Grid Security Vulnerability Group - Advisory

-- Topic:          Argus banning by CA does not work.
-- Date:           2010-02-18
-- ID:	           Grid Vulnerability Savannah bug #55971

-- Background

The Argus is the Authorization System developed to provide consistent authorization decisions for
 distributed services in the Grid Environemnt.  (See reference below)


-- Vulnerability Details

Banning members of certain Certificate Authorities (CAs) by the Authorization service is defined
as part of the functionaility of the Argus authorization system. However, it does not work.

-- Grid Security Vulnerability Group Response

The Grid Security Vulnerability Group considers this issue to be 'Low' risk, and
recommends that all sites upgrade the relevant components. 


-- Affected software and components

gLite-ARGUS 3.2.1 and gLite-ARGUS 3.2.0


-- Component and Installation information for gLite 3.2

Installation instructions for gLite 3.2 are available at: 

http://glite.org/glite/packages/R3.2/updates.asp 


-- gLite 3.2 release number 

gLite 3.2 update 10


-- Precautionary measures or checks


-- Other information

The functionality to ban users from a particular  CA by the Authorization service was not 
present prior to use of Argus, as far as the GSVG is aware no sites are yet using this. 

-- Credit

This vulnerability was initially reported by Gianni Pucciani

-- Disclosure Timeline
Yyyy-mm-dd

2009-09-23 Vulnerability reported by Gianni Pucciani
2009-10-14 Initial assessment by the Grid Security Vulnerability Group
2010-04-15 Updated gLite packages available
2010-04-15 Public disclosure

-- References
 If applicable
==========================================================================