OSG Security News and Announcements

Java security updates released this week

2013-03-08T14:19:00.000-06:00

Oracle has released a new version of Java 6 and Java 7 in response to new vulnerabilities that allow malicious web sites to allow full access to systems when web browsers with Java enabled visit them.

This only affects client side use of Java, as in web start apps or the Java plugin in web browsers. It should not be exploitable by server side uses of Java.

As a precaution, however everyone is recommended to install the latest Java patches. Scientific Linux and Red hat have both released updated Java 6 and 7 packages. New packages for Mac and Windows systems are also available.

New Java Exploit in the Wild

2013-01-15T09:07:00.000-06:00

Last week a vulnerability was discovered in Java 7 that allowed compromised web sites to take control of computers visiting the site with a web browser with the Java plugin enabled. This has been reported to be actively exploiting systems in the wild.

The vulnerability seems to be specific to Java 7, and specifically the web browser plugin, so grid services do not seem to be vulnerable.

Oracle has released a new version of Java as of Sunday that should fix this vulnerability. It is recommended that people disable the Java browser plugin if its not needed until the update is installed.

Here's an article that has a good list of FAQs about this vulnerability:
https://krebsonsecurity.com/2013/01/what-you-need-to-know-about-the-java-exploit/

Ganglia Vulnerability

2012-07-31T14:53:00.000-05:00

There is a Ganglia vulnerability that potentially allows remote users to execute unauthorized scripts. This has been fixed in the EPEL Ganglia for EL6, and doesn't seem to affect the EPEL Ganglia for EL5.

sudo update

2012-07-17T10:57:00.002-05:00

An update for sudo was released yesterday which can prevent privilege escalation in certain situations.

Scientific Linux Updates

2012-07-10T13:06:00.000-05:00

Since Thursday there have been 31 Scientific Linux updates announced, mostly for SL6. The full list is here. Also, a local user privilege escalation bug fix for the SL6 kernel was announced a few weeks ago. Please upgrade as needed.

Kernel and GridEngine updates this week

2012-04-20T15:38:00.000-05:00

Kernel update for Red Hat and Scientific Linux

Red Hat and Scientific Linux have both released updated kernel packages to address a local denial of service vulnerability in the xfrm6_tunnel kernel module.
The redhat announcement is here.

Updates to Oracle Grid Engine

Oracle has released updates to Oracle Grid Engine to address two local privilege escalation vulnerabilities, one in the qrsh component and the other in sgepasswd.
Oracle advisory is here.

A Couple Noteworthy Security Updates

2012-04-06T18:26:00.000-05:00

Apple Update for Java

Apple has released an update for Java for Lion and Snow Leopard to address critical vulnerabilities that can lead to the compromise of systems using Java, especially in web browsers. Systems are being actively exploited in the wild. At this time, we have not yet received reports of infected Macs from OSG users, however reports estimate over 600,000 Macs have been compromised so far: [PC World Article]

Apple's original announcement is here: [Apple Announcement]

A good quick guide to checking if your Mac is infected is available here: [Lifehacker Article]

RHEL/SL Update for RPM

Red Hat and Scientific Linux have both released updated RPM packages to address an important vulnerability. It is possible for maliciously made rpm files to compromise a system before the rpm signature is checked. More information is available here: [Red Hat Announcement]

Moderate vulnerability in OpenSSL packages

2012-03-30T09:07:00.001-05:00

New OpenSSL packages have been released by Red Hat Enterprise Linux and Scientific Linux to address moderate level vulnerabilities that could be used for remote denial of service attacks and possibly decrypting encrypted messages.

More information is available at the links below:

2011-08-24T11:02:00.006-05:00

Thunderbird, FireFox and WebKit vulnerabilities fixed on Ubuntu and Fedora

Ubuntu has announced that security vulnerabilities affecting WebKit libraries have been fixed and users are encouraged to upgrade. The announcement can be found at http://www.ubuntu.com/usn/usn-1195-1/ If a user were tricked into viewing a malicious
website, a remote attacker could exploit a variety of issues related to web
browser security, including cross-site scripting attacks, denial of
service attacks, and arbitrary code execution. WebKit is a web content engine, derived from KHTML and KJS from KDE, and used primarily in Apple's Safari browser. It is made to be embedded in other applications, such as mail readers, or web browsers.

