|
|
| Line 3: |
Line 3: |
|
| |
|
| <pre> | | <pre> |
| | 19th April 2011. |
|
| |
|
| ** WHITE information - Unlimited distribution allowed **
| | This advisory has not been made public because patches are not available for some of our |
| | collaborating grid organisations. |
|
| |
|
| ** see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions **
| | Sites continue to be advised to update as soon as possible if they have not done so already. |
| | |
| | |
| EGI Software Vulnerability Group (SVG) ADVISORY [EGI-SVG-2011-505]
| |
| | |
| Title: HIGH - VOMS Admin vulnerabilities found by carrying out detailed vulnerability
| |
| | |
| assessment of the package
| |
| Date: 2011-01-14, updated 2011-04-19
| |
| | |
| | |
| | |
| URL: https://wiki.egi.eu/wiki/SVG:Advisories/Advisory-SVG-2011-505
| |
| (alt) https://wiki.egi.eu/wiki/SVG:Advisories/Advisory-SVG-2011-01-14n01
| |
| | |
| | |
| Introduction
| |
| ============
| |
| | |
| This advisory is being issued as a new version of VOMS admin has been released as part
| |
| of gLite 3.2 which resolves 4 vulnerabilities found when a detailed vulnerability
| |
| assessement was carried out on this package.
| |
| | |
| | |
| | |
| Details
| |
| =======
| |
| | |
| The Vulnerability Assessement Group at the University of Wisconsin have developed a First
| |
| Principles Vulnerability Assessment (FPVA) methodology [R1]. This was carried out on VOMS
| |
| Admin Version 2.0.15 and 4 vulnerabilities were found.
| |
| | |
| These Vulnerabilities are as follows:
| |
| | |
| 1. Any remote user with a valid certificate can inject malicious client side web code to the
| |
| | |
| VOMS-Admin database. However, exploiting this vulnerability requires a user to have a valid,
| |
| | |
| specially crafted, non-revoked certificate, signed by a trusted Certificate Authority which
| |
| | |
| would be difficult to obtain.
| |
| | |
| 2. Any remote user with a valid certificate can inject malicious client side web code to the
| |
| | |
| VOMS-Admin database, thus inducing VOMS-Admin users to execute unwanted actions. However the
| |
| | |
| attacker needs to carry out some social engineering on the VO administrator which most VO
| |
| | |
| administrators should be wary of.
| |
| | |
| 3. VOMS admin actions are vulnerable to client side script injections. This may allow users to
| |
| carry out actions which should only be carried out by a VOMS administrator and combined with
| |
| | |
| another feature there is a possibility of a user gaining 'root' access to VOMS admin.
| |
| | |
| 4. Some VOMS-Admin actions are vulnerable to client side script injections. However in this
| |
| case the attacker needs to carry out some social engineering on the VO administrator which
| |
| most VO administrators should be wary of.
| |
| | |
| | |
| | |
| Risk Category
| |
| =============
| |
| | |
| The EGI SVG Risk Assessement Team (RAT) has assessed these 4 vulnerabilities.
| |
| | |
| 1. Assessed as 'Low' Risk
| |
| | |
| 2. Assessed as 'Moderate' Risk
| |
| | |
| 3. Assessed as 'High' Risk
| |
| | |
| 4. Assessed as 'Moderate' Risk
| |
| | |
| | |
| | |
| Affected Software
| |
| =================
| |
| | |
| VOMS Admin version 2.5.0 and earlier versions.
| |
| | |
| 2.0.2-2 is the current version released as part of gLite 3.2
| |
| | |
| Earlier versions of VOMS Admin may also be affected by some or all of these
| |
| vulnerabilities.
| |
| | |
| | |
| | |
| Component Installation information
| |
| ==================================
| |
| | |
| Release details may be found at http://glite.cern.ch/R3.2/sl5_x86_64/updates/
| |
| | |
| Detailed instructions for updating are provided by gLite in the patch details at
| |
| https://savannah.cern.ch/patch/index.php?4583
| |
| | |
| | |
| | |
| Recommendations
| |
| ===============
| |
|
| |
| The SVG recommends that sites running VOMS admin and clients update to the latest version
| |
| (2.5.5 or later) as soon as possible, since one of the 4 vulnerabilities has been assessed
| |
| as 'High' risk.
| |
| | |
| | |
| | |
| Credit
| |
| ======
| |
| | |
| This vulnerabilities were found and reported by James Kupsch, Elisa Heymann, Eduardo Cesar
| |
| and Guifre Ruiz when carrying out detailed security vulnerability assessment of this package.
| |
| | |
| | |
| References
| |
| ==========
| |
| | |
| [R1] http://www.cs.wisc.edu/mist/includes/vuln.html
| |
| | |
| | |
| Timeline
| |
| ========
| |
| Yyyy-mm-dd
| |
| | |
| 2010-11-15 Vulnerability reported by James Kupsch
| |
| 2010-11-15 Acknowlegement from the EGI SVG to the reporter
| |
| 2010-11-15 Software providers responded and involved in investigation
| |
| 2010-11-19 Assessment by the EGI Software Vulnerability Group reported to the software providers
| |
| 2011-02-09 Updated packages available from gLite
| |
| Public disclosure delayed to allow patch to be produced for OSG usage
| |
| 2011-04-19 Public disclosure
| |
| | |
| | |
| On behalf of the EGI SVG
| |
|
| |
|
|
| |
|
| </pre> | | </pre> |
The wiki is deprecated and due to be decommissioned by the end of September 2022.