remote passwords will be revealed by these attacks, however, if ssh service is enabled for inbound connections, this attack will be possible. No additional mitigation has been applied. Likelihood: LOW - Impact: LOW

• cryptanalysis: The ssh cryptographic system might be exploitable at some time in the future to allow keys to be determined through cryptanalysis so as to gain access to a root password in transit or so as to bypass normal controls on remote access. This service is not enabled by default and no feasible attacks are currently published. No additional mitigation has been applied. Likelihood: LOW - Impact: LOW

• data diddling: It might be possible to exploit a race condition in a GCC compilation if user access is available so as to alter a temporary file during compilation and cause the root user to execute user attack code. No such example is currently known. If the floppy drive contains a floppy, is not write protected, and was not present at bootup, a non-root user might be able to access the floppy and create or alter a PLAC.go file or program called by PLAC.go so as to cause the execution a program by root at the next system reboot. No mitigation has been applied other than this notice. Likelihood: LOW - Impact: LOW

• dependency analysis and exploitation: Outside services such as DNS could be exploited in a networked environment to induce the Bootable CD system to go to a wrong site to perform activities, leading to possible man-in-the-middle attacks that could induce the downloading of a Trojan horse or other similar condition which could ultimately result in granting root access. Such an attack would likely have to be customized to our Bootable CD because of its largely read-only file structure. No mitigation has been applied other than this notice. Likelihood: LOW - Impact: LOW

• device access exploitation: The floppy disk could be subverted (as describe earlier) or a device with DMA access and accessible from a non-root account might be exploited to gain indirect access to processor memory. No known vulnerabilities of this type exist in our Bootable CD, however it is possible that with some devices not yet known to the developers such a vulnerability exists. No mitigation has been applied other than this notice. Likelihood: LOW - Impact: LOW

• emergency procedure exploitation: If an emergency can be used to induce the root user to leave the console unguarded during an emergency and physical access can be gained, root access could be attained. No mitigation has been applied other than this notice. Likelihood: LOW - Impact: LOW

• environment corruption: It is possible to create an environment in which the root user executes a Trojan horse. As an example, the root user could simply run a user program (or be induced to do so). In addition, '.' is at the end of the root path and several root path directories do not exist in all implementations. Testing indicates that no root path exploit based on directories in the root path operates because of file and directory protections and the read-only nature of large parts of the Bootable CD file system, however, if the root user mistypes a command and is in a user directory with an executable of the name as mistyped, it is possible to force the root user to execute Trojan horse code as specified by the user. This can be readily mitigated by setting the root path to a different value, however, the developers have chosen this option for convenience. The script 'WGsec' has been provided to mitigate this risk by removing the '.' from the root path and performing other enhanced security functions at the expense of ease of use. No additional mitigation has been applied other than this notice. Likelihood: LOW - Impact: LOW

• error insertion and analysis: It is possible that induced errors could cause information to be revealed that could be exploited through analysis and used to provide a root password or other root access. No mitigation has been applied other than this notice. Likelihood: LOW - Impact: LOW

• error-induced mis-operation: Programming errors might be exploitable to induce system misoperation granting root privileges. As an example, when running tcpdump, some binary characters can be displayed on the video screen. If the attacker can craft a packet capable of displaying a sequence of bytes that are interpreted by the VT100 emulator used in Xterm, they might be able to induce the terminal emulator to store and enter on behalf of root user a command that will grant root access to the attacker. This would have to be specifically crafted to grant access to root under our Bootable CD because of the requirement to enable services and modify only modifiable file system areas. No mitigation has been applied other than this notice. Likelihood: LOW - Impact: LOW

• errors and omissions: If the root user does not follow the directions in the tutorial or fails to take into account the factors identified in this document, the Bootable CD system may become susceptible to privilege escalation. Design errors and omissions in Linux, such as setUID programs have been largely eliminated in our Bootable CD distribution, however some may remain. No additional mitigation has been applied other than this notice. Likelihood: MID - Impact: LOW