Fedora released a new version of FireFox and Thunderbird that fixes multiple security vulnerabilities. The details can be found at http://lists.fedoraproject.org/pipermail/package-announce/2011-August/064383.html

glibc vulnerability - privilege escalation

2011-05-20T14:39:00.004-05:00

This is an announcement that should have been posted when it was sent to the site security contact in April. Posting now to make sure it's included on the blog for everyone.

In coordination with the EGI CSIRT team.

Title: HIGH risk glibc vulnerability - privilege escalation
(CVE-2011-0536) [EGI-ADV-20110412]
Date: April 12, 2011
Last update: April 12, 2011
URL: https://wiki.egi.eu/wiki/EGI_CSIRT:Alerts/glibc-2011-04-12

Introduction
============

A flaw has been found in the dynamic linker component of the GNU
C library. A local attacker could use this flaw to escalate their
privileges via a setuid or setgid program which is dynamically linked
to a library with certain properties.

This vulnerability affects both RH5 and RH6 and their variants.

EGI CSIRT considers this to be a HIGH vulnerability for now and might
raise it to CRITICAL if a working exploit is made public

Details
=======

The fix for CVE-2010-3847 introduced a regression in the way the dynamic
loader expanded the $ORIGIN dynamic string token specified in the RPATH and
RUNPATH entries in the ELF library header. A local attacker could use this
flaw to escalate their privileges via a setuid or setgid program using
such a library. (CVE-2011-0536)

RH security team confirmed that reporter (of this vulnerability)
indicated an intention to make exploit public after waiting some time

to give users and downstream distros an opportunity to pick up the fix.

Mitigation
==========

The only known mitigation is to apply the security patch from the software
vendor.

Recommendations
===============

It is STRONGLY recommended to immediately apply vendor patches when they
become available.

Vendor patches are now available from

* Ubuntu
* Debian
* RHEL5/6
* SL5/6

To be released:

* CentOS5/6

References
==========
RedHat bugzilla:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-0536

RHEL5 update:
https://rhn.redhat.com/errata/RHSA-2011-0412.html

RHEL6 update:
https://rhn.redhat.com/errata/RHSA-2011-0413.html

SL5/6 update:
http://listserv.fnal.gov/scripts/wa.exe?A2=ind1104&L=scientific-linux-errata
&T=0&P=583

SLC5 update:
http://linux.web.cern.ch/linux/updates/updates-slc5.shtml

SLC6 update:
http://linux.web.cern.ch/linux/updates/updates-slc6.shtml

Debian update:
http://lists.debian.org/debian-security-announce/2011/msg00005.html

Ubuntu update:
https://lists.ubuntu.com/archives/ubuntu-security-announce/2011-January/0012
26.html

Regards,

Mingchao, EGI CSIRT security officer on duty

Various vulnerability notices and updates

2010-11-23T16:34:00.002-06:00

There is a vulnerability in the libsdp package which is used to enablean
application to communicate over the Infiniband SDP protocol instead of
ordinary TCP:

https://bugzilla.redhat.com/show_bug.cgi?id=647941

Sites that use infiniband will want to look at the measures in the
notification above.

Updated openssl packages that fix one security issue are now available for
Red Hat Enterprise Linux 6.

https://www.redhat.com/security/data/cve/CVE-2010-3864.html
https://rhn.redhat.com/errata/RHSA-2010-0888.html

Updated systemtap packages that fix two security issues are now available
for Red Hat Enterprise Linux 5 and 6.

https://rhn.redhat.com/errata/RHSA-2010-0894.html

There is a security vulnerability in PGP Desktop versions 10.0.3 and
earlier, as well as the upcoming 10.1 release. This vulnerability
may allow someone to spoof emails signed by the OSG security team.
For OSG users who use this version there is a knowledge base page,
as well as remediation steps at:

https://pgp.custhelp.com/app/answers/detail/a_id/2290

GNU libc vulnerability

2010-10-19T16:00:00.002-05:00

The OSG Security Team wants you to be aware of a vulnerability impacting the glibc library.

