https://wiki.egi.eu/w/index.php?title=SVG:Advisory-SVG-2015-7980&feed=atom&action=historySVG:Advisory-SVG-2015-7980 - Revision history2024-03-29T09:08:27ZRevision history for this page on the wikiMediaWiki 1.37.1https://wiki.egi.eu/w/index.php?title=SVG:Advisory-SVG-2015-7980&diff=109285&oldid=previmported>Cornwall: Created page with "{{svg-header}} <pre> ** White information - unlimited distribution ** ** see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restriction..."2015-01-14T13:43:47Z<p>Created page with "{{svg-header}} <pre> ** White information - unlimited distribution ** ** see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restriction..."</p>
<p><b>New page</b></p><div>{{svg-header}}<br />
<br />
<pre><br />
** White information - unlimited distribution ** <br />
<br />
** see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions **<br />
<br />
EGI SVG ADVISORY [EGI-SVG-2015-7980] <br />
<br />
Title: EGI SVG Advisory "Moderate" risk - DPM Wiki instructs insecure configuration <br />
if configured 'memcached' [SVG EGI-SVG-2015-7980]<br />
<br />
Date: 2015-01-14 <br />
Updated: <br />
<br />
<br />
URL: https://wiki.egi.eu/wiki/SVG:Advisory-SVG-2015-7980<br />
<br />
Introduction<br />
============<br />
<br />
Some instructions on the Wiki for DPM configuration instructed sites to configure insecurely <br />
if the DMLite memcache plugin is used. [R 1]<br />
<br />
At least one site has been found to have this insecure configuration. Therefore this advisory <br />
is to instruct sites who use DPM and configure 'memcached' to check their configuration and modify <br />
if necessary. <br />
<br />
These instructions have since been fixed. <br />
<br />
Details<br />
=======<br />
<br />
On the DPM wiki there are instructions to configure the DPM cluster using the DMLite memcache plugin. [R 1]<br />
<br />
If the instructions in the section entitled 'The memcached daemon' were followed, the memcached daemon is <br />
accessible from the whole world. For many sites firewalling may prevent the exploitation of this <br />
vulnerability, although that was not the case for at least one site.<br />
<br />
It is not clear how many sites in the EGI infrastructure are vulnerable, but since any that followed <br />
the wiki instructions are vulnerable we must assume that it is not an isolated problem. <br />
<br />
In this case the information which may be obtained is not considered particularly sensitive, <br />
hence the risk category. <br />
<br />
<br />
Risk category<br />
=============<br />
<br />
This issue has been assessed as 'Moderate' risk by the EGI SVG Risk Assessment Team for sites configured <br />
insecurely. <br />
<br />
Affected software<br />
=================<br />
<br />
DPM <br />
<br />
This was a problem with the configuration instructions NOT a problem with the software itself. <br />
<br />
<br />
Mitigation<br />
==========<br />
<br />
The instructions should state: <br />
<br />
[root@lxfsra04a04 log]# cat /etc/sysconfig/memcached<br />
PORT="11211"<br />
USER="memcached"<br />
MAXCONN="8192"<br />
CACHESIZE="2048"<br />
OPTIONS="-l 127.0.0.1 -U 11211 -t 4"<br />
<br />
- it is the OPTIONS line that was previously incorrect. <br />
<br />
Recommendations<br />
===============<br />
<br />
Sites who use DPM should check and modify their configuration if necessary as soon as possible. <br />
<br />
<br />
Credit<br />
======<br />
<br />
This vulnerability was reported by David Groep from Nikhef. <br />
<br />
<br />
References<br />
==========<br />
<br />
[R 1] https://svnweb.cern.ch/trac/lcgdm/wiki/Dpm/Admin/TuningHints<br />
<br />
Timeline <br />
========<br />
Yyyy-mm-dd<br />
<br />
2015-01-09 Vulnerability reported by David Groep from Nikhef <br />
2015-01-12 Acknowledgement from the EGI SVG to the reporter<br />
2015-01-12 Advisory drafted.<br />
2015-01-13 Risk assessment agreed <br />
2015-01-13 Wiki fixed<br />
2015-01-14 Advisory sent to sites<br />
2015-01-14 Public disclosure<br />
<br />
<br />
</pre></div>Cornwall
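A check a site administrator could run against the /etc/sysconfig/memcached file shown in the Mitigation section above, verifying that OPTIONS binds memcached to the loopback address only. This is an added example, not part of the advisory or of DPM; the sample files are constructed, and the insecure variant illustrates a missing -l option rather than reproducing the original wiki wording.

```shell
#!/bin/sh
# Added example (not from the EGI advisory or DPM): audit a Red Hat style
# /etc/sysconfig/memcached file and report whether memcached is bound to
# the loopback address only, as the corrected wiki instructions require.
# The file is parsed rather than sourced, so a hostile file cannot run code.

# check_memcached_sysconfig FILE -> prints a verdict; returns 0 if secure, 1 if not
check_memcached_sysconfig() {
    file="$1"
    # Extract the OPTIONS value (surrounding quotes optional).
    opts=$(sed -n 's/^OPTIONS="\{0,1\}\([^"]*\)"\{0,1\}.*$/\1/p' "$file")
    listen_seen=0
    set -- $opts
    while [ $# -gt 0 ]; do
        if [ "$1" = "-l" ]; then
            listen_seen=1
            # -l may carry a comma separated list of addresses, each with an optional :port
            for addr in $(printf '%s' "$2" | tr ',' ' '); do
                case "$addr" in
                    127.0.0.1|127.0.0.1:*|localhost|localhost:*|::1) ;;
                    *) echo "insecure: -l $addr is not a loopback address"; return 1 ;;
                esac
            done
            shift
        fi
        shift
    done
    if [ "$listen_seen" -eq 0 ]; then
        # memcached listens on every interface when no -l is given
        echo "insecure: no -l option, memcached listens on all interfaces by default"
        return 1
    fi
    echo "secure: memcached bound to loopback only"
    return 0
}

# Constructed sample files: the corrected configuration from the advisory,
# and an insecure variant with no -l option (illustrative, not the wiki's text).
good_cfg=$(mktemp); bad_cfg=$(mktemp)
printf 'PORT="11211"\nUSER="memcached"\nMAXCONN="8192"\nCACHESIZE="2048"\nOPTIONS="-l 127.0.0.1 -U 11211 -t 4"\n' > "$good_cfg"
printf 'PORT="11211"\nUSER="memcached"\nOPTIONS="-U 11211 -t 4"\n' > "$bad_cfg"

check_memcached_sysconfig "$good_cfg"
check_memcached_sysconfig "$bad_cfg" || true
```

Run it on a live host with `check_memcached_sysconfig /etc/sysconfig/memcached`; a non-zero exit means the OPTIONS line still needs the `-l 127.0.0.1` fix from the Mitigation section.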