Alert.png The wiki is deprecated and due to be decommissioned by the end of September 2022.
The content is being migrated to other supports, new updates will be ignored and lost.
If needed you can get in touch with EGI SDIS team using operations @ egi.eu.

SVG:Advisory-SVG-2012-4600

From EGIWiki
Jump to navigation Jump to search
Main page Software Security Checklist Issue Handling Advisories Notes On Risk Advisory Template More

Advisory-SVG-2012-4600



** WHITE information - Unlimited distribution allowed                       **  

** see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions **


EGI SVG   ADVISORY [EGI-SVG-2012-4600] 

Title:       EGI SVG Advisory 'High' Risk - EMI-2 dcache-srmclient contains world writable files

Date:        2012-11-14
Updated:     2012-11-21 


Introduction
============

A problem has been found with the EMI-2 dcache-srmclient, it contains world
writable executable files.

This allows a malicious user to inject arbitrary code which may be executed by 
another user calling these libraries, with the privileges of the user calling these libraries. 

This problem has been fixed and sites are recommended to update relevant 
components as soon as possible. 



Details
=======

A problem has been found with the EMI-2 dcache-srmclient, it contains world
writable executable files.  This allows a malicious user to inject arbitrary 
code which may be executed by another user calling these libraries, with the 
privileges of the user calling these libraries. 

As far as we can ascertain, it is not possible to inject code which may get
executed as root, and the vulnerability is only exploitable by an authorized 
user. 

The User Interface (UI) and the Worker Nodes (WN) running EMI 2 or UMD 2 software 
contain this vulnerability. 

Sites are recommended to update relevant components as soon as possible.



Risk category
=============

This issue has been assessed as 'High'  risk by the EGI SVG Risk Assessment 
Team. 

Affected software
=================

 dcache-srmclient-2.1.1-1 is the affected piece of software. 

 Both the sl5 and sl6 versions in both EMI 2 and UMD 2 are affected.


 The issue is fixed in version 
dcache-srmclient-2.2.4-2.el5.x86_64.rpm


Component installation information
==================================

The official repository for the distribution of grid middleware for EGI sites is 
repository.egi.eu which contains the EGI Unified Middleware Distribution (UMD).

Sites using the EGI UMD should see:

http://repository.egi.eu/category/umd_releases/distribution/umd-2/

Update UMD-2.2.2



Sites installing directly from EMI should see:

http://www.eu-emi.eu/emi-2-matterhorn/updates/

(update 5)



Recommendations
===============

Sites who have installed EMI 2 or UMD 2 version of the dcache client are 
recommended to immediately update their software. 
 

Other information
=================

Unfortunately, this problem was found after sites were asked to migrate 
to this software. Hence it has been fixed as an emergency release. 

The advisory made public at 
https://wiki.egi.eu/wiki/SVG:Advisory-SVG-2012-4600
after sites have had been given 1 week to update (by agreement with CSIRT) 

 
Credit
======

This vulnerability was reported by John Green. 


Timeline  
========
Yyyy-mm-dd

2012-11-07 Vulnerability reported by John Green.  
2012-11-07 Acknowledgement from the EGI SVG to the reporter
2012-11-07 Software providers responded and involved in investigation
2012-11-12 Assessment by the EGI Software Vulnerability Group reported to the software providers
2012-11-14 Updated packages available in the EGI UMD and EMI distribution
2012-11-21 Public disclosure