Introduction
============

Tavis Ormandy recently released information about a vulnerability in GNU libc, complete with an exploit that on many systems can give any local user root privileges. (For full details, see the link below in the References section.)

This vulnerability has been labelled CVE-2010-3847, and is present on many Linux distributions, including RHEL/CentOS/SL 5 (but *not* RHEL 3 and 4 and their derivatives). Vendor patches are not yet available.

Details
=======

As far as is known, the vulnerability can only be exploited if users can write to a file system that contains binaries with suid root permissions. (Since it is necessary for the attacker to create a hard link to a suid root binary.)

This is, for instance, the case if /bin is located on the same filesystem as /tmp (or any other user writable location, like /var/tmp, /home, /var/lib/texmf, and so on). This is unfortunately a common configuration.

Mitigation
==========

To make it impossible to make the required hard link, directories containing suid/sgid binaries can be made to appear to as separate file systems by doing

mount -o bind /sbin /sbin

for each such directory.

Please note that these commands must be re-run whenever the system is rebooted, for example by adding them to a suitable init script.

A baseline list of directories with suid/sgid binaries on a typical RHEL 5 system is:

/bin
/sbin
/usr/bin
/usr/libexec
/usr/lpp
/usr/sbin

You should check for any additional site specific locations using a command like

find / -type f $ -perm /u+s -o -perm /g+s $

that will list all files with suid/sgid permissions.

Recommendations
===============

Apply the mitigation method above for all relevant locations.

You may wish to suspend user logins and job submission until these steps have been taken; please refer to your local site policy.

Apply vendor updates as soon as they become available.

References
==========

[3]http://seclists.org/fulldisclosure/2010/Oct/257

The majority of this announcement was put together by Nuno Dias - EGI CSIRT

Linux Kernel "snd_ctl_new()" Integer Overflow Vulnerability SA41650

2010-09-29T17:51:00.002-05:00

From Secunia:
http://secunia.com/advisories/41650/
Description
A vulnerability has been reported in the Linux Kernel, which can be exploited by malicious, local users to cause a DoS (Denial of Service) or potentially gain escalated privileges.

The vulnerability is caused due to an integer overflow error when allocating memory within the "snd_ctl_new()" function in sound/core/control.c, which can be exploited to cause a heap-based buffer overflow.

Criticality: Less Critical

OSG Recommendation:
If you think your systems may have this vulnerability you can consider removing or limiting access to the sound (or audio) subsystem.

Kernel updates for CVE-2010-3081

2010-09-22T10:36:00.002-05:00

The OSG security team announced last week an important kernel vulnerabilitythat affected 64 bit systems (announcement OSG-SEC-2010-09-16). Most of the vendors have now come out with patched kernels and the OSG security team is encouraging all sites to update any kernels that are currently affected.

Here are the links or instructions to the patched kernels for the following OS versions:

RedHat
https://rhn.redhat.com/errata/RHSA-2010-0704.html

Fedora
https://admin.fedoraproject.org/updates/search/CVE-2010-3081

Scientific Linux
Dear SLC5 x86_64 (64 bit) platform users.
We have released in production a new SLC5 kernel addressing the locally exploitable security issue CVE-2010-3081. This kernel 2.6.18-194.11.4.el5 superseeds the "hotfix" kernel 2.6.18-194.11.3.el5.cve20103081 released last Thursday.

In order to protect your system please apply urgently following update by running as root:

# yum install kernel

and if your system is an Xen virtual machine or hypervisor also run:

# yum install kernel-xen

and reboot your system for the update to take effect.

Ubuntu
https://lists.ubuntu.com/archives/ubuntu-security-announce/2010-September/001159.html

SUSE
http://lists.opensuse.org/opensuse-security-announce/2010-09/msg00004.html

RedHat xorg-x11-server important security vulnerability

2010-04-29T18:08:00.003-05:00

An important vulnerability regarding RedHat xorg-x11-server has been reported. The vulnerability could lead to a root-level compromise. RedHat has classified the severity level as "important" and detailed information is available at https://rhn.redhat.com/errata/RHSA-2010-0382.html
Although the vulnerability is not likely to affect the grid environment, we recommend all site admins to apply the patch on their systems as soon as possible for their site's protection.

