Difference between revisions of "SVG:Advisory-SVG-2015-8479"
Jump to navigation
Jump to search
Line 3: | Line 3: | ||
<pre> | <pre> | ||
This | |||
** WHITE information - Unlimited distribution allowed ** | |||
** see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions ** | |||
EGI SVG ADVISORY [EGI-SVG-2015-8479] | |||
Title: EGI SVG Advisory 'High' RISK - perfSONAR potential for a remote root exploit | |||
(in non-recommended configuration) [EGI-SVG-2015-8479] | |||
Date: 2015-05-07 | |||
Updated: 2015-05-27 | |||
URL: https://wiki.egi.eu/wiki/SVG:Advisory-SVG-2015-8479 | |||
Introduction | |||
============ | |||
A vulnerability has been found in fakewww, which is part of the NDT package, which in turn is part of perfSONAR, | |||
which could potentially lead to a remote root exploit. | |||
This has been fixed in NDT version 3.7.0 which is part of perfSONAR 3.4.2 and sites should make sure they have | |||
auto-updates enabled as recommended or update manually. | |||
If sites are configured as recommended by the WLCG perfSONAR team, in [R 1], with NDT disabled, then they are | |||
not vulnerable even if they are running a vulnerable version of perfSONAR. | |||
However, it is not clear how many sites in the EGI or WLCG environment are configured such that NDT is not disabled. | |||
Sites running perfSONAR are asked to check they do not have a vulnerable configuration and take action if necessary. | |||
Details | |||
======= | |||
The potential for a remote exploit has been found in in fakewww, which is part of the NDT package, | |||
which in turn is part of perfSONAR. | |||
If sites are configured as recommended by the perfSONAR team, with NDT disabled, then they are not vulnerable. | |||
See [R 1] | |||
It is not clear how many sites are vulnerable, the tools which CSIRT normally uses for checking for vulnerabilities | |||
cannot be used to check for this. | |||
This has been fixed in NDT version 3.7.0 which is part of perfSONAR 3.4.2 and sites should make sure they have | |||
auto-updates enabled as recommended or update manually. | |||
Risk category | |||
============= | |||
This issue has been assessed as 'High' risk by the EGI SVG Risk Assessment Team. | |||
Affected software | |||
================= | |||
All versions of perfSONAR running NDT version prior to 3.7.0 are vulnerable. | |||
If NDT is disabled as recommended, then sites are not vulnerable. | |||
Mitigation | |||
========== | |||
Sites running perfSONAR should check that NDT is disabled as recommended and if it is not disabled either update | |||
urgently or disable NDT. | |||
Component installation information | |||
================================== | |||
Please see the perfSONAR wiki instructions [R 1] | |||
A “yum update” will mitigate this security problem with no other steps needed. | |||
However, for those who do not trust fakewww and prefer to use Apache instead, | |||
doing a “yum install ndt-server-apache” would switch NDT to use Apache. | |||
It is necessary to install package 'ndt-server-apache' using yum, | |||
and run "service ndt restart" and "service httpd restart". | |||
Recommendations | |||
=============== | |||
Sites running perfSONAR should check that NDT is disabled as in instructions in [R 1] | |||
Sites should also check that they are running the latest version of NDT (3.7.0) and preferably | |||
(as recommended by the perfSONAR team) have auto-updates enabled. | |||
Credit | |||
====== | |||
This vulnerability was reported by Simon Fayer from Imperial College, London | |||
References | |||
========== | |||
[R 1] https://twiki.opensciencegrid.org/bin/view/Documentation/InstallUpdatePS | |||
Timeline | |||
======== | |||
Yyyy-mm-dd | |||
2015-04-18 Vulnerability reported by Simon Fayer (a member of SVG) | |||
2015-04-22 Software providers responded and involved in investigation | |||
2015-04-30 Assessment by the EGI Software Vulnerability Group reported to the software providers | |||
2015-05-01 Updated packages available at perfSONAR website | |||
2015-05-07 Advisory sent to sites | |||
2015-05-27 Public disclosure | |||
</pre> | </pre> |
Latest revision as of 12:54, 27 May 2015
Main page | Software Security Checklist | Issue Handling | Advisories | Notes On Risk | Advisory Template | More |
Advisory-SVG-2015-8479
** WHITE information - Unlimited distribution allowed ** ** see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions ** EGI SVG ADVISORY [EGI-SVG-2015-8479] Title: EGI SVG Advisory 'High' RISK - perfSONAR potential for a remote root exploit (in non-recommended configuration) [EGI-SVG-2015-8479] Date: 2015-05-07 Updated: 2015-05-27 URL: https://wiki.egi.eu/wiki/SVG:Advisory-SVG-2015-8479 Introduction ============ A vulnerability has been found in fakewww, which is part of the NDT package, which in turn is part of perfSONAR, which could potentially lead to a remote root exploit. This has been fixed in NDT version 3.7.0 which is part of perfSONAR 3.4.2 and sites should make sure they have auto-updates enabled as recommended or update manually. If sites are configured as recommended by the WLCG perfSONAR team, in [R 1], with NDT disabled, then they are not vulnerable even if they are running a vulnerable version of perfSONAR. However, it is not clear how many sites in the EGI or WLCG environment are configured such that NDT is not disabled. Sites running perfSONAR are asked to check they do not have a vulnerable configuration and take action if necessary. Details ======= The potential for a remote exploit has been found in in fakewww, which is part of the NDT package, which in turn is part of perfSONAR. If sites are configured as recommended by the perfSONAR team, with NDT disabled, then they are not vulnerable. See [R 1] It is not clear how many sites are vulnerable, the tools which CSIRT normally uses for checking for vulnerabilities cannot be used to check for this. This has been fixed in NDT version 3.7.0 which is part of perfSONAR 3.4.2 and sites should make sure they have auto-updates enabled as recommended or update manually. Risk category ============= This issue has been assessed as 'High' risk by the EGI SVG Risk Assessment Team. Affected software ================= All versions of perfSONAR running NDT version prior to 3.7.0 are vulnerable. If NDT is disabled as recommended, then sites are not vulnerable. Mitigation ========== Sites running perfSONAR should check that NDT is disabled as recommended and if it is not disabled either update urgently or disable NDT. Component installation information ================================== Please see the perfSONAR wiki instructions [R 1] A “yum update” will mitigate this security problem with no other steps needed. However, for those who do not trust fakewww and prefer to use Apache instead, doing a “yum install ndt-server-apache” would switch NDT to use Apache. It is necessary to install package 'ndt-server-apache' using yum, and run "service ndt restart" and "service httpd restart". Recommendations =============== Sites running perfSONAR should check that NDT is disabled as in instructions in [R 1] Sites should also check that they are running the latest version of NDT (3.7.0) and preferably (as recommended by the perfSONAR team) have auto-updates enabled. Credit ====== This vulnerability was reported by Simon Fayer from Imperial College, London References ========== [R 1] https://twiki.opensciencegrid.org/bin/view/Documentation/InstallUpdatePS Timeline ======== Yyyy-mm-dd 2015-04-18 Vulnerability reported by Simon Fayer (a member of SVG) 2015-04-22 Software providers responded and involved in investigation 2015-04-30 Assessment by the EGI Software Vulnerability Group reported to the software providers 2015-05-01 Updated packages available at perfSONAR website 2015-05-07 Advisory sent to sites 2015-05-27 Public disclosure