New joke about security from EMC

Today EMC announced new security advisory:

According to release notes Content Server got following security “improvements” in 7.2:

I have no idea what does mean “dm_crypto_boot utility is enhanced to load an AEK into the shared memory” because this capability exists for a long time in Content Server, for example, quote from Admin Guide 6.7:

so, “dm_crypto_boot utility is enhanced to load an AEK into the shared memory” is not a security enhancement (actually, folks said me that now installer enforces entering passphrase for aek.key during installation), and the only enhancement is a support of RSA Lockbox, moreover, according to EMC it is the only option to “prevent” aek.key file from hijacking, but if you read carefully my post about CVE-2014-2515, you should know that RSA Lockbox does not introduce any security features – to open RSA Lockbox on another machine it’s enough to hijack following files from victim machine:

  • /etc/sysconfig/network – to get hostname
  • /etc/udev/rules.d/70-persistent-net.rules – to get information about network interfaces
  • /etc/sysconfig/network-scripts/ifcfg-*, /var/lib/dhclient/dhclient*.leases – to get more information about network interfaces
  • /proc/version, /proc/swaps, /proc/cpuinfo, /proc/partitions – RSA Lockbox uses these files to bind itself to specific machine

In next post I’m going to demonstrate how does it work.