Make sure your service is getting updates of CA certificates

2010-03-18T16:09:00.010-05:00

We have received information about storage services which had failed data transfers (FTS and srm services) because the CA certificates package has not been updated and the old CA package has an expired CA and not the new CA certificate that replaced the expired one.
The best way to update the CA certificates is using vdt-update-certs. Read about this and other important CA certificates information at https://twiki.grid.iu.edu/bin/view/Security/CADistribution.

CRL update problems

2010-02-17T15:39:00.003-06:00

As you probably know, CRLs are a vital part of the x509 security model; they are the only way CAs can invalidate compromised, or otherwise revoked certificates. Every time a user credential is presented to Grid-aware software, the appropriate CRL is checked to make sure the credential was not revoked.

CRLs has expiration dates like everything else in the x509 world. A side effect of this is that if a CRL is not updated locally (by being downloaded from the CA site) before it expires, all credentials from that CA will be treated as invalid. So sites must download fresh updates frequently; the recommended policy in OSG is to do it once every 6 hours. The tool fetch-crl is used for the task.

Several OSG site admins have notified us that fetch-crl occasionally fails to download a CRL one or more CAs, and has asked up (the security team) for guidance on what to do in those events.

Ideally, we would like to debug each and every such event and make sure it is just a transient error, but given the distributed nature of the Grid this will not scale. OSG has hundreds of sites and there are hundreds of CAs, and problem is combinatorial. Unless such errors are very rare events, we need an alternative approach.

One possibility would be for OSG to centrally serve the CRLs from all the supported CAs; this would allow us to more easily track problems since we can separately debug CA and site problems, thus going from a quadratical to a linear problem. Of course we still want to allow sites to go directly to the CAs for the CRLs if they want, for example when they are supporting a CA that is not part of the official OSG CA distribution; but we offer only limited support in such cases anyhow.

However, the above solution is likely to create its own set of problems (still to be determined), so before we start any design and implementation effort we would like to know how important is to solve this for sites.

Right now we don't even have clear statistics on how often sites have problems with their CRLs, nor if the problems are due to specific CAs. So input from sites is highly desirable.

Changes in new version of OpenSSL

2010-01-21T15:14:00.003-06:00

This is an informational notice only, there is no current action that is needed to be taken for OSG sites.

This is a notice that OpenSSL 1.x is changing the way they name the certificate files in the trust anchor store (the certificate files for grid middleware are usually stored in the "/etc/grid-security/certificates/" directory).

Traditionally OpenSSL was using a MD5 hash for naming the certificate files (which would look something like 9ff26ea4.0). The new version has moved to using a SHA1 hash to create the certificate names. Installing the new openSSL version on a machine would mean that openSSL will NOT find the certificates installed in the trust stores due to different naming used by IGTF distribution. In short, the authentication on the installed machine will stop working. IGTF distribution has proposed changes which will fix this issue and a new distribution will be released once these changes have been completed.

If you have other concerns related to this, please let us know. We are also investigating how other pieces of our distribution may be affected by this change.

Using p12 files with user commands (grid-proxy-init and voms-proxy-init)

2009-12-18T15:05:00.007-06:00

Most of the Grid users have been generally instructed to convert the p12 certificate files they get from CA on their browser to pem format (i.e. usercert.pem and userkey.pem). This conversion requires the use of openssl command which could be challenge to a novice Grid user. Users are not required to do this any more. Client commands used by most OSG users (i.e. grid-proxy-init and voms-proxy-init) are capable of accepting p12 certificates. Here are some instructions of how they may be used

Make sure the p12 certificate has restrictive permissions (read-only by user i.e. 400)
Example invocations:

       voms-proxy-init -cert $HOME/.globus/mycert.p12 -key $HOME/.globus/mycert.p12 -voms myVO
       grid-proxy-init -cert $HOME/.globus/mycert.p12 -key $HOME/.globus/mycert.p12
The users can still continue using pem certificates, this post is designed to make users and VOs aware of an alternative that may remove some challenges experienced by our users and improve their overall experience of OSG.

