Difference between revisions of "SVG:Advisory-SVG-2016-11255"
<pre>
Title: EGI SVG Advisory [TLP:AMBER] Up to 'HIGH' risk DIRAC configuration -
database passwords visible on Dirac interface [EGI-SVG-2016-11255]
Date: 2016-07-04
Updated:

Affected software and risk
==========================
Up to 'HIGH' risk - Dirac database passwords visible on Dirac interface
Package: DIRAC

One site has been found where database passwords are visible on the Dirac interface.
How widespread this problem is is not known, and how serious the risk is depends on
how each Dirac site is configured and what users can access.

Actions required/recommended
============================
Sites running DIRAC should check, using the Mitigation below, whether their sites are vulnerable,
and carry out the actions described below if they are.

Affected software details
=========================
This problem was found for a site running v6r15 with WebApp v1r6p26 already installed.
It is not clear whether any specific versions are free from this problem.
Sites that have installed their software according to [R 1], which was updated on 24th June 2016,
should avoid this problem.

Mitigation
==========
This was provided by the DIRAC team.

Sites can check by:
- load the Configuration Manager application from the LHCb WebApp Portal
- hit the "download" or "view as text" button
- grep for "Password"
- if you don't find any, be happy
- if you do, and it contains your DB password, keep reading

If affected, sites should fix by:
- log into your server machine(s)
- define in $DIRACROOT/etc/dirac.cfg the following:

LocalInstallation
{
  Database
  {
    #User name used to connect to the DB server
    User = thisIsAUser #this is by default "Dirac"
    #Password for database user access. Must be set for SystemAdministrator Service to work
    Password = thisIsAPassword #the one used for mysql -uDirac -p
    #Password for root DB user. Must be set for SystemAdministrator Service to work
    RootUser = thisIsAAdminUser #either 'root' or 'admin'
    RootPwd = thisIsAAdminPassword
  }
}

- restart the DIRAC components
- remove the entry "Password" from the Configuration Manager App

More information
================
Original report:
----------------
We noticed that our test dirac instance running v6r15 with WebApp
v1r6p26 displays a database password in the web interface in plain text
to any user that has access to this dirac instance. We currently don't
see this problem on our v6r14 production dirac server which uses the
'old' dirac interface and not the WebApp.

A quick cross check with one of my LHCb colleagues confirms that they
are able to see the database passwords on the LHCb dirac instance's
web interface without any elevated privileges, just as plain lhcb_user.
-----------------

Note that it is not clear how many sites are affected.

It has been stated by the DIRAC team that sites which install following the instructions
at [R 1], as updated on 24th June 2016, should avoid this problem.

Further investigations are on-going by the DIRAC team, including whether any improvements
are needed to the DIRAC WebApp code so this can't happen again.

Component installation information
==================================
Documentation on DIRAC installation is available at [R 1], which was updated on 24th June to avoid this problem.
See also [R 2].

TLP and URL
===========
** WHITE information - Unlimited distribution - see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions **

URL: https://wiki.egi.eu/wiki/SVG:Advisory-SVG-2016-11255

Minor updates may be made without re-distribution to the sites

Credit
======
This vulnerability was reported by Daniela Bauer from Imperial College, London, UK.

References
==========
[R 1] http://dirac.readthedocs.io/en/latest/AdministratorGuide/InstallingDIRACService/index.html
[R 2] https://github.com/DIRACGrid/DIRAC/wiki

Comments
========
Comments or questions should be sent to svg-rat at mailman.egi.eu

If you find or become aware of a vulnerability which is relevant to EGI you may report it by e-mail to
report-vulnerability at egi.eu
and the EGI Software Vulnerability Group will take a look.

Timeline
========
Yyyy-mm-dd [EGI-SVG-2016-11255]
2016-06-16 Vulnerability reported by Daniela Bauer
2016-06-17 Acknowledgement from the EGI SVG to the reporter
2016-06-21 Software providers responded and involved in investigation
2016-06--- Investigation of vulnerability carried out
2016-06-24 DIRAC updated documentation such that sites following new documentation should
           not be vulnerable.
2016-06-28 Instructions received for other sites to check if they are vulnerable
2016-06-29 Risk unclear.
2016-07-04 Advisory/Alert sent to sites suggesting checking their installations
2016-07-18 Public disclosure

On behalf of the EGI SVG,
</pre>
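The check step from the Mitigation section above (download the Configuration Manager text and grep for "Password"), automated as an added example that is not code from the advisory or the DIRAC project: it walks the nested `{ }` sections so each hit is reported with its full configuration path, and it goes slightly beyond the advisory by also matching `Pwd`, `passwd` and `secret` option names. The sample configuration is constructed, and the parser is a simplified reading of the DIRAC cfg syntax, not DIRAC's own.

```python
"""Audit a DIRAC-style configuration dump for credential-bearing options.
Added example, not DIRAC code: automates the advisory's check (grep the Configuration
Manager text for "Password") but walks the nested { } sections to report full paths."""
import re

# Option names that indicate a credential; the advisory itself greps for "Password" only.
SECRET_KEY = re.compile(r"password|passwd|pwd|secret", re.IGNORECASE)
# Constructed sample of what "view as text" may return on an affected site: the DB
# password sits in the central configuration, which every portal user can read.
SAMPLE_CONFIG = """\
Systems
{
  WorkloadManagement
  {
    Databases
    {
      JobDB
      {
        Host = dbhost.example.org
        User = Dirac
        Password = hunter2   # belongs in the server-local dirac.cfg instead
      }
    }
  }
}
"""

def parse_cfg(text):
    """Return {'/Section/Sub/option': value} parsed from DIRAC cfg text (simplified)."""
    options, path, pending = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop full-line and inline comments
        if not line:
            continue
        if line.endswith("{"):                 # "Name {" or a bare "{" after "Name"
            path.append(line[:-1].strip() or pending or "?")
            pending = None
        elif line == "}":
            path.pop()
        elif "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            options["/".join([""] + path + [key])] = value
        else:
            pending = line                     # bare section name; "{" follows
    return options

def find_exposed_secrets(text):
    """Full paths of options whose name looks like a credential; values are not returned."""
    return sorted(p for p in parse_cfg(text) if SECRET_KEY.search(p.rsplit("/", 1)[1]))
```

Run `find_exposed_secrets()` over the text saved from the portal's "download" button; an empty list corresponds to the advisory's "be happy" outcome, and any path returned names an option to move into the server-local `LocalInstallation/Database` section and delete from the Configuration Manager.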
Revision as of 16:28, 18 July 2016
Advisory-SVG-2016-11255