SVG:Advisory-SVG-2014-7696
** WHITE information - unlimited distribution **
** see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions **

EGI SVG ADVISORY [EGI-SVG-2014-7696]

Title: EGI SVG Advisory 'High' risk FTS3 and GFAL2 allow attacker to impersonate other users and destroy their data [EGI-SVG-2014-7696]

Date: 2014-12-08
Updated: 2014-12-10

This advisory will be placed on the wiki on or after 2014-12-22

URL: https://wiki.egi.eu/wiki/SVG:Advisory-SVG-2014-7696

Introduction
============

Two vulnerabilities have been found concerning FTS3 and GFAL2 which allow an authorized user to access, write, and delete files with other authorized users' credentials.

These vulnerabilities have been fixed in the versions of FTS3 and GFAL2 available for use in the EGI infrastructure.

Updated 10th December 2014 - clarify the difference between cases where an FTS3 server is running and where only GFAL is running.

Details
=======

Two vulnerabilities have been found concerning FTS3 and GFAL2. These allow an authorized user to attack and destroy other users' data, and remove traces of what they have done.

1. The vulnerability that affects FTS3 allows an attacker *with valid credentials* to delete or submit files with any other user's credentials (e.g. trigger a transfer or a deletion using ATLAS or LHCb delegated credentials).

2. The vulnerability that affects GFAL2 allows an attacker *with valid credentials* who controls an endpoint *with a valid certificate* to trigger a transfer copying any local file that FTS3 can read to a remote storage. This includes users' proxies and the server certificate and private key, among others. This attack cannot be detected unless debug output was enabled for the offending job, which is unlikely.

Risk category
=============

These issues have been assessed as 'High' risk by the EGI SVG Risk Assessment Team. This is considered the more serious end of 'High'.

Affected software
=================

Fixed in FTS 3.2.30; earlier versions are likely to be vulnerable.

Fixed in GFAL 2.8 and backported to GFAL 2.7.8; earlier versions are likely to be vulnerable.

Mitigation
==========

N/A.

Component installation information
==================================

Non-vulnerable versions of FTS3 and GFAL may be obtained from:

http://grid-deployment.web.cern.ch/grid-deployment/dms/fts3/repos/el6/x86_64/

GFAL is available in EPEL https://fedoraproject.org/wiki/EPEL (FTS3 is also in EPEL testing)

Recommendations
===============

Updated 10th December 2014

Sites running FTS servers should update urgently if they have not already done so.

Other sites should install the fixed GFAL package as part of normal routine updates.

Other information
=================

Added 10th December 2014

We have had some requests for further information concerning the use of GFAL2 on nodes other than FTS servers. We have discussed further with the software providers and the UKNGI security team, and the SVG found that:

1) In the case of an FTS3 server, the vulnerability is serious as described above, and sites should update both the FTS3 package (to at least 3.2.30-1) and the GFAL2 package (to at least 2.7.8-1) urgently.

2) For other node types with the GFAL2 clients installed (e.g. Worker Nodes and UIs), it is less serious and requires quite a contrived situation to exploit. So we recommend installing the fixed GFAL2 package as part of normal routine updates.

Finally, GFAL 2.8 is expected to be released in February, but we would still suggest that sites install the fixed 2.7.8-1 release in the interim, rather than waiting.

Credit
======

These vulnerabilities were reported by Alejandro Alvarez Ayllon from the FTS3 product team at CERN.

Timeline
========

Yyyy-mm-dd

2014-11-18 Vulnerability reported by Alejandro Alvarez Ayllon from the product team
2014-11-18 Acknowledgement from the EGI SVG to the reporter
2014-11-20 Assessment by the EGI Software Vulnerability Group reported to the software providers
2014-12-04 Discussion on advisory and updates
2014-12-?? Updated packages available
2014-12-08 Advisory sent to sites
2014-12-10 Updated advisory sent
2015-01-15 Public disclosure
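As an added example, not part of the advisory or of the FTS3/GFAL2 projects: a Python check a site administrator could run to compare the installed package versions against the fixed versions named above (3.2.30-1 for FTS3, 2.7.8-1 for GFAL2) and apply the FTS-server versus other-node recommendation. The RPM package names fts-server and gfal2 and the rpm query format are assumptions, and the sample rpm output is constructed.

```python
"""Check installed FTS3/GFAL2 packages against the fixed versions in EGI-SVG-2014-7696."""
import re
import subprocess

# Minimum fixed "version-release" from the advisory. The RPM package names
# (fts-server, gfal2) are assumed here, not taken from the advisory text.
FIXED = {"fts-server": "3.2.30-1", "gfal2": "2.7.8-1"}

# Constructed sample of `rpm -q --qf '%{NAME} %{VERSION}-%{RELEASE}\n' ...`
# output from a server whose FTS3 package is one release short of the fix.
SAMPLE_RPM_OUTPUT = "fts-server 3.2.29-1\ngfal2 2.7.8-1\n"

def _segments(s):
    # Split "3.2.30" into segments: numeric ones compare as integers and
    # sort above alphabetic ones, approximating rpm's rpmvercmp.
    return [(1, int(t)) if t.isdigit() else (0, t)
            for t in re.findall(r"\d+|[A-Za-z]+", s)]

def vercmp(a, b):
    """Compare two 'version-release' strings; return -1, 0 or 1."""
    for x, y in zip(a.split("-", 1), b.split("-", 1)):
        sx, sy = _segments(x), _segments(y)
        if sx != sy:
            return -1 if sx < sy else 1
    return 0

def check(rpm_output):
    """Map each package in FIXED to 'fixed', 'VULNERABLE' or 'not installed'."""
    installed = dict(line.split() for line in rpm_output.splitlines()
                     if len(line.split()) == 2)
    return {pkg: "not installed" if pkg not in installed
            else "fixed" if vercmp(installed[pkg], fixed) >= 0
            else "VULNERABLE"
            for pkg, fixed in FIXED.items()}

def urgency(result, fts_server):
    """The advisory's recommendation: FTS3 servers update urgently; nodes with
    only the GFAL2 clients (WNs, UIs) update as part of routine updates."""
    if "VULNERABLE" not in result.values():
        return "ok"
    return "update urgently" if fts_server else "update in routine maintenance"

if __name__ == "__main__":
    try:  # query the local RPM database; fall back to the constructed sample
        out = subprocess.run(["rpm", "-q", "--qf", "%{NAME} %{VERSION}-%{RELEASE}\n",
                              *FIXED], capture_output=True, text=True).stdout
    except FileNotFoundError:
        out = SAMPLE_RPM_OUTPUT
    status = check(out)
    print(status, "->", urgency(status, status["fts-server"] != "not installed"))
```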