• false updates: If the root user gets a copy of the Bootable CD distribution from other than a trusted channel it could contain Trojan horses that would grant root access. The trusted method of getting a copy of the Bootable CD distribution is via a credit card purchase from all.net over the Web. If higher assurance is required, an MD5 checksum of the content of the CD-ROM can be supplied or other speciall arangements made for integrity assurance in the transfer process. No additional mitigation has been applied other than this notice. Likelihood: MID - Impact: HIGH

• fictitious people: A fictitious person could try to provide false updates under color of authority. Similarly non-authoritative information about operation or configuration could be used to subvert protection. Only online information from all.net or content of a Bootable CD should be trusted as authoritative with respect to your distribution. No additional mitigation has been applied other than this notice. Likelihood: MID - Impact: LOW

• get a job: If someone untrustoworthy were to get a job on the Bootable CD development team, they could provide the means to subvert protection. All current developers hold US government clearances and team members are restricted and carefully screened. Applications implemented in Bootable CD do not have privileges and thus cannot provide additional privileges to the user unless they are run by root and contain Trojan horse code that functions in the Bootable CD environment. Reboots defeat any permanent access granted in this manner. No additional mitigation has been applied other than this notice. Likelihood: LOW - Impact: MID

• hangup hooking: If dial-up is in use with Bootable CD, it is possible that improperly closed inbound dial-up sessions by root could lead to root compromise. We advise against dial-up access to root accounts unless additional precautions have been taken, such as the use of ssh as the only method for access. No additional mitigation has been applied other than this notice. Likelihood: LOW - Impact: LOW

• hardware failure - system flaw exploitation: Hardware failures in the write protection mechanism of floppy disks could be exploited to modify floppy contents if floppy versions of PLAC.go or other content it uses could be modified. This is not normally possible because of software protections, but poorly implemented PLAC.go files could combine with such a fault to produce root access. Other hardware failures have some chance of producing unanticipated machine states that could result in root access. No additional mitigation has been applied other than this notice. Likelihood: LOW - Impact: LOW

• illegal value insertion: If there are system call checks that fail to detect illegal values and those values would grant root access under Linux, they may be used to escalate privileges under our Bootable CD. No additional mitigation has been applied other than this notice. Likelihood: LOW - Impact: LOW

• imperfect daemon exploits: Our Bootable CD starts up with no vulnerable daemons running. Unless daemons are enabled, no remote access or vulnerability exists that we are aware of. Normal daemon startup in our Bootable CD as described in the tutorial provides mitigaiton against most risks associated with those daemons, however, the potential residual risks are reviewed here:

