Grid Security Vulnerability Group - Advisory
--
Topic: Vulnerabilities found in gLexec by the University of Wisconsin Vulnerability assessment project - formerly Root exploit vulnerabilities in older versions of glexec + some more minor vulnerabilities.
--
Date: 2009-06-03, updated 2009-09-30, updated 2010-03-26
--
ID: Grid Vulnerability Savannah bug #51107
--
Background

Glexec is a middleware component used in the verification and authorization of grid credentials on whose behalf associated jobs or tasks should be run. Glexec is normally deployed in setuid-root mode, so that it can map a given credential (proxy) to an appropriate local account.

Glexec is used by the CREAM Computing Element to submit jobs to the batch system with the correct local identities.

On a Worker Node, glexec may be available to configured sets of local accounts that should correspond to privileged members of VOs that employ multi-user pilot job frameworks. Such a pilot job should download a task from a central task queue, along with a valid proxy for the user who submitted the task; glexec is then used to let the task run under a different local account corresponding to the given proxy. Glexec may also refuse a proxy, e.g. when the user concerned is banned.
--
Vulnerability Details

From 2009-06-08

The University of Wisconsin Vulnerability Assessment project has reviewed glexec and found 2 vulnerabilities (GLEXEC-2009-0002 and GLEXEC-2009-0004) which allow authorized users to gain root access. These vulnerabilities are present in glexec versions 0.5.35 or earlier. Later versions are not affected.

Added 2009-09-30

Information on the vulnerability assessment has now been made public. This includes 3 other vulnerabilities (GLEXEC-2009-0001, GLEXEC-2009-0003 and GLEXEC-2009-0005).

In the current version available in gLite, GLEXEC-2009-0003 does not apply, as is the case with GLEXEC-2009-0002 and GLEXEC-2009-0004.

GLEXEC-2009-0001 allows possible disruption to log files.

GLEXEC-2009-0005 can allow root access, but not if glexec is configured correctly.
--
Grid Security Vulnerability Group Response

From 2009-06-08 (Applied to GLEXEC-2009-0002 and GLEXEC-2009-0004)

The Grid Security Vulnerability Group considers these issues to be 'Extremely Critical' in the worst case. The issues are mitigated when the glexec "whitelist" is restricted to local accounts that only a few privileged members of VOs with pilot job frameworks can be mapped to.

The Grid Security Vulnerability Group recommends that all sites with glexec version 0.5.35 or earlier on their Worker Nodes upgrade glexec to version 0.5.36 or later urgently.

Added 2009-09-30

GLEXEC-2009-0001 is considered 'Low' Risk, and GLEXEC-2009-0005 is considered at most 'Moderate' because it is unlikely to be possible to exploit it.

We recommend that sites check their configuration, and continue to ensure that the glexec "whitelist" is restricted to local accounts that only a few privileged members of VOs with pilot job frameworks can be mapped to.
--
Releases (From 2009-06-08)

Sites may wish to upgrade just to version 0.5.36 in the short term, as this is the most conservative route.

Version 0.5.41 is the latest version compatible with the current OSG infrastructure. Later glexec versions depend on later versions of the LCAS and LCMAPS components invoked by glexec.
----
Component and Installation information for gLite 3.2

Installation instructions for gLite 3.2 are available at:

http://glite.org/glite/packages/R3.2/updates.asp
http://glite.web.cern.ch/glite/packages/R3.2/x86_64/updates.asp
--
gLite 3.2 release number

gLite 3.2 update 10
--
Precautionary measures or checks

It is recommended that sites additionally restrict their glexec whitelists to include only accounts to which privileged members of VOs with pilot job frameworks can be mapped.
--
Other information

From 2009-06-08

These vulnerabilities are present in version 0.5.35, but not in version 0.5.36 or later. The latest version that is compatible with the current OSG infrastructure is version 0.5.41.

When glexec is used in association with CREAM in the EGEE environment, the current default configuration is such that users (including members of VOs who are allowed to submit pilot jobs) cannot exploit this vulnerability.

Added 2009-09-30

It is expected that the 2 remaining problems will be fixed in the coming weeks.

Added 2010-03-26

gLExec version 0.7.0-1 has all the remaining problems fixed.
--
Credit

These vulnerabilities were initially reported by James Kupsch at the University of Wisconsin.
--
Disclosure Timeline Yyyy-mm-dd

2009-05-29 Vulnerability reported by James Kupsch
2009-06-03 Initial response from the Grid Security Vulnerability Group
2009-06-08 Advisory drafted to appropriate OSG sites and OSCT advising sites affected to update urgently.
2009-09-30 Updated to inform sites of more minor vulnerabilities which were found as part of this assessment and have been made public
2010-03-26 Updated as version ready for rollout with all remaining issues addressed.
2010-04-15 Public disclosure as all issues fixed by glite 3.2 update 10
--
References

glexec wiki is at:
https://twiki.cern.ch/twiki/bin/view/EGEE/GLExec

Full reports on the vulnerabilities are at:
http://www.cs.wisc.edu/mist/glexec/vuln_reports/

==========================================================================
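
Added example (not part of the original advisory or of glexec): a POSIX shell triage of installed glexec versions against the thresholds stated above, 0.5.35 or earlier being affected by GLEXEC-2009-0002 and GLEXEC-2009-0004, and 0.7.0-1 having all remaining problems fixed. The host names, the inventory format and the category labels are assumptions made for illustration, and the package release suffix is ignored when comparing.

```shell
#!/bin/sh
# Added example: triage glexec versions against this advisory's thresholds.
# Release suffixes ("-2") are ignored; only the upstream version is compared.

# ver_cmp A B: print -1, 0 or 1, comparing dotted versions field by field
# as integers (so 0.5.9 sorts before 0.5.36, unlike a string compare).
ver_cmp() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*} y=${b%%.*}
        if [ "$a" = "$x" ]; then a=; else a=${a#*.}; fi
        if [ "$b" = "$y" ]; then b=; else b=${b#*.}; fi
        if [ "${x:-0}" -lt "${y:-0}" ]; then echo -1; return; fi
        if [ "${x:-0}" -gt "${y:-0}" ]; then echo 1; return; fi
    done
    echo 0
}

# classify VERSION[-RELEASE]: map a version onto the advisory's categories.
classify() {
    v=${1%%-*}
    case $v in
        '' | *[!0-9.]* | .* | *. | *..*) echo unknown; return ;;
    esac
    if [ "$(ver_cmp "$v" 0.5.35)" -le 0 ]; then
        echo critical   # GLEXEC-2009-0002 / -0004 present: upgrade urgently
    elif [ "$(ver_cmp "$v" 0.7.0)" -lt 0 ]; then
        echo residual   # 0002/0004 fixed; remaining issues fixed in 0.7.0-1
    else
        echo fixed      # 0.7.0-1 or later: all reported issues fixed
    fi
}

# Constructed inventory ("host version-release"), e.g. gathered per node
# with the site's package manager; host names and values are made up.
INVENTORY='wn001 0.5.35-2
wn002 0.5.36-1
wn003 0.5.9-1
wn004 0.5.41-1
ce01 0.7.0-1
wn005 not-installed'

triage() {
    printf '%s\n' "$INVENTORY" | while read -r host ver; do
        echo "$host $ver $(classify "$ver")"
    done
}
triage
```

Hosts reported as "residual" are the ones where the whitelist restriction recommended above still matters most; "unknown" entries need a manual check.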