Difference between revisions of "SVG:Advisiory-SVG-2011-505"
** WHITE information - Unlimited distribution allowed **

** see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions **

EGI Software Vulnerability Group (SVG) ADVISORY [EGI-SVG-2011-505]

Title: HIGH - VOMS Admin vulnerabilities found by carrying out detailed vulnerability
assessment of the package

Date: 2011-01-14, updated 2011-04-19

URL: https://wiki.egi.eu/wiki/SVG:Advisories/Advisory-SVG-2011-505
(alt) https://wiki.egi.eu/wiki/SVG:Advisories/Advisory-SVG-2011-01-14n01

Introduction
============

This advisory is being issued because a new version of VOMS Admin has been released as part
of gLite 3.2 which resolves 4 vulnerabilities found when a detailed vulnerability
assessment was carried out on this package.

Details
=======

The Vulnerability Assessment Group at the University of Wisconsin has developed a First
Principles Vulnerability Assessment (FPVA) methodology [R1]. This was carried out on VOMS
Admin version 2.0.15 and 4 vulnerabilities were found.

These vulnerabilities are as follows:

1. Any remote user with a valid certificate can inject malicious client-side web code into the
VOMS-Admin database. However, exploiting this vulnerability requires the user to have a valid,
specially crafted, non-revoked certificate signed by a trusted Certificate Authority, which
would be difficult to obtain.

2. Any remote user with a valid certificate can inject malicious client-side web code into the
VOMS-Admin database, thus inducing VOMS-Admin users to execute unwanted actions. However, the
attacker needs to carry out some social engineering on the VO administrator, which most VO
administrators should be wary of.

3. VOMS Admin actions are vulnerable to client-side script injections. This may allow users to
carry out actions which should only be carried out by a VOMS administrator, and, combined with
another feature, there is a possibility of a user gaining 'root' access to VOMS Admin.

4. Some VOMS-Admin actions are vulnerable to client-side script injections. However, in this
case the attacker needs to carry out some social engineering on the VO administrator, which
most VO administrators should be wary of.

Risk Category
=============

The EGI SVG Risk Assessment Team (RAT) has assessed these 4 vulnerabilities.

1. Assessed as 'Low' Risk
2. Assessed as 'Moderate' Risk
3. Assessed as 'High' Risk
4. Assessed as 'Moderate' Risk

Affected Software
=================

VOMS Admin version 2.5.0 and earlier versions.

2.0.2-2 is the current version released as part of gLite 3.2

Earlier versions of VOMS Admin may also be affected by some or all of these
vulnerabilities.

Component Installation information
==================================

Release details may be found at http://glite.cern.ch/R3.2/sl5_x86_64/updates/

Detailed instructions for updating are provided by gLite in the patch details at
https://savannah.cern.ch/patch/index.php?4583

Recommendations
===============

The SVG recommends that sites running VOMS Admin and clients update to the latest version
(2.5.5 or later) as soon as possible, since one of the 4 vulnerabilities has been assessed
as 'High' risk.

Credit
======

These vulnerabilities were found and reported by James Kupsch, Elisa Heymann, Eduardo Cesar
and Guifre Ruiz when carrying out a detailed security vulnerability assessment of this package.

References
==========

[R1] http://www.cs.wisc.edu/mist/includes/vuln.html

Timeline
========

Yyyy-mm-dd

2010-11-15 Vulnerability reported by James Kupsch
2010-11-15 Acknowledgement from the EGI SVG to the reporter
2010-11-15 Software providers responded and involved in investigation
2010-11-19 Assessment by the EGI Software Vulnerability Group reported to the software providers
2011-02-09 Updated packages available from gLite
           Public disclosure delayed to allow patch to be produced for OSG usage
2011-04-19 Public disclosure

On behalf of the EGI SVG
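Items 1 and 2 of the Details section describe a stored client-side code injection: data that a certificate holder controls is written to the VOMS-Admin database and later rendered to other users (including the VO administrator) without encoding. The following Python snippet is an added illustration of that vulnerability class and its standard mitigation; it is not VOMS Admin code and is not taken from the advisory. It assumes, as a labelled simplification, that the attacker-controlled value is the certificate subject DN and that the web application interpolates it into an HTML table; the sample DNs are constructed for this example.

```python
import html
import re

# Constructed sample subject DNs, as a web application might receive them
# from a client certificate. The third one carries markup in its CN field
# and is a constructed canary value for this example, not a real certificate.
SAMPLE_DNS = [
    "/C=XX/O=Example Org/CN=Alice Example",
    "/DC=org/DC=example/CN=Bob Example",
    "/C=XX/O=Example Org/CN=<script>alert(1)</script>",
]


def render_member_row_unsafe(dn: str) -> str:
    """'Before' pattern: the DN stored in the database is interpolated into
    the page verbatim, so any markup inside it becomes part of the page that
    the next viewer (e.g. the VO administrator) loads."""
    return f"<tr><td>{dn}</td></tr>"


def render_member_row_safe(dn: str) -> str:
    """Hardened pattern: treat the DN as untrusted data and HTML-encode it at
    the output boundary. The stored value is unchanged; only its rendering
    is neutralised, so this works even for values already in the database."""
    return f"<tr><td>{html.escape(dn, quote=True)}</td></tr>"


# Characters that have no legitimate place in a subject DN that is going to
# be shown on a VO membership page. Used as an audit/validation gate in
# addition to output encoding, never as a replacement for it (assumed policy
# for this example; a real deployment would derive it from its CA's naming rules).
_SUSPECT = re.compile(r"[<>\"'&]")


def dn_is_suspect(dn: str) -> bool:
    """True if the DN contains HTML metacharacters worth flagging."""
    return bool(_SUSPECT.search(dn))


def audit_dns(dns):
    """Return the subset of stored DNs that should be reviewed by an
    administrator because they contain markup metacharacters."""
    return [dn for dn in dns if dn_is_suspect(dn)]


if __name__ == "__main__":
    for dn in SAMPLE_DNS:
        print("unsafe:", render_member_row_unsafe(dn))
        print("safe:  ", render_member_row_safe(dn))
    print("flagged:", audit_dns(SAMPLE_DNS))
```

The unsafe renderer emits the `<script>` element unchanged, which is the behaviour items 1 and 2 describe; the safe renderer emits `&lt;script&gt;...`, which the browser displays as text. The audit helper is useful after upgrading, since the advisory's fix does not retroactively clean values that were stored while the vulnerable version was in service.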
Revision as of 15:15, 19 April 2011
Advisiory-SVG-2011-505