Grid Security Vulnerability Group - Advisory

Topic: Inadequate certificate validation in Argus
Date: 2010-02-10
ID: Grid Vulnerability Savannah bug #59718

-- Background
Argus is the authorization system developed to provide consistent authorization decisions for distributed services in the Grid environment. (See reference below.)

-- Vulnerability Details
Argus does not verify that the X509 subject and FQANs present in the SAML/XACML request come from a valid certificate/proxy present in the same request.

-- Grid Security Vulnerability Group Response
The Grid Security Vulnerability Group considers this issue to be 'Low' risk, and recommends that all sites upgrade the relevant components.

-- Affected software and components
gLite-ARGUS 3.2.0

-- Component and Installation information for gLite 3.2
Installation instructions for gLite 3.2 are available at:
http://glite.org/glite/packages/R3.2/updates.asp

-- gLite 3.2 release number
gLite 3.2 update 10.

-- Precautionary measures or checks
N/A.

-- Other information
N/A.

-- Credit
This vulnerability was initially reported by Gianni Pucciani.

-- Disclosure Timeline
2009-11-27 Vulnerability reported by Gianni Pucciani
2009-11-30 Initial assessment by the Grid Security Vulnerability Group
2010-02-08 Updated gLite packages available
2010-02-10 Advisory drafted ready for disclosure
2010-04-15 Patch released as part of update 10 and advisory released

-- References
https://twiki.cern.ch/twiki/bin/view/EGEE/AuthorizationFramework

==========================================================================
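The check the advisory describes as missing, shown as an added example (this is not Argus' code and not the gLite fix; the request structure, names and CA setup are constructed for illustration): an authorization server must take the identity it decides on from a credential that chains to a trusted CA, and must refuse a request whose asserted subject differs from the subject that credential carries. The example uses plain end-entity X.509 certificates from Go's standard library; RFC 3820 proxy certificates and the VOMS attribute certificates that carry FQANs are out of scope here, but the same rule applies to them: FQANs are taken from the verified credential, never from the request's own assertion.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// AuthzRequest is a constructed stand-in for the identity material a SAML/XACML
// request carries: the subject DN the caller asserts and the PEM credential sent with it.
type AuthzRequest struct {
	AssertedSubject string
	CertPEM         []byte
}

// newCert issues a short-lived ECDSA certificate; self-signed when isCA is true,
// otherwise signed by parent. Test fixture only, not a production issuer.
func newCert(subject pkix.Name, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               subject,
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	}
	signer, signKey := tmpl, key
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		signer, signKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

func toPEM(cert *x509.Certificate) []byte {
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: cert.Raw})
}

// verifyRequest accepts a request only if (1) the credential it carries chains to a
// trusted CA and (2) the subject the request asserts is the one that credential holds.
func verifyRequest(req AuthzRequest, roots *x509.CertPool) error {
	block, _ := pem.Decode(req.CertPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return errors.New("request carries no PEM certificate")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return err
	}
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("credential does not chain to a trusted CA: %w", err)
	}
	if got := cert.Subject.String(); got != req.AssertedSubject {
		return fmt.Errorf("asserted subject %q != credential subject %q", req.AssertedSubject, got)
	}
	return nil
}

// buildScenario constructs a trusted CA and three requests: one consistent, one asserting
// a subject its credential does not carry, and one whose credential comes from an unknown CA.
func buildScenario() (roots *x509.CertPool, ok, forged, untrusted AuthzRequest, err error) {
	ca, caKey, err := newCert(pkix.Name{CommonName: "Example Grid CA", Organization: []string{"Example Grid"}}, true, nil, nil)
	if err != nil {
		return
	}
	alice, _, err := newCert(pkix.Name{CommonName: "alice", Organization: []string{"Example Grid"}}, false, ca, caKey)
	if err != nil {
		return
	}
	rogueCA, rogueKey, err := newCert(pkix.Name{CommonName: "Unknown CA"}, true, nil, nil)
	if err != nil {
		return
	}
	other, _, err := newCert(pkix.Name{CommonName: "admin", Organization: []string{"Example Grid"}}, false, rogueCA, rogueKey)
	if err != nil {
		return
	}
	roots = x509.NewCertPool()
	roots.AddCert(ca)
	ok = AuthzRequest{AssertedSubject: alice.Subject.String(), CertPEM: toPEM(alice)}
	forged = AuthzRequest{AssertedSubject: "CN=admin,O=Example Grid", CertPEM: toPEM(alice)}
	untrusted = AuthzRequest{AssertedSubject: other.Subject.String(), CertPEM: toPEM(other)}
	return
}

func main() {
	roots, ok, forged, untrusted, err := buildScenario()
	if err != nil {
		panic(err)
	}
	for name, req := range map[string]AuthzRequest{"consistent": ok, "forged subject": forged, "untrusted CA": untrusted} {
		fmt.Printf("%-15s -> %v\n", name, verifyRequest(req, roots))
	}
}
```

Only the first request passes; the second fails on the subject comparison even though its certificate is perfectly valid, which is exactly the case the advisory is about, and the third fails before the subject is even looked at because the credential is not trusted. The order matters: compare the asserted identity against the credential only after the credential itself has been verified, so that an attacker cannot make the comparison succeed by supplying a credential of their own choosing.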