
Difference between revisions of "SVG:Advisiory-SVG-2011-505"

From EGIWiki
Line 3 (previous revision, 9 February 2011):

<pre>
9th February 2011.

The advisory for VOMS admin will be released shortly when patches are available
for others outside EGI who use this software.
</pre>

Line 3 (this revision):

<pre>
** WHITE information - Unlimited distribution allowed  **

** see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions **
</pre>

Revision as of 15:15, 19 April 2011


Advisiory-SVG-2011-505



** WHITE information - Unlimited distribution allowed  **

** see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions **


EGI Software Vulnerability Group (SVG) ADVISORY [EGI-SVG-2011-505]

Title:       HIGH - VOMS Admin vulnerabilities found by carrying out detailed vulnerability
             assessment of the package
Date:        2011-01-14, updated 2011-04-19

URL:         https://wiki.egi.eu/wiki/SVG:Advisories/Advisory-SVG-2011-505
(alt)        https://wiki.egi.eu/wiki/SVG:Advisories/Advisory-SVG-2011-01-14n01


Introduction
============

This advisory is being issued because a new version of VOMS Admin has been released as part
of gLite 3.2 which resolves 4 vulnerabilities found when a detailed vulnerability
assessment was carried out on this package.



Details
=======

The Vulnerability Assessment Group at the University of Wisconsin has developed a First
Principles Vulnerability Assessment (FPVA) methodology [R1]. This was carried out on VOMS
Admin Version 2.0.15 and 4 vulnerabilities were found.

These vulnerabilities are as follows:

1. Any remote user with a valid certificate can inject malicious client-side web code into the
VOMS-Admin database. However, exploiting this vulnerability requires the user to have a valid,
specially crafted, non-revoked certificate signed by a trusted Certificate Authority, which
would be difficult to obtain.

2. Any remote user with a valid certificate can inject malicious client-side web code into the
VOMS-Admin database, thus inducing VOMS-Admin users to execute unwanted actions. However, the
attacker needs to carry out some social engineering on the VO administrator, which most VO
administrators should be wary of.

3. VOMS Admin actions are vulnerable to client-side script injection. This may allow users to
carry out actions which should only be carried out by a VOMS administrator and, combined with
another feature, there is a possibility of a user gaining 'root' access to VOMS Admin.

4. Some VOMS-Admin actions are vulnerable to client-side script injection. However, in this
case the attacker needs to carry out some social engineering on the VO administrator, which
most VO administrators should be wary of.
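An added illustration (not VOMS Admin's own code) of the pattern behind items 1 and 2: a CA-signed subject DN that is trusted and rendered unescaped in an administrator page, beside the hardened output encoding and a simple screening check a VO administrator could run over pending membership requests. The DN strings and function names are constructed for this example.

```python
import html
import re

# Constructed sample subject DNs of the kind a VO member presents to VOMS Admin.
# CRAFTED_DN carries markup in its CN: a CA signature proves the identity was
# issued, not that the DN text is safe to place in HTML.
CRAFTED_DN = "/C=XX/O=ExampleOrg/CN=Alice<script>alert(1)</script>"
BENIGN_DN = "/C=XX/O=ExampleOrg/CN=Bob Example"


def render_member_row_vulnerable(dn: str) -> str:
    """Unsafe pattern: the DN is concatenated raw into the page, so markup in the
    certificate subject becomes script that runs in the VO administrator's browser."""
    return "<tr><td>" + dn + "</td></tr>"


def render_member_row_safe(dn: str) -> str:
    """Hardened: the DN is treated as untrusted input and HTML-escaped at output
    time, so it is displayed as text whatever the certificate contains."""
    return "<tr><td>" + html.escape(dn, quote=True) + "</td></tr>"


# Characters and tokens that have no place in a legitimate DN but do in HTML/JS.
MARKUP_RE = re.compile(r"[<>\"']|&#|javascript:", re.IGNORECASE)


def dn_contains_markup(dn: str) -> bool:
    """Screening check for VO administrators: flag subject DNs carrying markup."""
    return MARKUP_RE.search(dn) is not None


def scan_requests(dns):
    """Return the subject DNs an administrator should review before approving."""
    return [dn for dn in dns if dn_contains_markup(dn)]


if __name__ == "__main__":
    print(render_member_row_safe(CRAFTED_DN))
    print(scan_requests([BENIGN_DN, CRAFTED_DN]))
```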



Risk Category
=============

The EGI SVG Risk Assessment Team (RAT) has assessed these 4 vulnerabilities.

1. Assessed as  'Low' Risk

2. Assessed as  'Moderate' Risk

3. Assessed as  'High' Risk

4. Assessed as  'Moderate' Risk  



Affected Software
=================

VOMS Admin version 2.5.0 and earlier versions.

2.0.2-2 is the current version released as part of gLite 3.2.

Earlier versions of VOMS Admin may also be affected by some or all of these 
vulnerabilities.



Component Installation information
==================================

Release details may be found at http://glite.cern.ch/R3.2/sl5_x86_64/updates/

Detailed instructions for updating are provided by gLite in the patch details at 
https://savannah.cern.ch/patch/index.php?4583



Recommendations
===============
 
The SVG recommends that sites running VOMS Admin and clients update to the latest version
(2.5.5 or later) as soon as possible, since one of the 4 vulnerabilities has been assessed
as 'High' risk.



Credit
======

These vulnerabilities were found and reported by James Kupsch, Elisa Heymann, Eduardo Cesar
and Guifre Ruiz when carrying out a detailed security vulnerability assessment of this package.


References
==========

[R1] http://www.cs.wisc.edu/mist/includes/vuln.html


Timeline
========
Dates are given as yyyy-mm-dd.

2010-11-15 Vulnerability reported by James Kupsch
2010-11-15 Acknowledgement from the EGI SVG to the reporter
2010-11-15 Software providers responded and involved in investigation
2010-11-19 Assessment by the EGI Software Vulnerability Group reported to the software providers
2011-02-09 Updated packages available from gLite
           Public disclosure delayed to allow patch to be produced for OSG usage
2011-04-19 Public disclosure


On behalf of the  EGI SVG