SVG:Advisory-SVG-2014-7749

From EGIWiki
Jump to: navigation, search
Main page Software Security Checklist Issue Handling Advisories Notes On Risk Advisory Template More

Advisory-SVG-2014-7749


** WHITE information - Unlimited distribution                               **  

** see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions **

EGI SVG ADVISORY [EGI-SVG-2014-7749] 

Title:       EGI SVG Advisory 'High' risk  - Unicore command injection vulnerability 

 [EGI-SVG-2014-7749]

Date:         2015-02-25 
Updated:     

This advisory will be placed on the wiki on or after 2015-03-11

URL:         https://wiki.egi.eu/wiki/SVG:Advisory-SVG-2014-7749

Introduction
============

The UNICORE TSI service [R 1] was found to be vulnerable to a command injection attack by an 
authenticated user. A further vulnerability was found in UNICORE/X

This is most serious in the deployment scenario where UNICORE/X and TSI are on same host as it 
means that an authenticated user could gain control over the TSI and have access to all user data. 

This vulnerability has been fixed in the version of UNICORE available in EGI UMD 3. 


Details
=======

UNICORE TSI service [R 1] is prone to OS command injection attack. An attacker can use a 
UNICORE client (URC or UCC) to inject arbitrary commands into the UNICORE TSI host. 
In some configurations (for example, as used in NGI_PL) user logins into the TSI host and 
user command execution on the TSI host are not allowed, so this scenario should be 
considered a privilege escalation.

In case that the TSI is operating on the same host as UNICORE/X, this attack can be further escalated. 
Since UNICORE/X uses an unprivileged listen port for the communication with the TSI, an attacker with 
access to shell account can wait until UNICORE/X will be restarted to bind to this port and pretending 
being UNICORE/X he/she can submit job to target system with arbitrary user identity. 
The attacker has also a very direct option to shut down UNICORE/X: using the Linux kernel OOM Killer [R 2]. 

There are two vulnerabilities then: in UNICORE/TSI(1) and UNICORE/X(2) that can together lead to serious 
privilege escalation.

Risk category
=============

This issue has been assessed as 'High' risk by the EGI SVG Risk Assessment Team.  


Affected software
=================

UNICORE/X UNICORE TSI prior to 7.2.0 

This is fixed in version 7.2.0.  Earlier versions are likely to be vulnerable.

Mitigation
==========

Mitigation is possible, however it is easier and simpler to update relevant 

components. 


Component installation information
==================================

The official repository for the distribution of grid middleware for EGI sites is repository.egi.eu 
which contains the EGI Unified Middleware Distribution (UMD).
 
Sites using the EGI UMD 3 should see:

http://repository.egi.eu/category/umd_releases/distribution/umd-3/

Updated versions of UNICORE/X and UNICORE TSI are available in the UMD 3.11.0  
http://repository.egi.eu/2015/02/16/release-umd-3-11-0/


Sites who wish to install directly from the EMI release should see: 

http://www.eu-emi.eu/releases/emi-3-monte-bianco/updates/


Recommendations
===============

Sites are recommended to update relevant components, urgently if they run UNICORE/X and TSI on same host. 


Credit
======

This vulnerability was reported by Bartlomiej Balcerek  


References
==========

[R 1] https://www.unicore.eu/documentation/manuals/unicore6/files/tsi/tsi-manual.pdf
[R 2] https://www.kernel.org/doc/gorman/html/understand/understand016.html

Timeline
========
Yyyy-mm-dd

2014-12-04 Vulnerability reported by Bartlomiej Balcerek
2014-12-04 Acknowledgement from the EGI SVG to the reporter
2014-12-04 Software providers responded and involved in investigation
2014-12-10 Assessment by the EGI Software Vulnerability Group reported to the software providers
2015-02-16 Updated packages available in the EGI UMD. 
2015-02-25 Advisory sent to sites
2015-03-31 Public disclosure