Difference between revisions of "SVG:Advisory-SVG-2016-11363"
Jump to navigation
Jump to search
(Created page with " {{svg-header}} <pre> Title: EGI SVG Advisory [TLP:WHITE] 'Moderate' risk Two Perfsonar Vulnerabilities announced by the Perfsonar team [EGI-SVG-2016-11363] Date: ...") |
|||
Line 1: | Line 1: | ||
{{svg-header}} | {{svg-header}} | ||
<pre> | <pre> | ||
Title: EGI SVG Advisory [TLP:WHITE] 'Moderate' risk Two Perfsonar Vulnerabilities announced by the Perfsonar team [EGI-SVG-2016-11363] | Title: EGI SVG Advisory [TLP:WHITE] 'Moderate' risk Two Perfsonar | ||
Vulnerabilities announced by the Perfsonar team [EGI-SVG-2016-11363] | |||
Date: 2016-07-15 | Date: 2016-07-15 | ||
Line 17: | Line 17: | ||
Package : Perfsonar | Package : Perfsonar | ||
One vulnerability concerns remote unauthenticated file access, the other concerns privilege escalation. In this case has been assessed as 'Moderate' risk. | One vulnerability concerns remote unauthenticated file access, the other concerns | ||
privilege escalation. In this case has been assessed as 'Moderate' risk. | |||
Actions required/recommended | Actions required/recommended | ||
Line 40: | Line 41: | ||
Information on this vulnerability is public. | Information on this vulnerability is public. | ||
It is considered that the information exposed is not especially sensitive, hence a lower risk than would be expected is assigned to this issue allowing unauthenticated file access than would normally be the case. | It is considered that the information exposed is not especially sensitive, hence a lower risk | ||
than would be expected is assigned to this issue allowing unauthenticated file access than would | |||
normally be the case. | |||
As announced by Perfsonar: | As announced by Perfsonar: | ||
Updated perfSONAR packages were published this morning to address security concerns. A special thanks to Luke Young for taking the time to find, document and provide a few patches for the items detailed below. The updates address the following issues: | Updated perfSONAR packages were published this morning to address security concerns. A special | ||
thanks to Luke Young for taking the time to find, document and provide a few patches for the items | |||
detailed below. The updates address the following issues: | |||
1.It was possible to generate a carefully crafted SOAP message that goes to the OPPD service that would allow an unauthenticated user to read arbitrary files from the filesystem as the 'perfsonar' user. This was done by exploiting a feature of LibXML that processes external entities. The ability to do so has since been disabled. | 1.It was possible to generate a carefully crafted SOAP message that goes to the OPPD service that would | ||
allow an unauthenticated user to read arbitrary files from the filesystem as the 'perfsonar' user. | |||
This was done by exploiting a feature of LibXML that processes external entities. The ability to do so | |||
has since been disabled. | |||
2.The second issue allowed someone logged-in to the host via SSH as an unprivileged user to escalate to root privileges using a combination of the Toolkit’s ConfigManager and BWCTL’s posthook feature. ConfigManager did not actually need access to the BWCTL config file anymore, so access to this file (and thus the posthook feature) has been removed. | 2.The second issue allowed someone logged-in to the host via SSH as an unprivileged user to escalate to | ||
root privileges using a combination of the Toolkit’s ConfigManager and BWCTL’s posthook feature. | |||
ConfigManager did not actually need access to the BWCTL config file anymore, so access to this file | |||
(and thus the posthook feature) has been removed. | |||
If auto-updates are enabled, the updates will install automatically. It is also possible to run “yum update libperfsonar* perfsonar-toolkit* perfsonar-oppd*” to get the changes manually on RedHat and "apt-get update && apt-get upgrade libperfsonar* perfsonar-toolkit* perfsonar-oppd*” on Debian. | If auto-updates are enabled, the updates will install automatically. It is also possible to run | ||
“yum update libperfsonar* perfsonar-toolkit* perfsonar-oppd*” to get the changes manually on RedHat and | |||
"apt-get update && apt-get upgrade libperfsonar* perfsonar-toolkit* perfsonar-oppd*” on Debian. | |||
Latest revision as of 11:53, 15 July 2016
Main page | Software Security Checklist | Issue Handling | Advisories | Notes On Risk | Advisory Template | More |
Advisory-SVG-2016-11363
Title: EGI SVG Advisory [TLP:WHITE] 'Moderate' risk Two Perfsonar Vulnerabilities announced by the Perfsonar team [EGI-SVG-2016-11363] Date: 2016-07-15 Updated: Affected software and risk ========================== 2 vulnerabilities have been announced by the Perfsonar team see [R 1] Package : Perfsonar One vulnerability concerns remote unauthenticated file access, the other concerns privilege escalation. In this case has been assessed as 'Moderate' risk. Actions required/recommended ============================ Sites are recommended to update relevant components as soon as is convenient. Affected software details ========================= Affected packages: * libperfsonar* < 3.5.1.8 * perfsonar-toolkit* < 3.5.1.4 * perfsonar-oppd-bwctl* < 3.5.1.1 More information ================ Information on this vulnerability is public. It is considered that the information exposed is not especially sensitive, hence a lower risk than would be expected is assigned to this issue allowing unauthenticated file access than would normally be the case. As announced by Perfsonar: Updated perfSONAR packages were published this morning to address security concerns. A special thanks to Luke Young for taking the time to find, document and provide a few patches for the items detailed below. The updates address the following issues: 1.It was possible to generate a carefully crafted SOAP message that goes to the OPPD service that would allow an unauthenticated user to read arbitrary files from the filesystem as the 'perfsonar' user. This was done by exploiting a feature of LibXML that processes external entities. The ability to do so has since been disabled. 2.The second issue allowed someone logged-in to the host via SSH as an unprivileged user to escalate to root privileges using a combination of the Toolkit’s ConfigManager and BWCTL’s posthook feature. ConfigManager did not actually need access to the BWCTL config file anymore, so access to this file (and thus the posthook feature) has been removed. If auto-updates are enabled, the updates will install automatically. It is also possible to run “yum update libperfsonar* perfsonar-toolkit* perfsonar-oppd*” to get the changes manually on RedHat and "apt-get update && apt-get upgrade libperfsonar* perfsonar-toolkit* perfsonar-oppd*” on Debian. Mitigation ========== N/A. Component installation information ================================== See the Perfsonar site [R 1] TLP and URL =========== ** WHITE information - Unlimited distribution - see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions*** URL: https://wiki.egi.eu/wiki/SVG:Advisory-SVG-2016-11363 Minor updates may be made without re-distribution to the sites Credit ====== SVG was alerted to this vulnerability by Mischa Salle who is a member of SVG References ========== [R 1] http://www.perfsonar.net/#20160707-security Comments ======== Comments or questions should be sent to svg-rat at mailman.egi.eu If you find or become aware of a vulnerability which is relevant to EGI you may report it by e-mail to report-vulnerability at egi.eu the EGI Software Vulnerability Group will take a look. Timeline ======== Yyyy-mm-dd [EGI-SVG-2016-11363] 2016-07-11 SVG alerted to this issue by Mischa Salle 2016-07-11 Acknowledgement from the EGI SVG to the reporter 2016-07-14 EGI SVG Risk Assessment completed 2016-07-11 Updated packages available <in the EGI UMD/other location> 2016-07-15 Advisory/Alert sent to sites 2016-07-15 Public disclosure On behalf of the EGI SVG,