  • sendmail: Sendmail is provided primarily to permit outbound email. If run as an outbound only email forwarder, sendmail has no known vulnerabilities, however, there may be some program faults that are exploitable and are yet undiscovered. Privilege escalation is not available as demonstrated by most internal sendmail exploits because sendmail is not setUID, however, some local exploits may be possible if they do not take advantage of this and can operate through interprocess communication in sendmail's send-only mode. For inbound email, the preferred handler is ManAlMail which is designed for local incoming mail handling only and appears to have no known or suspected sources of vulnerability. The 'WGsec' script disables inbound sendmail access and includes firewalling against inbound connections to sendmail. Likelihood: LOW - Impact: LOW
  • openssh: The version and configuration of openssh provided in our Bootable CD has no known remote vulnerabilities. The only known potential explopits associated with the default configuration relate to allowing remote root access without a passowrd if the root user fails to set a root password before starting the ssh daemon. This can be mitigated by changing the setting in the configuration file or, per the instructions, setting a root password before allowing network access. It may also be advisable in some situations to prevent remote root access via ssh entirely by changing a configuration file, however, because of the inability to go from normal user to root user status in our Bootable CD, this is only useful in systems which are not to be remotely administered. The script 'WGsec' has been provided to disable remote root login and no-password logins via secure shell as well as some other risks identified in this assessment at the expense of ease of use. Likelihood: LOW - Impact: LOW
  • identd: Previous exploits in ident daemons have been found, however none are known in the version in use in the current Bootable CD distribution. If identd is enabled by the root user and if there is such an exploit it may induce a vulnerability. The 'WGsec' script provides firewall capabilities that inhibit identd from functioning and turns identd off if it is running. Likelihood: LOW - Impact: LOW
  • thttpd: The thttpd daemon has been mathematically shown to have no remote vulnerabilities. It is highly unlikely that any exploit attempt against it will be successful in gaining root access. Likelihood: LOW - Impact: LOW
  • pop3: Since pop3 uses the real password associated with a user, it is possible to try brute force guessing attacks against root's password if the pop3 daemon is running. These will appear rather obviously in logs, however, the attack will function. Once the password is gained, local root access can be gained by logging in as root on the console and remote root access can only be gained if sshd has been enabled and configurations have not been altered to prevent remote root access by secure shelling in as root. There may be other vulnerabilities in the pop3 daemon but there are none we are currently aware of. The 'WGsec' script disables pop3 service on the Bootable CD host and firewalls against it as redundant protection. Likelihood: LOW - Impact: LOW
  • ntop remote root: If the 'ntop' program is run as root, there is a known remote root access attack against it. This has not been tested at this time. The 'WGsec' script mitigates this risk by automatically killing processes containing this name every 30 seconds and eliminating remote access. Likelihood: LOW - Impact: LOW
  • loadable modules: It is possible that faults in loadable modules may be used to induce root access. Similarly, hardware insertion using PCMCIA cards or similar physical attacks might induce the loading of those modules automatically if PCMCIA card automatic recognition is enabled or if those cards are present at bootup and found by the hardware detection routines. Loadable modules are only loadable by root, so the root user will have to be convinced to load those modules in order for these attacks to be feasible. Likelihood: LOW - Impact: LOW
  • Sniffers like Ethereal and TCPdump: Many sniffers have programming errors that could result in buffer overflows. If these are used, it is possible that a remote root exploit could succeed when these programs are run. The 'WGsec' script mitigates this risk by reducing the consequenes associated with this activity unless it is specifically targeted to a Bootable CD system. Likelihood: LOW - Impact: LOW
  • remote exploit yields local access: There may be other remote exploits we are unaware of. These are largely mitigated by the 'WGsec' script. Likelihood: LOW - Impact: LOW

  No additional mitigation has been applied other than this notice and the 'WGsec' script.

• inappropriate defaults: Our Bootable CD is configured with sshd remote access without password enabled. This was determined to be desirable for many cases when LAN-based exchanges were necessary. If directions are followed, passwords will set before sshd is started except in cases where physical protection is used to limit LAN access. Similarly, there is a '.' at the end of the path for root. This is provided for convenience of access, however, can lead to root compromise if root runs programs from within user directories. If desired, the root user may remove this vulnerability by resetting the path in the PLAC.go file. The script 'WGsec' has been provided to mitigate this vulnerability as well as others identified in this assessment, at the expense of ease of use. No additional mitigation has been applied other than this notice. Likelihood: LOW - Impact: LOW

• infrastructure interference: By interfering in infrastructures, it might be possible to get a root password if the root user is using insecure services to get email or to perform similar tasks using the same password as is used for root on the Bootable CD system. Infrastructure interference could also be used to invoke a man-in-the-middle attack as described above. Insecure services have been minimized in our Bootable CD so as to reduce their use, however, by poor choices, root users can still support such compromises. The 'WGsec' script firewalls against almost all such attacks. The Bootable CD default selection of DNS servers is also intended to favor those with higher trust levels. No additional mitigation has been applied other than this notice. Likelihood: LOW - Impact: LOW

• infrastructure observation: The pop3 service provides the potential for infrastructure observation that could contain root passwords that might be gleaned in this manner. Prudence in the use of these services is urged. The 'WGsec' script firewalls against pop3 usage. No additional mitigation has been applied other than this notice. Likelihood: LOW - Impact: LOW

