The wiki is deprecated and due to be decommissioned by the end of September 2022.
The content is being migrated to other supports, new updates will be ignored and lost.
If needed you can get in touch with EGI SDIS team using operations @ egi.eu.
Difference between revisions of "SVG:Advisory-SVG-2014-7696"
Jump to navigation
Jump to search
(Created page with "{{svg-header}} <pre> Placeholder for 7696 - this advisory has not been released yet. </pre.") |
|||
| (One intermediate revision by the same user not shown) | |||
| Line 3: | Line 3: | ||
<pre> | <pre> | ||
** WHITE information - unlimited distribution ** | |||
</pre | ** see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions ** | ||
EGI SVG ADVISORY [EGI-SVG-2014-7696] | |||
Title: EGI SVG Advisory 'High' risk FTS3 and GFAL2 allow attacker to impersonate other users | |||
and destroy their data [EGI-SVG-2014-7696] | |||
Date: 2014-12-08 | |||
Updated: 2014-12-10 | |||
This advisory will be placed on the wiki on or after 2014-12-22 | |||
URL: https://wiki.egi.eu/wiki/SVG:Advisory-SVG-2014-7696 | |||
Introduction | |||
============ | |||
2 vulnerabilities have been found concerning FTS3 and GFAL2 which allow an authorized user to access, write, | |||
and delete files with other authorized users credentials. | |||
These vulnerabilities have been fixed in the versions of FTS3 and GFAL2 available for use in the EGI | |||
infrastructure. | |||
Updated 10th December 2014 - clarify difference in cases where FTS3 server is running and where only GFAL | |||
is running. | |||
Details | |||
======= | |||
2 vulnerabilities have been found concerning FTS3 and GFAL2. | |||
These allow an authorized user to attack and destroy other user's data, and remove traces of what they have done. | |||
1. The vulnerability that affects FTS3 allows an attacker *with valid credentials* to delete or submit | |||
files with any other user credentials (e.g. trigger a transfer or a deletion using ATLAS or LHCb | |||
delegated credentials) | |||
2. The vulnerability that affects GFAL2 allows an attacker *with valid credentials* that controls an | |||
endpoint *with a valid certificate* to trigger a transfer copying any local file that FTS3 can read | |||
to a remote storage. This includes user's proxies and the server certificate and private key, among others. | |||
This attack cannot be detected unless debug output was enabled for the offending job, which is unlikely. | |||
Risk category | |||
============= | |||
These issues have been assessed as 'High' risk by the EGI SVG Risk Assessment Team This is considered | |||
the more serious end of 'High'. | |||
Affected software | |||
================= | |||
Fixed in FTS 3.2.30 | |||
earlier versions are likely to be vulnerable. | |||
Fixed in GFAL 2.8 and backported to GFAL 2.7.8. | |||
earlier versions are likely to be vulnerable. | |||
Mitigation | |||
========== | |||
N/A. | |||
Component installation information | |||
================================== | |||
Non vulnerable versions of FTS3 and GFAL may obtained from:-- | |||
http://grid-deployment.web.cern.ch/grid-deployment/dms/fts3/repos/el6/x86_64/ | |||
GFAL is available in EPEL | |||
https://fedoraproject.org/wiki/EPEL | |||
(FTS3 is also in EPEL testing) | |||
Recommendations | |||
=============== | |||
Updated 10th December 2014 | |||
Sites running FTS servers should update urgently if they have not already done so. | |||
Other sites should install the fixed GFAL package as part of normal routine updates. | |||
Other information | |||
================= | |||
Added 10th December 2014 | |||
We have had some requests for further information concerning the use of GFAL2 on nodes other than FTS servers. | |||
We have discussed further with the software providers, the UKNGI security team, and the SVG found that:-- | |||
1) In the case of an FTS3 server, the vulnerability is serious as described above, and sites should update both | |||
the FTS3 package (to at least 3.2.30-1) and the GFAL2 package (to at least 2.7.8-1) urgently. | |||
2) For other node types with the GFAL2 clients installed (e.g. Worker Nodes and UIs), it is less | |||
serious and requires quite a contrived situation to exploit. So we recommend installing the fixed | |||
GFAL2 package as part of normal routine updates. | |||
Finally, GFAL 2.8 is expected to be released in February, but we would still suggest that sites | |||
install the fixed 2.7.8-1 release in the interim, rather than waiting. | |||
Credit | |||
====== | |||
These vulnerabilities were reported by Alejandro Alvarez Ayllon from the FTS3 product team at CERN. | |||
Timeline | |||
======== | |||
Yyyy-mm-dd | |||
