SVG:Advisory-SVG-2016-11476
Jump to navigation
Jump to search
Main page | Software Security Checklist | Issue Handling | Advisories | Notes On Risk | Advisory Template | More |
Advisory-SVG-2016-11476
Title: EGI SVG Advisory 'CRITICAL' risk - gridsite impersonation vulnerability [EGI-SVG-2016-11476] Date: 2016-09-21 Updated: 2016-10-10 - changed to 'white' Affected software and risk ========================== CRITICAL risk vulnerability concerning gridsite /canl-c Package : canl-c CVE ID : N/A A vulnerability has been found in the canl-c library which is used by gridsite where it is possible for a user with any certificate, including a self-created one, to impersonate any other user. This is present in all recent versions of gridsite up to version 2.2.5, and all versions of canl-c up to and including 2.1.6. Actions required/recommended ============================ Sites running gridsite/canl-c are required to urgently install updates. Please ensure all potentially affected services are restarted after the update. In particular for the DPM, FTS, and LFC: service httpd restart All running resources MUST be patched or software removed by 2016-09-29 00:00 UTC Sites failing to act and/or failing to respond to requests from the EGI CSIRT team risk site suspension. Affected software details ========================= This is fixed in caNl-c version 2.1.7-1. Earlier versions are all likely to be affected. Affected software dependent on this include:-- anything which depends on Gridsite DPM LFC FTS - but only in limited circumstances. WMS - ditto Also the CREAM CE uses GridSite, but it turns out not to be affected. More information ================ The reporter recently discovered a security vulnerability in gridsite, through which it is possible to impersonate any user with the help of a specially-crafted proxy. The error was found to be in the caNl-c software, on which gridsite depends. This vulnerability is exploitable in cases where authorization is dependent on DN only, using caNl-C, and the attacker has created a specially crafted certificate. The services most affected are DPM and LFC. For these services an attacker can impersonate any user of any VO supported by that service, though only with an unprivileged role. Privileged roles generally require authorization via VOMS. For The DPM and LFC this would give read and/or write access according to the ACLs for the files and directories of the chosen VO. For example, the impersonated user could have access to a group-writable area and delete or modify data of other users. FTS is also affected in a less extensive manner. Mitigation ========== N/A Component installation information ================================== The official repository for the distribution of grid middleware for EGI sites is repository.egi.eu which contains the EGI Unified Middleware Distribution (UMD). Sites using the EGI UMD 4 should see: http://repository.egi.eu/category/umd_releases/distribution/umd-4/ Further information including links to detailed release notes are available from https://wiki.egi.eu/wiki/UMD-4:UMD-4.2.1 Sites using the EGI UMD 3 should see: http://repository.egi.eu/category/umd_releases/distribution/umd-3/ Further information including links to detailed release notes are available from https://wiki.egi.eu/wiki/UMD-3:UMD-3.14.4 Sites who wish to install directly from the github site should see: https://github.com/CESNET/canl-c/wiki/caNl-c-Release-Page#caNlc_2171 TLP and URL =========== ** WHITE information -Unlimited distribution - see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions ** URL: https://wiki.egi.eu/wiki/SVG:Advisory-SVG-2016-11476 Minor updates may be made without re-distribution to the sites Credit ====== This vulnerability was discovered and reported by Georgios Bitzes from CERN. Extensive testing and work to resolve this issue carried out by Daniel Kouril, Maarten Litmaath, Georgios Bitzes, Andrea Ceccanti and others. References ========== Comments ======== Comments or questions should be sent to svg-rat at mailman.egi.eu If you find or become aware of a vulnerability which is relevant to EGI you may report it by e-mail to report-vulnerability at egi.eu the EGI Software Vulnerability Group will take a look. Timeline ======== Yyyy-mm-dd [EGI-SVG-2016-11476] 2016-08-17 Vulnerability reported by Georgios Bitzes from CERN 2016-08-17 Acknowledgement from the EGI SVG to the reporter 2016-08-17 Software providers responded and involved in investigation/resolution 2016-08-22 EGI SVG Risk Assessment completed 2016-08-22 Assessment by the EGI Software Vulnerability Group reported to the software providers 2016-08-22 Software fix produced and tested 2016------ Some issues with verification/release 2016-09-21 Updated packages available in the EGI UMD 2016-09-21 Advisory/Alert sent to sites 2016-10-10 Public disclosure On behalf of the EGI SVG,