• input overflow: See imperfect daemons above. Internal input overflows that might otherwise grant root access do not grant this access under our Bootable CD because none of those programs are setUID on the Bootable CD. Input overflows to potentially vulnerable daemons that are run as root may be invoked under some circumstances to gain access and escalate privilege, but testing has not revealed any that currently operate against Bootable CD systems. No additional mitigation has been applied other than this notice. Likelihood: LOW - Impact: LOW

• insertion in transit: A Trojan Horse could be inserted in transit, thus affecting a root user who is remotely accessing data. Similarly, a forged external DNS response could lead to Trojan or man in middle attack through an improperly trusted remote system. These can only be invoked of the attacker has the ability to gain the root password and gain physical or ssh access to the Bootable CD system and if additional configuration changes have not been made to prevent such attack. In order to gain feedback, such an attack would require return paths which are largely reduced via the 'WGsec' script's firewall. No additional mitigation has been applied other than this notice. Likelihood: LOW - Impact: MID

• interrupt sequence mishandling: It is possible that interrupt sequence mishandling could induce an escalation of privilege, however, we are aware of none and do not know of any exploits that would tend to indicate a likelihood that one will be found in the foreseeable future. No mitigation has been applied other than this notice. Likelihood: LOW - Impact: LOW

• invalid values on calls: It is possible that invalid values on Linux operating system calls could induce an escalation of privilege, however, we are aware of none and do not know of any exploits that would tend to indicate a likelihood that one will be found in the foreseeable future. No mitigation has been applied other than this notice. Likelihood: LOW - Impact: LOW

• man-in-the-middle: As described above. Likelihood: MID - Impact: MID

• modification in transit: As described above, the same effects can be seen as in infrastructure interference. Likelihood: MID - Impact: MID

• multiple error inducement: Most of the attacks described herein involve multiple error inducement. Other multiple error induced faults are likely to exist and may be exploited, but we are not aware of any at this time. No additional mitigation has been applied other than this notice. Likelihood: LOW - Impact: LOW

• network service and protocol attacks: The only known attacks are those indicated under imperfect daemons described above. Our Bootable CD mitigates this risk to a large extent by not automatically starting any network services, by providing special secure servers where possible, and by controlling less secure services by configuration management. Most protocols are disabled by default so that UDP viruses and similar attacks are not in effect. Additional protection can be attained by applying firewall technology available on the Bootable CD system and by additional configuration changes suited to the specific needs of the user. The script 'WGsec' includes firewall mitigation of many of these vulnerabilities. No additional mitigation has been applied other than this notice. Likelihood: LOW - Impact: LOW

• observation in transit: As described above, insecure protocols can be observed and exploited to gain information that might be useful in a privilege escalation. This sort of attack only applies if those same passwords are used in an enabled service that permits remote access, such as ssh. Internal escalation from user accounts is not aided by this information. No additional mitigation has been applied other than this notice. Likelihood: MID - Impact: LOW

• password guessing: Password guessing is possible, however, the password file is not readable except by root, so only brute force techniques or those exploiting weak protocols or enabled services can operate. By default, remote access is not available, so only manual guessing or physically enhanced guessing through added hardware at the console can be used to exploit this unless remote services are enabled. Default password guess counts for sshd are set reasonably low to prevent unfettered guessing and additional firewall rules can be used to further mitigate this problem if particular systems are attempting such guesses. Audit trails also provide notice of such attempts and weak passwords are notified by the password changing program. No additional mitigation has been applied other than this notice. Likelihood: MID - Impact: MID

• perception management a.k.a. human engineering: It is feasible for an attacker to gain root access by deceptions oriented against those with root access. A Bootable CD system provides no support to mitigate against this risk other than the requirement for authorized users with root access to enable services in order to provide access and the default settings for system services. No additional mitigation has been applied other than this notice. Likelihood: MID - Impact: LOW

