The wiki is deprecated and due to be decommissioned by the end of September 2022.
The content is being migrated to other supports, new updates will be ignored and lost.
If needed you can get in touch with EGI SDIS team using operations @ egi.eu.
SVG:Advisory-SVG-2015-7980
Revision as of 15:43, 14 January 2015 by imported>Cornwall (Created page with "{{svg-header}} <pre> ** White information - unlimited distribution ** ** see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restriction...")
| Main page | Software Security Checklist | Issue Handling | Advisories | Notes On Risk | Advisory Template | More |
Advisory-SVG-2015-7980
** White information - unlimited distribution **
** see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions **
EGI SVG ADVISORY [EGI-SVG-2015-7980]
Title: EGI SVG Advisory "Moderate" risk - DPM Wiki instructs insecure configuration
if configured 'memcached' [SVG EGI-SVG-2015-7980]
Date: 2015-01-14
Updated:
URL: https://wiki.egi.eu/wiki/SVG:Advisory-SVG-2015-7980
Introduction
============
Some instructions on the Wiki for DPM configuration instructed sites to configure insecurely
if the DMLite memcache plugin is used. [R 1]
At least one site has been found to have this insecure configuration. Therefore this advisory
is to instruct sites who use DPM and configure 'memcached' to check their configuration and modify
if necessary.
These instructions have since been fixed.
Details
=======
On the DPM wiki there are instructions to configue the DPM cluster using the DMLite memcache plugin. [R 1]
If the instructions in the section entitled 'The memcached daemon' were followed the memcached is
accessible from the whole world. For many sites firewalling may prevent the exploitation of this
vulnerability, although that was not the case for at least 1 site.
It is not clear how many sites in the EGI infrastructure are vulnerable, but since any that followed
the wiki instructions are vulnerable we must assume that it is not an isolated problem.
In this case the information which may be obtained is not considered particularly sensitive,
hence the risk category.
Risk category
=============
This issue has been assessed as 'Moderate' risk by the EGI SVG Risk Assessment Team for sites configured
insecurely
Affected software
=================
DPM
This was a problem with the configuration instructions NOT a problem with the software itself.
Mitigation
==========
The instructions should state:--
[root@lxfsra04a04 log]# cat /etc/sysconfig/memcached PORT="11211"
USER="memcached"
MAXCONN="8192"
CACHESIZE="2048"
OPTIONS="-l 127.0.0.1 -U 11211 -t 4"
- it's the OPTIONS that was previously incorrect.
Recommendations
===============
Sites who use DPM should check and modify their configuration if necessary as soon as possible.
Credit
======
This vulnerability was reported by David Groep from Nikhef.
References
==========
[R 1] https://svnweb.cern.ch/trac/lcgdm/wiki/Dpm/Admin/TuningHints
Timeline
========
Yyyy-mm-dd
2015-01-09 Vulnerability reported by David Groep from Nikhef
2015-01-12 Acknowledgement from the EGI SVG to the reporter
2015-01-12 Advisory drafted.
2015-01-13 Risk assessment agreed
2015-01-13 Wiki fixed
2015-01-14 Advisory sent to sites
2015-01-14 Public disclosure