New KCA (Kerberos certificate Authority) server

2009-11-17T11:48:00.002-06:00

Since Monday morning Nov. 16, Fermilab has switched to a new KCA (Kerberos certificate Authority) server. The old KCA server will be dropped from IGTF CA distribution bundle on Dec 1st of 2009. The new server has a different public/private key pair, certificates issued by old KCA will not be valid.

Site security contacts do not need to take any additional steps; a new bundle will be automatically fetched by your gatekeeper (if you enabled the cron jobs for fetching certificates -- see https://twiki.grid.iu.edu/bin/view/ReleaseDocumentation/ComputeElementInstall#Install_the_CA_Certificate_Updat)

If you run web servers that uses Fermi KCA for authentication, please follow:

http://security.fnal.gov/pki/new2kcafaq.html#1_16

which will explain how to properly update the web servers to accept the new certificates.

VO security contacts, if your users rely on certificates issued by Fermi KCA, you may get some questions from the users. There are basically two types of things that can go wrong:

1) Users may experience some problems in getting certificates.

In most cases this will be because the clients on their desktops which request the certificates have not been updated so that they can successfully talk to the new KCA software. Please direct users to the web page:

http://computing.fnal.gov/xms/Services/Getting_Services/Certificates/Certificate_Client_Update_Instructions

which explains how to make sure their client software is properly updated. Users can go to the web page:

http://security.fnal.gov/pki/browsercerttest.html

to check whether or not they have a certificate (and whether it is one of the newly issued certificates).

2) Users may have no problem getting certificates but discover that the certificates are not allowing them to access services that they were formerly able to access. In most cases this is because the service admin (typically not the user making the complaint) has not properly updated their servers to recognize the newly issued certificates. On grid machines that enabled automated cert updates, this should not be an issue. If problem persists, please open a ticket with OSG GOC.

For any other problems, please urge your users to either submit a ticket to OSG GOC or directly call Fermilab Service Desk. Contacting Fermilab Service Desk may speed up the process.

Regards,
OSG Security Team

OSG-SEC-2009-11-09

2009-11-09T15:39:00.003-06:00

Another linux kernel vulnerability has been discovered that could lead to a local root exploit. This is in reference to CVE-2009-3547, and there currently is proof-of-concept code that has been released. Security team contacts can view the information by looking at the following security notification ticket:

https://ticket.grid.iu.edu/goc/viewer?id=7720

If there are any questions on this notification ticket please contact the OSG security team.

OpenSSL vulnerability has been announced

2009-11-09T14:21:00.003-06:00

This is a notice that a recent vulnerability has been discovered in the
OpenSSL protocol. The vulnerability is a man-in-the-middle attack upon
renegotiation of an SSL session and a good summary of the problem can
be found at:

http://www.theregister.co.uk/2009/11/05/serious_ssl_bug/
http://www.sslshopper.com/article-ssl-and-tls-renegotiation-vulnerability-discovered.html

For more technical details you can look at:

http://www.tombom.co.uk/blog/?p=85
http://extendedsubset.com/?p=8
http://www.links.org/?p=780
http://www.links.org/?p=786

The OSG security team is has been following this announcement and you can find additional information for that at:

https://ticket.grid.iu.edu/goc/viewer?id=7714

OSG-SEC-2009-10-19

2009-11-02T10:51:00.004-06:00

Active exploitation of kernel vulnerabilities has resulted in a security announcement to all OSG security contacts. Security team contacts can view the information by looking at the following security notification ticket:

https://ticket.grid.iu.edu/goc/viewer?id=7640

If there are any questions on this notification ticket please contact the OSG security team.

New OSG Security blog

2009-10-20T13:13:00.002-05:00

This is a new Open Science Grid (OSG) Security News and Announcement blog. The OSG Security team will be posting news and announcements that are pertinent to members of the OSG community. Be sure to check back often or subscribe to the blog for the latest announcements.

- OSG Security Team