• piggybacking: By piggybacking on a web site or other remote service, a Trojan horse could be introduced into the data stream, thus inducing the web browser to act on root's behalf to grant otherwise unauthorized access to the system. Similar possibilities exist for other services. Configurations for web browsers are defaulted to prevent javascript and known vulnerbialities, however, vulnerabilities no doubt remain in these applicaitons. No additional mitigation has been applied other than this notice. Likelihood: LOW - Impact: LOW

• * protection missetting exploitation: As above, some of the settings are designed to afford increased utility over protection. Setting should be changed and instructions followed if different behavior is desired. No Bootable CD files are setUID and most files and directories are configured so as to prevent examination or modification as appropriate. All settings within the most commonly exploited areas are also protected by the fact that they are implemented read-only on an ISO9660 loopback filesystem. This makes changing protections difficult if not impossible without root access. In installations with writeable user file systems some of the added layers of protection is not in effect. No additional mitigation has been applied other than this notice. Likelihood: LOW - Impact: LOW

• race conditions: It is possible that there are compiler race conditions that would induce Bootable CD systems in which root users are doing compilations to grant privilege escalation to a local user who is able to exploit a race condition to alter the partially compiled code produced by the compiler befome final compilation or loading and get the root user to run the resulting program. No additional mitigation has been applied other than this notice. Likelihood: LOW - Impact: LOW

• replay attacks: The replay of a plaintext password could be used to regain root access, however, no remote root access is available except via ssh which prevents replay attacks, and only then if enabled by the root user. Recorded keystrokes using a phyical tapping device would afford a successful replay attack. No additional mitigation has been applied other than this notice. Likelihood: LOW - Impact: LOW

• shoulder surfing: If the root user allows others to observe the entry of a password and if physical access or remote access with sshd enabled is permitted to the system, the root login password can be exploited for root access. No additional mitigation has been applied other than this notice. Likelihood: LOW - Impact: MID

• spoofing and masquerading: If the root user can be convinced to act imprudently by a spoofing or masquerading process, privilege can be gained and escalated. Similarly, complex interdependencies with other systems, such as those described above, might be exploited to grant root access. No additional mitigation has been applied other than this notice. Likelihood: LOW - Impact: LOW

• strategic or tactical deceptions: As above, deceptions against authorized users or systems configured to allow root privileges can potentially provide these privileges. No additional mitigation has been applied other than this notice. Likelihood: MID - Impact: LOW

• system maintenance: Systems maintenance personnel with physical access can gain access to system content and alter system function. In addition, they could leave a sniffing device which would gain them root user information and might allow subsequent access assuming services to support such access are made available by the root user. No additional mitigation has been applied other than this notice. Likelihood: LOW - Impact: LOW

• Trojan horses: Trojan horses, as indicated above, could be used to gain root access if executed by the root user and if properly designed to function in the Bootable CD environment. Configurations for web browsers are defaulted to prevent javascript and known vulnerbialities, however, vulnerabilities no doubt remain in these applicaitons. No additional mitigation has been applied other than this notice. Likelihood: MID - Impact: LOW

• undocumented or unknown function exploitation: It is possible that there are undocumented functions associated with services available under our Bootable CD, however, none have been intentionally introduced by the Bootable CD distribution team in the Bootable CD distribution made available to the public. No additional mitigation has been applied other than this notice. Likelihood: LOW - Impact: LOW

• viruses: If the root user executes a virus which is designed to operate in our Bootable CD environment, that virus will have root access during its execution, however, infection will be substantially limited by the read-only nature of much of the Bootable CD environment and by the loss of unsaved viral content across reboots. No additional mitigation has been applied other than this notice. Likelihood: LOW - Impact: LOW

• wire closet attacks: Physical infrastructure attack could be used to facilitate other attacks described above. No additional mitigation has been applied other than this notice. Likelihood: MID - Impact: LOW

These are the only known classes of vulnerabilities that would grant root access to our Bootable CD system implemented following the tutorial and other instructions provided. Additional vulnerability and mitigation information will be provided in updates to this document available on our Bootable CD distributions and on our web site. The web site will reflect the most recent assessment while the individual CD will reflect the assessment as of the time of its release.