Since Monday morning, Nov. 16, Fermilab has switched to a new KCA (Kerberos Certificate Authority) server. The old KCA server will be dropped from the IGTF CA distribution bundle on Dec 1, 2009. Because the new server has a different public/private key pair, certificates issued by the old KCA will not be valid.
Site security contacts do not need to take any additional steps; a new bundle will be fetched automatically by your gatekeeper (if you have enabled the cron jobs for fetching certificates -- see https://twiki.grid.iu.edu/bin/view/ReleaseDocumentation/ComputeElementInstall#Install_the_CA_Certificate_Updat)
If you run web servers that use the Fermi KCA for authentication, please follow:
http://security.fnal.gov/pki/new2kcafaq.html#1_16
which explains how to properly update the web servers to accept the new certificates.
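The following check is an added example, not part of the OSG notice or any Fermilab tooling. It builds two local CAs with the same subject name (an assumption made for the demo; the real KCA names are not given here) but different key pairs, mirroring a CA whose key pair was replaced, and shows that a user certificate signed by the old key is rejected by a trust store that holds only the new CA, which is exactly what a server that has not updated its CA bundle will see in reverse.

```shell
#!/bin/sh
# Constructed demo: same CA subject, two different key pairs (old vs new).
set -e
command -v openssl >/dev/null || { echo "openssl not found" >&2; exit 1; }
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
# Constructed subject; not the real Fermi KCA distinguished name.
CA_SUBJ="/DC=org/DC=example/O=Example Lab/CN=Example KCA"

make_ca() {  # $1 = CA name; self-signed certificate with a fresh key pair
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -sha256 \
    -subj "$CA_SUBJ" -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

issue_user_cert() {  # $1 = issuing CA name, $2 = output name
  openssl req -newkey rsa:2048 -nodes -subj "/DC=org/DC=example/CN=alice" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" \
    -CAcreateserial -days 7 -sha256 -out "$WORK/$2.pem" 2>/dev/null
}

# Exit status 0 only if certificate $1 chains to the trust store $2.
verify_against() { openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; }

ca_subject() { openssl x509 -in "$1" -noout -subject; }

# SHA-256 over the DER-encoded public key: tells the two CAs apart even
# though their subject names are identical.
ca_key_fingerprint() {
  openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 | awk '{print $NF}'
}

make_ca old_kca
make_ca new_kca
issue_user_cert old_kca alice_old
issue_user_cert new_kca alice_new

echo "CA subject (both):       $(ca_subject "$WORK/new_kca.pem")"
echo "old KCA key fingerprint: $(ca_key_fingerprint "$WORK/old_kca.pem")"
echo "new KCA key fingerprint: $(ca_key_fingerprint "$WORK/new_kca.pem")"
for c in alice_old alice_new; do
  if verify_against "$WORK/$c.pem" "$WORK/new_kca.pem"; then
    echo "$c: accepted by a trust store holding only the new KCA"
  else
    echo "$c: REJECTED by a trust store holding only the new KCA"
  fi
done
```

The same comparison, run against the CA files in a gatekeeper's certificate directory, tells an admin whether the bundle actually contains the new KCA key rather than just a certificate with the expected name.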
VO security contacts: if your users rely on certificates issued by the Fermi KCA, you may get some questions from them. There are basically two types of things that can go wrong:
1) Users may experience problems getting certificates.
In most cases this is because the client software on their desktops that requests the certificates has not been updated to talk to the new KCA software. Please direct users to the web page:
http://computing.fnal.gov/xms/Services/Getting_Services/Certificates/Certificate_Client_Update_Instructions
which explains how to make sure their client software is properly updated. Users can go to the web page:
http://security.fnal.gov/pki/browsercerttest.html
to check whether or not they have a certificate (and whether it is one of the newly issued certificates).
2) Users may have no problem getting certificates but discover that the certificates do not let them access services they were formerly able to access. In most cases this is because the service admin (typically not the user making the complaint) has not properly updated their servers to recognize the newly issued certificates. On grid machines with automated cert updates enabled, this should not be an issue. If the problem persists, please open a ticket with the OSG GOC.
For any other problems, please urge your users to either submit a ticket to the OSG GOC or call the Fermilab Service Desk directly. Contacting the Fermilab Service Desk may speed up the process.
Regards,
OSG Security Team
Tuesday, November 17, 2009
Monday, November 9, 2009
OSG-SEC-2009-11-09
Another Linux kernel vulnerability has been discovered that could lead to a local root exploit. This refers to CVE-2009-3547, and proof-of-concept code has already been released. Security team contacts can view the information in the following security notification ticket:
https://ticket.grid.iu.edu/goc/viewer?id=7720
If there are any questions on this notification ticket please contact the OSG security team.
OpenSSL vulnerability has been announced
This is a notice that a recent vulnerability has been discovered in the
OpenSSL protocol. The vulnerability is a man-in-the-middle attack upon
renegotiation of an SSL session and a good summary of the problem can
be found at:
http://www.theregister.co.uk/2009/11/05/serious_ssl_bug/
http://www.sslshopper.com/article-ssl-and-tls-renegotiation-vulnerability-discovered.html
For more technical details you can look at:
http://www.tombom.co.uk/blog/?p=85
http://extendedsubset.com/?p=8
http://www.links.org/?p=780
http://www.links.org/?p=786
The OSG security team has been following this announcement, and you can find additional information at:
https://ticket.grid.iu.edu/goc/viewer?id=7714
Monday, November 2, 2009
OSG-SEC-2009-10-19
Active exploitation of kernel vulnerabilities has resulted in a security announcement to all OSG security contacts. Security team contacts can view the information in the following security notification ticket:
https://ticket.grid.iu.edu/goc/viewer?id=7640
If there are any questions on this notification ticket please contact the OSG security team.