Grid Software Vulnerability Group Security Advisory

Topic: LCAS/LCMAPS vulnerability affecting Condor CE

Date: 2008-04-22, updated 2008-12-01, further updated 2009-10-12, further updated 2010-03-03

ID: Grid Vulnerability Savannah bug #35858, also #54623

--
Background

LCAS (Local Centre Authorization Service) and LCMAPS (Local Credential Mapping Service) are libraries used by various gLite services, in particular the lcg-CE and glite-CREAM, to implement policies for client authorization and mapping onto UNIX accounts.

--
Affected software

gLite 3.1 lcg-CE, glite-CREAM and glite-WN instances on which Condor is or was (!) used as batch system.

--
Vulnerability Details

The LCAS and LCMAPS libraries contain RPATH directives referring to the area where the libraries have been built. The build system is based on a standard Condor installation and a basic build procedure is a Condor job. Therefore the path to a build area turns out to look like this:

    /home/condor/execute/dir_29275/userdir/.....

A standard Condor installation will have /home/condor/execute world-writable, allowing a malicious user to create the exact path that was used to build an LCAS or LCMAPS library and to install a rogue library replacing an LCAS or LCMAPS plugin used by the gatekeeper, gridftpd or glite-CREAM services.

================================================================
========== FURTHER INFORMATION ADDED 2009-10-12 ==========
================================================================

The vulnerability has affected most of the gLite rpms built by the ETICS build system, as well as rpms obtained from the VDT project (e.g. Globus). This means that the glite-WN may also be affected when Condor is (or was) used as the batch system: if a world-writable /home/condor/execute directory is present, one malicious job could create a Trojan horse for another job to execute later.

If such a glite-WN also has the glite-GLEXEC_wn package installed and the "glexec" executable has been configured setuid root, a malicious job could obtain root privileges on that WN.

--
Grid Security Vulnerability Group Response From 2008-12-01

The Grid Security Vulnerability Group considers this issue to be 'High' risk and recommends that all sites upgrade the relevant components.

Note that soon after the problem was discovered, only 1 site within EGEE was found to have the configuration which allows this issue to be exploited. This site was informed of the problem and an operational work-around. In case other sites are now affected, we recommend upgrading.

================================================================
========== FURTHER INFORMATION ADDED 2009-10-12 ==========
================================================================

This vulnerability has been re-introduced, entered as issue 54623. A patch for all potentially affected node types is not yet available.

================================================================
========== FURTHER INFORMATION ADDED 2010-03-03 ==========
================================================================

The problem has been resolved in that all currently released software has been re-built since ETICS was fixed.

--
Component and Installation information

Information on affected software, components and installation instructions is available with the release notes at:

    http://glite.org/glite/packages/R3.1/updates.asp

--
Release

gLite 3.1 and 3.2. Note that no patch is available at present.

--
Precautionary measures or checks

The Grid Security Vulnerability Group has observed that on lcg-CE instances running a standard Condor installation the world-writable /home/condor/execute directory actually is not used by the system, and therefore strongly recommends the following measure to be taken on such lcg-CE instances:

    chmod o-rwx /home/condor/execute

================================================================
========== FURTHER INFORMATION ADDED 2009-10-12 ==========
================================================================

The current software version has this problem re-introduced on a wider scale, and patches are not yet available. Therefore this chmod command should be carried out on nodes where a world-writable /home/condor/execute is present. Note that Condor 7.0.2 or later no longer requires the "execute" directory to be world-writable. Condor can also be told to use a different $(EXECUTE) directory.

--
Other information

================================================================
========== FURTHER INFORMATION ADDED 2009-10-12 ==========
================================================================

The problem is reported as having been re-introduced by the ETICS system no longer stripping RPATHs. It has not proved possible to produce re-builds and certify them in time for the target date; therefore we decided to inform OSCT so that any vulnerable sites may take operational action. Only a very small number of sites are potentially vulnerable, as there are very few sites that currently use or did use Condor as batch system. Some of the sites installed Condor in a different location or already prevented access to /home/condor/execute.

One lcg-CE was found to be vulnerable: Condor is present, but not currently advertised as its batch system. One other site was found to have a vulnerable WN.

================================================================
========== FURTHER INFORMATION ADDED 2010-03-03 ==========
================================================================

All software in the current release has since been re-built; therefore the problem does not exist in the current version.

--
Credit

This vulnerability was initially reported by Gergely Debreczeni.

--
Disclosure Timeline

2008-04-18 Vulnerability reported by Gergely Debreczeni
2008-04-21 Risk assessed as high
2008-04-21 Advisory drafted
2008-04-26 Only one EGEE site found to be affected; this site informed of work-around.
2008-11-14 Patch released
2008-11-30 Found that this had been released, however advisory not referred to.
2008-12-01 Advisory updated and released
2009-08-20 Problem found to be re-introduced in deployed version (savannah issue 54623)
2009-10-12 Advisory updated for the benefit of OSCT to ensure any sites vulnerable can take appropriate action.
2010-03-03 Advisory updated as all software has been re-built since the RPATH problem was re-introduced
==========================================================================
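An added check for the "Precautionary measures or checks" section, not part of the advisory or the gLite project: it reads the RPATH/RUNPATH entries compiled into a shared object with readelf and reports any entry that an unprivileged local user could create or take over, the condition that made /home/condor/execute dangerous. The permission rule it applies generalizes the page's single case (a world-writable deepest existing ancestor, or a world-writable non-sticky higher one); it assumes readelf (binutils) is installed and takes the LCAS/LCMAPS plugin paths as arguments.

```shell
#!/bin/sh
# Added check (not from the advisory): list the RPATH/RUNPATH directories
# compiled into a shared object and flag those an ordinary local user could
# create or take over, as with a world-writable /home/condor/execute.
# Assumes readelf (binutils); library paths are given as arguments.

# Print the deepest existing ancestor of $1 ($1 itself if it exists).
existing_ancestor() {
    p=$1
    while [ ! -e "$p" ] && [ "$p" != "/" ]; do p=$(dirname "$p"); done
    printf '%s\n' "$p"
}

# Succeed and print the offending directory if any local user can control
# $1. The deepest existing ancestor counts if world-writable at all (a new
# subdirectory can be created there even with the sticky bit); a higher one
# only if world-writable without the sticky bit, since another user's
# directory could then be renamed out of the way. Symlinks are not followed.
writable_ancestor() {
    case $1 in /*) p=$1 ;; *) p=$PWD/$1 ;; esac
    p=$(existing_ancestor "$p")
    deepest=1
    while :; do
        perms=$(ls -ld "$p" | cut -c1-10)      # e.g. drwxrwxrwt
        case "$deepest$perms" in
            1d???????w?|0d???????w[x-]) printf '%s\n' "$p"; return 0 ;;
        esac
        deepest=0
        [ "$p" = "/" ] && return 1
        p=$(dirname "$p")
    done
}

# Report each hijackable RPATH entry of one library; $ORIGIN is expanded
# to the library's own directory.
audit_library() {
    lib=$1
    origin=$(cd "$(dirname "$lib")" && pwd)
    readelf -d "$lib" 2>/dev/null | grep -E '\((RUN)?PATH\)' |
        sed 's/.*\[\(.*\)\].*/\1/' | tr ':' '\n' |
    while IFS= read -r dir; do
        [ -n "$dir" ] || continue
        dir=$(printf '%s\n' "$dir" | sed "s|\${ORIGIN}|$origin|g; s|\$ORIGIN|$origin|g")
        bad=$(writable_ancestor "$dir") &&
            printf '%s: RPATH entry %s is under world-writable %s\n' "$lib" "$dir" "$bad"
    done
}

for lib in "$@"; do audit_library "$lib"; done
```

Run it against the installed LCAS and LCMAPS plugin files; a library whose RPATH no longer exists is only safe if no local user can recreate it, which is exactly what the chmod in the advisory prevents.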