2014-11-18 Vulnerability reported by Alejandro Alvarez Ayllon from the product team | |||
2014-11-18 Acknowledgement from the EGI SVG to the reporter | |||
2014-11-20 Assessment by the EGI Software Vulnerability Group reported to the software providers | |||
2014-12-04 Discussion on advisory and updates 2014-12-?? Updated packages available | |||
2014-12-08 Advisory sent to sites. | |||
2014-12-10 Updated advisory sent | |||
2015-01-15 Public disclosure | |||
</pre> | |||
Latest revision as of 15:49, 14 January 2015
| Main page | Software Security Checklist | Issue Handling | Advisories | Notes On Risk | Advisory Template | More |
Advisory-SVG-2014-7696
** WHITE information - unlimited distribution **
** see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions **
EGI SVG ADVISORY [EGI-SVG-2014-7696]
Title: EGI SVG Advisory 'High' risk FTS3 and GFAL2 allow attacker to impersonate other users
and destroy their data [EGI-SVG-2014-7696]
Date: 2014-12-08
Updated: 2014-12-10
This advisory will be placed on the wiki on or after 2014-12-22
URL: https://wiki.egi.eu/wiki/SVG:Advisory-SVG-2014-7696
Introduction
============
2 vulnerabilities have been found concerning FTS3 and GFAL2 which allow an authorized user to access, write,
and delete files with other authorized users credentials.
These vulnerabilities have been fixed in the versions of FTS3 and GFAL2 available for use in the EGI
infrastructure.
Updated 10th December 2014 - clarify difference in cases where FTS3 server is running and where only GFAL
is running.
Details
=======
2 vulnerabilities have been found concerning FTS3 and GFAL2.
These allow an authorized user to attack and destroy other user's data, and remove traces of what they have done.
1. The vulnerability that affects FTS3 allows an attacker *with valid credentials* to delete or submit
files with any other user credentials (e.g. trigger a transfer or a deletion using ATLAS or LHCb
delegated credentials)
2. The vulnerability that affects GFAL2 allows an attacker *with valid credentials* that controls an
endpoint *with a valid certificate* to trigger a transfer copying any local file that FTS3 can read
to a remote storage. This includes user's proxies and the server certificate and private key, among others.
This attack cannot be detected unless debug output was enabled for the offending job, which is unlikely.
Risk category
=============
These issues have been assessed as 'High' risk by the EGI SVG Risk Assessment Team This is considered
the more serious end of 'High'.
Affected software
=================
Fixed in FTS 3.2.30
earlier versions are likely to be vulnerable.
Fixed in GFAL 2.8 and backported to GFAL 2.7.8.
earlier versions are likely to be vulnerable.
Mitigation
==========
N/A.
Component installation information
==================================
Non vulnerable versions of FTS3 and GFAL may obtained from:--
http://grid-deployment.web.cern.ch/grid-deployment/dms/fts3/repos/el6/x86_64/
GFAL is available in EPEL
https://fedoraproject.org/wiki/EPEL
(FTS3 is also in EPEL testing)
Recommendations
===============
Updated 10th December 2014
Sites running FTS servers should update urgently if they have not already done so.
Other sites should install the fixed GFAL package as part of normal routine updates.
Other information
=================
Added 10th December 2014
We have had some requests for further information concerning the use of GFAL2 on nodes other than FTS servers.
We have discussed further with the software providers, the UKNGI security team, and the SVG found that:--
1) In the case of an FTS3 server, the vulnerability is serious as described above, and sites should update both
the FTS3 package (to at least 3.2.30-1) and the GFAL2 package (to at least 2.7.8-1) urgently.
2) For other node types with the GFAL2 clients installed (e.g. Worker Nodes and UIs), it is less
serious and requires quite a contrived situation to exploit. So we recommend installing the fixed
GFAL2 package as part of normal routine updates.
Finally, GFAL 2.8 is expected to be released in February, but we would still suggest that sites
install the fixed 2.7.8-1 release in the interim, rather than waiting.
Credit
======
These vulnerabilities were reported by Alejandro Alvarez Ayllon from the FTS3 product team at CERN.
Timeline
========
Yyyy-mm-dd
2014-11-18 Vulnerability reported by Alejandro Alvarez Ayllon from the product team
2014-11-18 Acknowledgement from the EGI SVG to the reporter
2014-11-20 Assessment by the EGI Software Vulnerability Group reported to the software providers
2014-12-04 Discussion on advisory and updates 2014-12-?? Updated packages available
2014-12-08 Advisory sent to sites.
2014-12-10 Updated advisory sent
2015-01-15 Public disclosure