===========================================================================
Grid Software Vulnerability Group Security Advisory

-- Topic: Possible untraceable dCache data access/destruction

-- Date: updated 2009-06-11, further update 2010-07-21

-- Background

dCache is one of the Mass Storage Systems commonly used in EGEE
production environments [1].

-- Affected Software

gLite 3.1.0

-- Affected Components

dCache 1.7.x, 1.8.x

Previous versions of the above packages are also affected.

-- Vulnerability Details

There is a vulnerability within dCache internal communication which
might lead to data corruption, destruction or theft.

-- Grid Security Vulnerability Group Response

The Grid Security Vulnerability Group originally considered this to be a
'high' risk issue and set a Target Date for resolution that has since
passed.

OSCT were informed of this issue in January 2007, along with
recommendations for how to avoid this being exploitable.

A release was made in March 2007, but on closer examination this release
does not solve the problem; it only mitigates it.

This problem will be fully solved in a later version by migrating to
Chimera to handle the namespace information in dCache and by the use of
NFS4.1.

At present, a version of dCache is available which uses Chimera and
NFS3.0. This does not fully resolve the NFS problem, but it is more
secure than previous versions.

Therefore, the Grid Security Vulnerability Group recommends that sites
migrate to the newer version, which uses Chimera to handle the namespace
information, if they have not done so already. This is also good
preparation for the final version using NFS4.1, which is fully secure.

This is not a matter of simply installing a patch, but of following a
procedure which is available at reference [2].

-- Installation Notes

See references.

Updated 2010-07-21

The updated version of dCache is now available as part of gLite 3.2
update 15; see
http://glite.web.cern.ch/glite/packages/R3.2/sl5_x86_64/updates.asp

-- Precautionary measures or checks

It is strongly recommended that sites run NFS outside their dCache
cluster, and do not allow access to NFS.

It is recommended that sites do not mount PNFS or Chimera on the worker
node, but if they do, then using Chimera reduces the problems
considerably. PNFS used predictable sequential inode numbers; Chimera
does not use predictable sequential inode numbers.

Comment added 2010-07-21

This situation has not changed - the only change is that an updated
version is available from gLite.

This was the mitigating action recommended previously:

As a precautionary measure, sites are advised to upgrade to dCache-1.7.0
or above, and set the following firewall rules:

- on the dCache server nodes block traffic to UDP port 2049, except if
  originating from a port < 1024 on localhost or one of the dCache
  server nodes themselves

Now, sites should migrate to Chimera if they have not done so already.

-- Other information

We are aware that most sysadmins know about this issue anyway, and have
configured their firewalls appropriately.

It should not be possible to exploit this issue, provided dCache is
deployed in the correct manner.

-- Credit

This vulnerability was initially reported by Stephen Burke

-- Disclosure Timeline

Yyyy-mm-dd

2006-03-17 Vulnerability reported by Stephen Burke
2006-10-02 Grid Security Vulnerability Group investigation following
           the EGEE-II process.
2006-12-07 Advisory produced by GSVG
2006-12-21 dCache team (Patrick Fuhrmann) and Ian Bird suggest advisory
           in absence of full resolution.
2007-01-18 Advisory to OSCT drafted
2007-03-14 dCache 1.7 in production
2007-06-21 Updated advisory to OSCT drafted, as the problem is only
           mitigated in dCache 1.7
2007-07-03 Revised Updated advisory sent to OSCT
2009-05-12 Advisory updated to recommend migrating to Chimera to handle
           namespace information for dCache.
2009-06-18 Revised advisory sent to OSCT
2010-07-21 Updated advisory to state that a more secure version is
           available from within gLite.
2010-07-21 Public disclosure

-- References

[1] dCache home page: http://www.dcache.org/index.shtml

[2] Migration to chimera:
    http://trac.dcache.org/projects/dcache/wiki/pnfsDump2MigratePnfs2Chimera

==========================================================================
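
Added example, not part of the GSVG advisory: one way to express the
UDP port 2049 mitigation from "Precautionary measures or checks" as
iptables rules for a dCache server node. It assumes Linux iptables and
IPv4; the chain name DCACHE-NFS and the 192.0.2.x node addresses are
constructed placeholders, and the function only prints the commands so
they can be reviewed before being applied.

```shell
#!/bin/sh
# Added example (not from the advisory): print iptables commands that
# implement the advisory's UDP 2049 mitigation on one dCache server node.
# Assumptions: Linux iptables, IPv4, hypothetical chain name DCACHE-NFS.

# Return 0 if $1 is a dotted-quad IPv4 address with octets 0-255.
is_ipv4() {
    case "$1" in
        *[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print the rule set for the given dCache server node addresses.
# Validates every address first, so a typo never yields a partial rule set.
dcache_nfs_rules() {
    [ "$#" -ge 1 ] || { echo "usage: dcache_nfs_rules NODE_IP..." >&2; return 2; }
    for node in "$@"; do
        is_ipv4 "$node" || { echo "bad address: $node" >&2; return 1; }
    done
    echo "iptables -N DCACHE-NFS"
    # Allow only privileged source ports (< 1024) from localhost and the nodes.
    for src in 127.0.0.1 "$@"; do
        echo "iptables -A DCACHE-NFS -p udp -s $src --sport 0:1023 -j ACCEPT"
    done
    # Everything else aimed at UDP 2049 is dropped.
    echo "iptables -A DCACHE-NFS -j DROP"
    # Hook the chain in last and at the top of INPUT, so no earlier ACCEPT wins.
    echo "iptables -I INPUT 1 -p udp --dport 2049 -j DCACHE-NFS"
}

# Constructed sample: two dCache server nodes in the documentation range.
dcache_nfs_rules 192.0.2.10 192.0.2.11
```

The source-port test only distinguishes privileged from unprivileged
senders on hosts the site controls, which is why the advisory treats
this as a mitigation and recommends the Chimera migration.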