Latest revision as of 15:43, 14 January 2015
Advisory-SVG-2015-7980
** White information - unlimited distribution **
** see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions **

EGI SVG ADVISORY [EGI-SVG-2015-7980]

Title:   EGI SVG Advisory "Moderate" risk - DPM Wiki instructs insecure configuration if configured 'memcached' [SVG EGI-SVG-2015-7980]
Date:    2015-01-14
Updated:
URL:     https://wiki.egi.eu/wiki/SVG:Advisory-SVG-2015-7980

Introduction
============

Some instructions on the Wiki for DPM configuration instructed sites to configure insecurely if the DMLite memcache plugin is used. [R 1]

At least one site has been found to have this insecure configuration. This advisory therefore instructs sites that use DPM and configure 'memcached' to check their configuration and modify it if necessary.

These instructions have since been fixed.

Details
=======

On the DPM wiki there are instructions to configure the DPM cluster using the DMLite memcache plugin. [R 1]

If the instructions in the section entitled 'The memcached daemon' were followed, the memcached daemon is accessible from the whole world.

For many sites firewalling may prevent the exploitation of this vulnerability, although that was not the case for at least 1 site. It is not clear how many sites in the EGI infrastructure are vulnerable, but since any site that followed the wiki instructions is vulnerable, we must assume that it is not an isolated problem.

In this case the information which may be obtained is not considered particularly sensitive, hence the risk category.

Risk category
=============

This issue has been assessed as 'Moderate' risk by the EGI SVG Risk Assessment Team for sites configured insecurely.

Affected software
=================

DPM

This was a problem with the configuration instructions, NOT a problem with the software itself.

Mitigation
==========

The instructions should state:

  [root@lxfsra04a04 log]# cat /etc/sysconfig/memcached
  PORT="11211"
  USER="memcached"
  MAXCONN="8192"
  CACHESIZE="2048"
  OPTIONS="-l 127.0.0.1 -U 11211 -t 4"

It is the OPTIONS line that was previously incorrect.

Recommendations
===============

Sites that use DPM should check and modify their configuration if necessary as soon as possible.

Credit
======

This vulnerability was reported by David Groep from Nikhef.

References
==========

[R 1] https://svnweb.cern.ch/trac/lcgdm/wiki/Dpm/Admin/TuningHints

Timeline
========

2015-01-09 Vulnerability reported by David Groep from Nikhef
2015-01-12 Acknowledgement from the EGI SVG to the reporter
2015-01-12 Advisory drafted
2015-01-13 Risk assessment agreed
2015-01-13 Wiki fixed
2015-01-14 Advisory sent to sites
2015-01-14 Public disclosure
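The check a site administrator would run against the file above, as an added example (not part of the EGI advisory or of DPM): it parses the OPTIONS line of a memcached sysconfig file and reports whether the daemon is restricted to loopback, as the corrected instructions require. It assumes the double-quoted OPTIONS="..." form shown in the mitigation; the file path and the sample configurations it writes are constructed for the demonstration.

```shell
#!/bin/sh
# memcached_bind_check FILE
#   returns 0 if every -l address in OPTIONS is loopback,
#           1 if memcached would listen beyond localhost (no -l, or -l 0.0.0.0 / ::),
#           2 if FILE cannot be read.
memcached_bind_check() {
    cfg="${1:-/etc/sysconfig/memcached}"
    [ -r "$cfg" ] || return 2
    # Extract the value of OPTIONS="..." (the line the advisory says was wrong).
    opts=$(sed -n 's/^OPTIONS="\(.*\)"$/\1/p' "$cfg")
    listen=""
    set -- $opts
    while [ $# -gt 0 ]; do
        case "$1" in
            -l)  if [ $# -gt 1 ]; then shift; listen="$listen $(echo "$1" | tr ',' ' ')"; fi ;;
            -l*) listen="$listen $(echo "${1#-l}" | tr ',' ' ')" ;;
        esac
        shift
    done
    # No -l at all means memcached binds to all interfaces: the old wiki setting.
    [ -n "$(echo $listen)" ] || return 1
    for addr in $listen; do
        case "$addr" in
            127.*|::1|localhost) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

report() {
    if memcached_bind_check "$1"; then
        echo "OK: $1 binds memcached to loopback only"
    else
        echo "WARNING: $1 leaves memcached reachable beyond localhost; use OPTIONS=\"-l 127.0.0.1 -U 11211 -t 4\""
    fi
}

# Constructed samples: the pre-fix wiki style (no -l) and the corrected file.
demo_dir=$(mktemp -d)
printf 'PORT="11211"\nUSER="memcached"\nOPTIONS="-U 11211 -t 4"\n' > "$demo_dir/old_wiki"
printf 'PORT="11211"\nUSER="memcached"\nOPTIONS="-l 127.0.0.1 -U 11211 -t 4"\n' > "$demo_dir/fixed"
report "$demo_dir/old_wiki"
report "$demo_dir/fixed"
rm -rf "$demo_dir"
```

Run it against the real file with `memcached_bind_check /etc/sysconfig/memcached`; a bind to loopback only means the daemon is no longer exposed regardless of firewall state.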