Grid Security Vulnerability Group - Advisory

Topic: Issues from PSNC review of gLexec

Date: 2010-03-26

ID: Grid Vulnerability Savannah bug #57604 + others (gLite issue 58056)

-- Background

gLExec is a middleware component used in the verification and authorization of grid credentials on whose behalf associated jobs or tasks should be run. gLExec is normally deployed in setuid-root mode so that it can map a given credential (proxy) to an appropriate local account. gLExec is used by the CREAM Computing Element to submit jobs to the batch system with the correct local identities. On a Worker Node, gLExec may be available to configured sets of local accounts that should correspond to privileged members of VOs that employ multi-user pilot job frameworks. Such a pilot job downloads a task from a central task queue, along with a valid proxy for the user who submitted the task; gLExec is then used to run the task under a different local account corresponding to the given proxy. gLExec may also refuse a proxy, e.g. when the user concerned is banned.

-- Vulnerability Details

The Poznan Supercomputing and Networking Center (PSNC) carried out a review of gLExec and found the issues below relating to the way gLExec is coded. Each was entered as a separate vulnerability in Savannah; however, we have included them in 1 advisory rather than 11.
The following 9 are all resolved by the latest patch:

Savannah bug #57604 Insufficient verification of strdup() return values
Savannah bug #57607 Insufficient verification of malloc() return values
Savannah bug #57609 Insufficient verification of glexec_getpwname() return values
Savannah bug #57610 Insufficient verification of glexec_getpwuid() return values
Savannah bug #57612 Potential race condition for opened files
Savannah bug #57614 Memory leaks in specific situations
Savannah bug #57616 Resource leaks in specific situations
Savannah bug #57617 Lack of verifying getenv() return value
Savannah bug #57624 Potentially dangerous convention of treating (v)snprintf return value

The following will be fixed at a later date:

Savannah bug #57623 Potentially insufficient configuration file contents filtering

-- Grid Security Vulnerability Group Response

The Grid Security Vulnerability Group considers all these issues to be 'Low' risk and recommends that all sites upgrade the relevant components.

Savannah bug #57619 "Potentially insufficient command line input filtering": the Grid Security Vulnerability Group agrees with the developers that this issue is low risk; no specific exploit has been found and it is not reasonable to fix it. Therefore it will be closed as 'won't fix'.

-- Affected software and components

gLExec 0.6.8-3 and earlier

-- Component and Installation information for gLite 3.2

Installation instructions for gLite 3.2 are available at:
http://glite.org/glite/packages/R3.2/updates.asp
http://glite.web.cern.ch/glite/packages/R3.2/x86_64/updates.asp

-- gLite 3.2 release number

gLite 3.2 update 10

-- Installation information provided by 3rd party

N/A

-- Other information

Regarding Savannah bug #57623 (Potentially insufficient configuration file contents filtering), the development team is planning to rework the configuration file reading/parsing code in the next release, after which this issue should be solved. This is fixed in gLExec 0.7.0-1.
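As an added illustration of the defensive patterns behind several of the issues listed above (it is not gLExec's own code), the following C helpers check strdup() and getenv() return values and handle the (v)snprintf return value correctly: it reports the length the output would have had, not the bytes written, so it must be compared against the remaining space before being used to advance an offset. The buffer sizes and the GLEXEC_EXAMPLE_* variable names are assumptions for the example.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Append formatted text at *off in buf[bufsz]. Returns 0 on success,
 * -1 on truncation or formatting error. vsnprintf returns the length
 * the full string WOULD have had, so that value is only added to the
 * offset once it is known to fit; otherwise the offset would run past
 * the end of the buffer on the next append. */
static int safe_append(char *buf, size_t bufsz, size_t *off, const char *fmt, ...)
{
    va_list ap;
    int n;
    if (buf == NULL || off == NULL || *off >= bufsz)
        return -1;
    va_start(ap, fmt);
    n = vsnprintf(buf + *off, bufsz - *off, fmt, ap);
    va_end(ap);
    if (n < 0)
        return -1;                 /* encoding/format error */
    if ((size_t)n >= bufsz - *off) {
        buf[bufsz - 1] = '\0';     /* output was truncated: report it */
        return -1;
    }
    *off += (size_t)n;
    return 0;
}

/* strdup() wrapper that never hides an allocation failure: *failed is
 * set so a setuid helper can abort the whole request rather than
 * continue with a NULL pointer. */
static char *checked_strdup(const char *s, int *failed)
{
    char *copy;
    if (s == NULL) { *failed = 1; return NULL; }
    copy = strdup(s);
    if (copy == NULL) *failed = 1;
    return copy;
}

/* Build "user=<value>" from an environment variable (name is an
 * example parameter), treating an unset variable as an error instead
 * of passing NULL on to the formatting code. */
static int user_from_env(const char *var, char *out, size_t outsz)
{
    const char *val = getenv(var);
    size_t off = 0;
    if (val == NULL)
        return -1;
    return safe_append(out, outsz, &off, "user=%s", val);
}
```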
-- Credit

These vulnerabilities were initially reported by Gerard Frankowski as a result of a review of gLExec carried out by the Poznan Supercomputing and Networking Center (PSNC) security team.

-- Disclosure Timeline

Yyyy-mm-dd
2009-10-26 Vulnerabilities reported by Gerard Frankowski from PSNC
2009-11-02 Initial assessment by the Grid Security Vulnerability Group
2010-04-15 Updated gLite packages available
2010-04-15 Public disclosure

-- References

If applicable

==========================================================================