
AMD Raid Xpert2 (RAID config tool) raises some security concerns

Source: Infosec on the Threadripper NVMe Drivers, a Level1 Diagnostic

 

Apparently the AMD Raid Xpert2 will install XAMPP with some oversights when it comes to security.

 

In a nutshell these are the important points:

  • The Apache web server used to manage the driver's configuration not only binds to loopback addresses (127.0.0.1 or localhost) but also to your network adapter's IP. This means you can access the Apache server remotely.
  • The Apache server runs with elevated privileges.
  • The Apache server is not configured to block access to locations outside the manager application folder. This means you can have access to any file/folder, and with elevated privileges, well... you can pretty much execute anything you want remotely.
  • [Less important] The PHP version is a bit dated and has a few known security issues.

With all these combined it means you pretty much have your entire machine completely open after installing the drivers.

 

Wendell points out that we can always disable the Apache service or change directory permissions on Apache, despite this clearly being sloppy work from AMD.

 

Although this should not pose any major risk for more pro people (since they can quickly fix the security issues), it really can be an issue for less tech-savvy enthusiasts or people that don't pay a lot of attention to these kinds of details.

Edited by muddymind
Updated the thread title and 1st post content to reflect that Raid Xpert2 is the issue and not the Threadripper NVMe drivers themselves. Kudos to @Legendarypoet for pointing that out.
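As an added illustration, not code from the thread or from AMD's tool, here is a small Python audit of an Apache httpd.conf for the two weaknesses listed above that are visible in the configuration itself: Listen directives bound beyond loopback, and the absence of a deny rule on the filesystem root (the elevated service account is not something httpd.conf shows). Both sample configurations below are constructed, not RAIDXpert2's real files.

```python
import re

LOOPBACK = {"127.0.0.1", "[::1]", "localhost"}

# Constructed sample resembling the weak layout the post describes: Apache
# bound to every interface and no deny rule on the filesystem root.
WEAK_CONF = """
Listen 80
DocumentRoot "C:/xampp/htdocs"
<Directory "C:/xampp/htdocs">
    Require all granted
</Directory>
"""
# Constructed hardened counterpart: loopback only, root denied, app dir allowed.
HARDENED_CONF = """
Listen 127.0.0.1:80
Listen [::1]:80
DocumentRoot "C:/xampp/htdocs"
<Directory />
    AllowOverride None
    Require all denied
</Directory>
<Directory "C:/xampp/htdocs">
    Require all granted
</Directory>
"""

def listen_addresses(conf):
    """(address, port) per Listen directive; a bare port means all interfaces ('*')."""
    pat = re.compile(r"^\s*Listen\s+(?:(\[[^\]]+\]|[^\s:]+):)?(\d+)", re.I | re.M)
    return [(addr or "*", int(port)) for addr, port in pat.findall(conf)]

def root_directory_denied(conf):
    """True if a <Directory /> block denies everything (2.4 or 2.2 syntax)."""
    m = re.search(r'<Directory\s+"?/"?\s*>(.*?)</Directory>', conf, re.I | re.S)
    return bool(m) and re.search(r"Require\s+all\s+denied|Deny\s+from\s+all",
                                 m.group(1), re.I) is not None

def audit(conf):
    """List findings for the two config-visible weaknesses; empty means both pass."""
    findings = [f"Listen {a}:{p} is reachable from the network"
                for a, p in listen_addresses(conf) if a not in LOOPBACK]
    if not root_directory_denied(conf):
        findings.append("no <Directory /> block with 'Require all denied'")
    return findings

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(conf) or ["ok"])
```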

It's the RAID Utility and not just NVMe drivers. Raid Xpert2 is used in more than just Threadripper.


Wasn't there enough reason to not use NVMe RAID?

 

Things like, y'know:

Expense

No real world benefit

Better ways of conducting ePeen contests

Expense


8 minutes ago, Drak3 said:

Wasn't there enough reason to not use NVMe RAID?

 

Things like, y'know:

Expense

No real world benefit

Better ways of conducting ePeen contests

Expense

Don't forget Expense


Just now, sazrocks said:

Don't forget Expense

But did you consider, the COSTS?!


31 minutes ago, Drak3 said:

Wasn't there enough reason to not use NVMe RAID?

 

Things like, y'know:

Expense

No real world benefit

Better ways of conducting ePeen contests

Expense

This actually impacts anyone who uses RAID w/ AMD's RAID config tool. It isn't limited to NVMe, I think they just didn't bother testing outside of that use case.


Well, that's the thing about Linux really: you might be able to get an awesomely talented engineer on Linux driver duty, and while it might be relatively easy for him to get familiar enough with the environment to code drivers, it shows that you truly need someone who's not only a talented software engineer but well versed in Linux too.

 

It's hard to find too many of those that are, well, not already working for Red Hat, Oracle, Google, etc.


2 minutes ago, leadeater said:

Have you considered the TCO of this solution?!

 

:P


Am I missing something? Why is XAMPP needed to install a driver? XAMPP is meant for setting up a quick and dirty dev environment for the LAMP stack.


1 hour ago, flipped_bit said:

Am I missing something? Why is XAMPP needed to install a driver? XAMPP is meant for setting up a quick and dirty dev environment for the LAMP stack.

It provides the backbone for the web GUI. 

 

Why they used a web GUI, I dunno. I think the reason they made it like this is because of enterprise workstations that can leverage the use of a web GUI. Although most people hide behind a router that doesn't allow external connections to the local IP unless port forwarded, only the local network is exposed to one another. 

 

While it is indeed a security risk, it's only a security risk on the local network, unless you have UPNP enabled or something like that. 


3 hours ago, Drak3 said:

Wasn't there enough reason to not use NVMe RAID?

 

Things like, y'know:

Expense

No real world benefit

Better ways of conducting ePeen contests

Expense

Except threadripper may be used in some high end workstation solutions where maximising throughput to a single drive or array is important. Things like 8k and 16k video editing, scientific modeling, and other such tasks. NVMe RAID is useless for consumer/prosumer but pretty useful for professional, enterprise, and academic use.


@muddymind please update your post to meet the News & Reviews Section Posting Guidelines.

 

You can review the guidelines here;

Otherwise your post will be moved.


This seems like a really, really stupid thing.

Who in their right mind makes their driver control panel a web interface? That's bloated (and as discovered by Wendell, a security risk) beyond belief. Not to mention all the issues that might arise if you don't know about this and try to run a web server with RAID.

 

AMD truly are the kings of terrible drivers.


2 minutes ago, LAwLz said:

This seems like a really, really stupid thing.

Who in their right mind makes their driver control panel a web interface? That's bloated (and as discovered by Wendell, a security risk) beyond belief. Not to mention all the issues that might arise if you don't know about this and try to run a web server with RAID.

 

AMD truly are the kings of terrible drivers.

In AMD's defence, web-based management utilities are pretty much par for the course for hardware RAID cards...


Just now, LinusTech said:

In AMD's defence, web-based management utilities are pretty much par for the course for hardware RAID cards...

Not sure if that's much of a defense in my eyes. It just means that a lot of companies are stupid.

 

Or maybe I'm the stupid one and there is some big benefit to having RAID management utilities on a web server that I can't think of.


14 minutes ago, LAwLz said:

Not sure if that's much of a defense in my eyes. It just means that a lot of companies are stupid.

 

Or maybe I'm the stupid one and there is some big benefit to having RAID management utilities on a web server that I can't think of.

Ease of deployment. Also makes it easier to expose the control software to a third party like a system administrator who may need to monitor or control the RAID remotely.

 

Not defending it, it's a terribly insecure practice, but one that's pretty standard in the industry.


1 hour ago, LinusTech said:

In AMD's defence, web-based management utilities are pretty much par for the course for hardware RAID cards...

 

1 hour ago, LAwLz said:

Not sure if that's much of a defense in my eyes. It just means that a lot of companies are stupid.

 

Or maybe I'm the stupid one and there is some big benefit to having RAID management utilities on a web server that I can't think of.

Web based management isn't the issue though, it's the glaring security issue with this particular one. Being able to remotely manage things like this is extremely useful so long as it's not a liability to the system.

 

LSI RAID cards have had remote management for many, many years, done properly(er/ish). Having to shut down an ESXi host just to add a new disk to an array would be so annoying and disruptive without this ability.


5 hours ago, SansVarnic said:

@muddymind please update your post to meet the News & Reviews Section Posting Guidelines.

Updated the thread title and 1st post content to reflect that Raid Xpert2 is the issue and not the Threadripper NVMe drivers themselves. I hope that makes the post compliant with all the guidelines. (The quotes-from-the-original-source rule is not applicable since it's a video and not a written article.)


1 hour ago, leadeater said:

Web based management isn't the issue though, it's the glaring security issue with this particular one. Being able to remotely manage things like this is extremely useful so long as it's not a liability to the system.

 

LSI RAID cards have had remote management for many, many years, done properly(er/ish). Having to shut down an ESXi host just to add a new disk to an array would be so annoying and disruptive without this ability.

But if it's an ESXi host then you should be able to remote into it.

No need to expose RAID controls to remote devices directly through a web interface. It just seems like a bad idea to do it over a web server.

(Please bear in mind I am not that involved with servers, and even less with RAID on servers)


17 minutes ago, LAwLz said:

But if it's an ESXi host then you should be able to remote into it.

No need to expose RAID controls to remote devices directly through a web interface. It just seems like a bad idea to do it over a web server.

(Please bear in mind I am not that involved with servers, and even less with RAID on servers)

LSI is a bit nicer in that it runs the remote tools on-chip on the card; ESXi can only see the storage that the RAID card shows it, so you need a way to configure that and then, using the ESXi management tools, rescan your storage and extend the datastore using the new space that was allocated to the volume/array. LSI also has multiple different authentication methods that you can use to secure this remote management, including LDAP.

 

Edit:

Also, local-only storage using a RAID card for ESXi is rather rare nowadays anyway.

 

Edit 2:

Sorry, I was wrong: you need an on-host daemon for the MSM to connect to. The RAID card does have on-chip management, but only for its web BIOS, which can be accessed only during booting.


So I saw the vid about it earlier today and was like


But yeah, I guess it can easily get rectified.
