SVG:Advisory-SVG-2015-10121
Jump to navigation
Jump to search
The printable version is no longer supported and may have rendering errors. Please update your browser bookmarks and please use the default browser print function instead.
Main page | Software Security Checklist | Issue Handling | Advisories | Notes On Risk | Advisory Template | More |
Advisory-SVG-2015-10121
Title: EGI SVG Advisory [TLP:White] 'Low' risk dCache WebDAV interface XXE vulnerability [EGI-SVG-2015-10121] Date: 2016-06-20 Updated: Affected Software and Risk ========================== LOW risk XXE vulnerability concerning dCache WebDAV interface Package : dCache Actions Required/Recommended ============================ Sites are recommended to update relevant components in due course. Affected software Details. ========================== dCache versions affected: 2.10.45 or earlier, 2.11.36 or earlier, 2.12.25 or earlier, 2.13.13 or earlier, 2.14.1 or earlier. dCache versions not affected: 2.10.46 or later, 2.11.37 or later, 2.12.26 or later, 2.13.14 or later, 2.14.2 or later, 2.15.0 or later More information ================ WebDAV is a protocol, based on HTTP, that makes use of XML as a machine-readable format. The XML External Entity (XXE) processing feature of XML make services that use it, like WebDAV, potentially vulnerable to attacks. An XXE problem was identified with the Milton library. dCache uses this library to process WebDAV requests. More information on the XML External Entity Vulnerability is available at [R 1] Details from the dCache team:-- We've been notified of a vulnerability in dCache WebDAV interface. Background: WebDAV is a protocol, based on HTTP, that makes use of XML as a machine-readable format. The XML External Entity (XXE) processing feature of XML make services that use it, like WebDAV, potentially vulnerable to attacks. The problem: An XXE problem was identified with the Milton library. dCache uses this library to process WebDAV requests. The following has been announced to the milton library users mailing list: Milton Security Vulnerability Notice A security vulnerability has been discovered in Milton and a fixed update is available. This email is being sent from milton.io to customers who have registered or previously submitted a contact request through the milton website. If you're not the technical contact please pass this message on as appropriate. Details of the security vulnerability The XML parser used in within the Milton framework allows general entities to be parsed, which allows remote files to be loaded. This means that XML requests such as PROPFIND and REPORT can include DOCTYPE delcarations which reference external entities and the parse will attempt to retrieve them. This was previously patched for external entities, but this new vulnerability has been discovered which affected general entities https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing http://www.brainbell.com/tutors/XML/XML_Book_B/External_Parsed_General_Entities.htm This leads to the following issues: Port scan XML DOCTYPE definitions and entities (external / parameter) may be abused to scan the internal network where the vulnerable application is located. An attacker may supply a protocol, an IP address followed by the port to scan. E.g.: http://10.11.12.13 [lookup IP][Add IP]:1204 While creating a DOM the vulnerable parser will resolve the given URL. Depending on the response times and behaviour of the application using Milton it might be guessed which ports on the specified host are open. This may as well be abused to determine, which ports aren’t blocked by the outgoing firewall. Server Side Request Forgery XML DOCTYPE definitions and entities (external / parameter) may be abused to trigger requests on other systems, which may not be directly reachable by the attacker but are reachable by the vulnerable application. This means that an adversary might attack internal systems where no access would have been possible without the SSRF vulnerability. XML External Entity Attacks XML External Entities allow the XML Parser to include external resources. These resources may reside on the local system or the network. Resolution Milton 2.7.0.3 [lookup IP][Add IP] has been release hardens the configuration of the parsers so they will not attempt to retrieve remote resources. You should apply this release to your affected systems as soon as possible. The next cycle of dCache releases will update the milton library to the recommended version. We can do this "silently" to allow us to prepare a reasonable advisory. Here is our assessment of the vulnerabilities: Both the port scan and the "XML External Entity (XXE)" attacks requires the server to "echo" part of the request in the response. The current mechanisms to achieve this is via user-controlled properties (i.e., arbitrary metadata), which dCache does not support. Unless some other mechanism is found, dCache is NOT vulnerable to port-scan or XXE attacks. The "Server Side Request Forgery" attack is possible, but the response will not be accessible to the attacker. This could be used to attempt a Denial-of-Service attack on services accessible from dCache WebDAV door or trigger some activity, but cannot be used to obtain protected information. Mitigation ========== N/A Component installation information ================================== The official repository for the distribution of grid middleware for EGI sites is repository.egi.eu which contains the EGI Unified Middleware Distribution (UMD). Sites using the EGI UMD 4 should see: http://repository.egi.eu/category/umd_releases/distribution/umd-4/ dCache version 2.13.28 is available in UMD-4.1.0 http://repository.egi.eu/2016/05/27/release-umd-4-1-0/ Sites using the EGI UMD 3 should see: http://repository.egi.eu/category/umd_releases/distribution/umd-3/ dCache version 2.10.56 is available in UMD-3.14.2 Sites who wish to install directly from the dCache site, which includes all patched versions should see: https://www.dcache.org/downloads/IAgree.shtml TLP and URL =========== ** WHITE information - Unlimited distribution ** ** see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions** URL: https://wiki.egi.eu/wiki/SVG:Advisory-SVG-2015-10121 Minor updates may be made without re-distribution to the sites Credit ====== This vulnerability was reported by Paul Miller from dCache References ========== [R 1] https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing Comments ======== Comments or questions should be sent to svg-rat at mailman.egi.eu If you find or become aware of a vulnerability which is relevant to EGI you may report it by e-mail to report-vulnerability at egi.eu the EGI Software Vulnerability Group will take a look. Timeline ======== Yyyy-mm-dd [EGI-SVG-2015-10121] 2015-12-01 Vulnerability reported by Paul Miller 2015-12-01 Acknowledgement from the EGI SVG to the reporter 2015-12-10 EGI SVG Risk Assessment completed 2015-12-10 Assessment by the EGI Software Vulnerability Group reported to the software providers 2016-06-08 Updated packages available at dCache sites and in UMD 4 2016-06-16 Updated packages available in UMD 3 2016-06-20 Advisory/Alert sent to sites 2016-06-20 Public disclosure On behalf of the EGI SVG,