The wiki is deprecated and due to be decommissioned by the end of September 2022.
The content is being migrated to other supports; new updates will be ignored and lost.
If needed you can get in touch with the EGI SDIS team using operations @ egi.eu.

Difference between revisions of "SVG:Advisory-SVG-2016-11255"

From EGIWiki
Line 3 (present only in the earlier of the two revisions compared):

This advisory was sent to sites on 4th July 2016 and will be placed here on or after 18th July 2016.

Revision as of 16:28, 18 July 2016


Advisory-SVG-2016-11255




Title:       EGI SVG Advisory [TLP:AMBER] Up to 'HIGH' risk DIRAC configuration - 
             database passwords visible on Dirac interface [EGI-SVG-2016-11255]  

Date:        2016-07-04
Updated:     


Affected software and risk
==========================

Up to 'HIGH' risk - Dirac database passwords visible on Dirac interface 

Package: DIRAC

One site has been found where database passwords are visible on the DIRAC interface.
It is not known how widespread this problem is, and how serious the risk is depends on
how each DIRAC site is configured and what users can access.

Actions required/recommended
============================

Sites running DIRAC should check using the Mitigation below whether their sites are vulnerable, 
and carry out the actions described below if they are.

Affected software details
=========================

This problem was found at a site running v6r15 with WebApp v1r6p26 already installed.
It is not clear whether any specific versions are free from this problem.

Sites that have installed their software according to [R 1], which was updated on 24th June 2016,
should avoid this problem.

Mitigation
==========

This mitigation was provided by the DIRAC team.

Sites can check by: 

- load the Configuration Manager application from the LHCb WebApp Portal
- hit "download" or "view as text" buttons
- grep for "Password"
- if you don't find any, be happy
- if you do, and it contains your DB password, keep reading

Affected sites should fix this by:

- log into your server machine(s)
- define in $DIRACROOT/etc/dirac.cfg the following: 
LocalInstallation {
  Database
  {
    #User name used to connect the DB server
    User = thisIsAUser #this is by default "Dirac"
    #Password for database user access. Must be set for SystemAdministrator Service to work
    Password = thisIsAPassword #the one used for mysql -uDirac -p
    #Password for root DB user. Must be set for SystemAdministrator Service to work
    RootUser = thisIsAAdminUser #either 'root' or 'admin'
    RootPwd = thisIsAAdminPassword
  }
}

- Restart the DIRAC components
- Remove the entry "Password" from the Configuration Manager App
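As an added example (not part of the advisory, and not DIRAC's own code), the Python script below makes the "grep for Password" check above structural: it parses a configuration text export of the kind the Configuration Manager's "view as text" button produces, using a minimal parser for the brace-delimited syntax shown in the dirac.cfg fragment, and reports the full section path of every option whose name ends in Password or Pwd. The sample export, the "ExampleDB" section name and the parse_cfg/check_export function names are constructed for this illustration; they are not DIRAC configuration paths or DIRAC APIs.

```python
"""Flag secret-bearing options in a DIRAC-style configuration text export.
Added example for this advisory; the parser is a minimal one written for this
check, not DIRAC's own CFG class, and every sample below is constructed."""
import re
from typing import Dict, List, Tuple

# Option names that carry a database secret in the advisory's dirac.cfg
# fragment ("Password", "RootPwd"), matched case-insensitively on the suffix.
SECRET_KEY_PATTERN = re.compile(r"(password|pwd)$", re.IGNORECASE)

def _strip_comment(line: str) -> str:
    """Drop a '#' comment, full-line or trailing, as the cfg samples use them."""
    idx = line.find("#")
    return line if idx < 0 else line[:idx]

def parse_cfg(text: str) -> Dict:
    """Parse nested 'Section { ... }' blocks and 'key = value' options into dicts.
    Both 'Section {' and 'Section' with '{' on the next line are accepted, since
    the advisory's fragment uses both forms."""
    root: Dict = {}
    stack: List[Dict] = [root]
    pending_name = None  # section name seen; its '{' must come next
    for raw in text.splitlines():
        line = _strip_comment(raw).strip()
        if not line:
            continue
        if line == "{":
            if pending_name is None:
                raise ValueError("'{' without a preceding section name")
            stack.append(stack[-1].setdefault(pending_name, {}))
            pending_name = None
        elif pending_name is not None:
            raise ValueError(f"section {pending_name!r} not followed by '{{'")
        elif line == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced '}'")
            stack.pop()
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            stack[-1][key] = value
        elif line.endswith("{"):
            stack.append(stack[-1].setdefault(line[:-1].strip(), {}))
        else:
            pending_name = line
    if len(stack) != 1:
        raise ValueError("unterminated section")
    return root

def find_secret_keys(cfg: Dict, path: str = "") -> List[Tuple[str, str]]:
    """Return (full option path, value) for every option whose name looks secret."""
    found: List[Tuple[str, str]] = []
    for key, value in cfg.items():
        if isinstance(value, dict):
            found.extend(find_secret_keys(value, f"{path}/{key}"))
        elif SECRET_KEY_PATTERN.search(key):
            found.append((f"{path}/{key}", value))
    return found

def check_export(text: str) -> List[Tuple[str, str]]:
    """The advisory's 'grep for Password' check, keeping the section path."""
    return find_secret_keys(parse_cfg(text))

# Constructed stand-in for a Configuration Manager "view as text" export in which
# a database password is readable by ordinary portal users.  "ExampleDB" is a
# placeholder section name, not a real DIRAC configuration path.
EXPOSED_EXPORT = """
DIRAC
{
  Setup = Production
}
Systems {
  ExampleDB
  {
    User = Dirac
    Password = thisIsAPassword  # constructed sample value
  }
}
"""

# The advisory's own dirac.cfg fragment: secrets are expected here, since this
# file stays on the server instead of being served through the portal.
LOCAL_CFG = """
LocalInstallation {
  Database
  {
    User = thisIsAUser #this is by default "Dirac"
    Password = thisIsAPassword #the one used for mysql -uDirac -p
    RootUser = thisIsAAdminUser #either 'root' or 'admin'
    RootPwd = thisIsAAdminPassword
  }
}
"""

if __name__ == "__main__":
    for label, text in (("portal export", EXPOSED_EXPORT), ("local dirac.cfg", LOCAL_CFG)):
        for option_path, value in check_export(text):
            print(f"{label}: {option_path} = {value!r}")
```

A hit in the portal export is the condition the advisory describes (the site is affected and should move the value into LocalInstallation/Database in the local dirac.cfg and remove it from the Configuration Manager); hits in the local dirac.cfg are where the secrets belong. Because the parser treats everything after a '#' as a comment, exactly as the fragment's inline comments require, a password value that itself contains '#' is reported truncated, but the option is still flagged.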


More information
================

Original report:

----------------

We noticed that our test dirac instance running v6r15 with WebApp
v1r6p26 displays a database password in the web interface in plain text
to any user that has access to this dirac instance. We currently don't
see this problem on our v6r14 production dirac server which uses the
'old' dirac interface and not the WebApp.

A quick cross-check with one of my LHCb colleagues confirms that they
are able to see the database passwords on the LHCb dirac instance's
web interface without any elevated privileges, just as plain lhcb_user.

-----------------

Note that it is not clear how many sites are affected.

The DIRAC team has stated that sites that install following the instructions
at [R 1], as updated on 24th June 2016, should avoid this problem.

Further investigations are ongoing by the DIRAC team, including whether any improvements
are needed to the DIRAC WebApp code so that this cannot happen again.
 

Component installation information
==================================

Documentation on DIRAC installation is available at [R 1], which was updated on 24th June 2016 to avoid this problem.

See also [R 2].


TLP and URL
===========

** WHITE information - Unlimited distribution - see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions **

URL:   https://wiki.egi.eu/wiki/SVG:Advisory-SVG-2016-11255 

Minor updates may be made without re-distribution to the sites

Credit
======

This vulnerability was reported by Daniela Bauer from Imperial College, London UK.

References
==========

[R 1] http://dirac.readthedocs.io/en/latest/AdministratorGuide/InstallingDIRACService/index.html

[R 2] https://github.com/DIRACGrid/DIRAC/wiki

Comments
========

Comments or questions should be sent to svg-rat  at  mailman.egi.eu

If you find or become aware of a vulnerability which is relevant to EGI you may report it by e-mail to

report-vulnerability at egi.eu

The EGI Software Vulnerability Group will take a look.


Timeline  
========
Yyyy-mm-dd  [EGI-SVG-2016-11255] 

2016-06-16 Vulnerability reported by Daniela Bauer 
2016-06-17 Acknowledgement from the EGI SVG to the reporter
2016-06-21 Software providers responded and involved in investigation
2016-06--- Investigation of vulnerability carried out 
2016-06-24 DIRAC updated documentation such that sites following new documentation should 
           not be vulnerable.
2016-06-28 Instructions received for other sites to check if they are vulnerable
2016-06-29 Risk unclear. 
2016-07-04 Advisory/Alert sent to sites suggesting checking their installations
2016-07-18 Public disclosure


On behalf of the EGI SVG,