Page updated: 06/09/2004
gLite 3.0

glite-UI - Update to version 3.0.22-2

Date 02.07.07
Priority High

Description

DPM-gridftp-server Incorrect credentials propagation -- High Priority

Operational Security Coordination Team Advisory 

-- Date: 2007-07-02 

-- Background 

The Disk Pool Manager (DPM) has been developed as a lightweight
solution for disk storage management. The DPM offers a modified
version of the Globus gridftp daemon for data access, among many
other protocols.

-- Affected Software 

LCG <= 2.7.x, gLite <= 3.0.x. 

gLite 3.1.x is not affected. 

-- Affected Components 

All versions of the DPM-gridftp-server package are affected. 

DPM servers running with VDT 1.6 or later are not affected, because 
they use a different gridftp implementation, taken from Globus Toolkit 4 
and interfaced to DPM via a plug-in interface. This implementation comes 
with the package 'DPM-DSI' instead of the above-mentioned 'DPM-gridftp-server'.

For gLite 3.x the affected meta-packages are: 

glite-SE_dpm_disk 
glite-SE_dpm_mysql 
glite-SE_dpm_oracle 

Sites running LCG 2.x are asked to upgrade their DPM-gridftp-server to gLite. 

-- Vulnerability Details 

The DPM gridftp server handles the credentials of authenticated users
in order to enforce permissions on the files it serves. Unfortunately, it 
appears that under some circumstances the credentials are not correctly 
propagated. 

As a result, it is possible for a malicious user who has successfully 
authenticated against the DPM gridftp service to manipulate any file 
accessible by the service, including reading, writing, deleting and 
changing the permissions of the affected files and directories.

-- Further documentation 

This advisory is also available at the following URL: 

http://cern.ch/grid-deployment/glite-web/egee/packages/R3.0/updates.asp 

-- Installation Notes
 
The following RPMs have been made available: 

DPM-gridftp-server-1.6.5-3sec.i386.rpm 

It is possible to upgrade the 'DPM-gridftp-server' component only 
(without upgrading the rest of the DPM components) from any version
from 1.6.0 to 1.6.5-2 inclusive.

If the upgrade is not feasible, then we recommend stopping and disabling 
the DPM gridftp service and contacting the developers about a custom 
upgrade path:

  /sbin/service dpm-gsiftp stop 
  /sbin/chkconfig --del dpm-gsiftp 

The RPMs are available in the appropriate repositories for each distribution: 

http://cern.ch/grid-deployment/glite-web/egee/packages/R3.0/updates.asp 
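As an added triage helper that is not part of the advisory, the following POSIX shell script decides from an installed package version string whether a DPM disk server still needs the 1.6.5-3sec update, and optionally queries rpm on the host; the version format (MAJOR.MINOR.PATCH-RELEASE with an optional suffix such as "sec") and the package name DPM-gridftp-server are taken from this page, everything else is an assumption.

```shell
#!/bin/sh
# Added example, not code from the gLite advisory. Assumes RPM version strings
# of the form MAJOR.MINOR.PATCH-RELEASE[suffix], e.g. "1.6.5-2" or "1.6.5-3sec".
FIXED_VERSION="1.6.5"
FIXED_RELEASE=3

# Return 0 (true) when the given version-release is older than the fixed
# 1.6.5-3 build, i.e. when the host is still running a vulnerable package.
dpm_gridftp_needs_update() {
    pkg_ver="${1%%-*}"
    case "$1" in
        *-*) pkg_rel="${1#*-}"; pkg_rel="${pkg_rel%%[!0-9]*}" ;;
        *)   pkg_rel=0 ;;   # no release part at all: treat as release 0
    esac
    # Split both version strings on '.' into numeric components.
    old_ifs="$IFS"; IFS=.
    set -- $pkg_ver
    pv1=${1:-0}; pv2=${2:-0}; pv3=${3:-0}
    set -- $FIXED_VERSION
    fv1=$1; fv2=$2; fv3=$3
    IFS="$old_ifs"
    # Compare most significant component first; the first difference decides.
    [ "$pv1" -ne "$fv1" ] && { [ "$pv1" -lt "$fv1" ]; return; }
    [ "$pv2" -ne "$fv2" ] && { [ "$pv2" -lt "$fv2" ]; return; }
    [ "$pv3" -ne "$fv3" ] && { [ "$pv3" -lt "$fv3" ]; return; }
    [ "${pkg_rel:-0}" -lt "$FIXED_RELEASE" ]
}

# Query the local RPM database (only on a real DPM host) and report whether
# the vulnerable package is installed and whether the dpm-gsiftp service is
# still enabled. Hypothetical reporting wrapper; rpm/chkconfig calls are standard.
report_host() {
    command -v rpm >/dev/null 2>&1 || { echo "rpm not available"; return 2; }
    installed=$(rpm -q --qf '%{VERSION}-%{RELEASE}' DPM-gridftp-server 2>/dev/null) \
        || { echo "DPM-gridftp-server not installed"; return 1; }
    if dpm_gridftp_needs_update "$installed"; then
        echo "VULNERABLE: DPM-gridftp-server $installed (< $FIXED_VERSION-$FIXED_RELEASE)"
        command -v chkconfig >/dev/null 2>&1 && chkconfig --list dpm-gsiftp 2>/dev/null
        return 0
    fi
    echo "OK: DPM-gridftp-server $installed"
    return 1
}
```

Run report_host on each DPM disk server after the update to confirm the 1.6.5-3sec build is installed before re-enabling dpm-gsiftp.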

-- Credit 
This vulnerability was discovered by Kostas Georgiou. 

-- Disclosure Timeline 
2007-06-19 Vulnerability reported to the LFC/DPM developers 
2007-06-19 Initial response from the LFC/DPM developers 
2007-06-26 Updated packages ready for certification and testing 
2007-07-02 OSCT notified of the vulnerability 
2007-07-02 Updated packages certified 
2007-07-02 Release preparation completed 
2007-07-02 Updated LCG and gLite packages available 
2007-07-02 Public disclosure 
2007-07-02 Site Admins and LCG Security Contacts notified 

-- References 

The details of the vulnerability and the update can be found here: 

http://cern.ch/grid-deployment/glite-web/egee/packages/R3.0/updates.asp 

For more detailed information including fixed bugs, updated RPMs, 
configuration changes and how to deploy, please go to the 'Details' 
link next to each service on the 'Updates' web page.

All issues found with this update should be reported using GGUS: 
www.ggus.org. 

Further updates in Data Management

The updated DPM-FTP component (1.6.5-3):
  • ftpd: propagate user credentials for cd requests (needed for uberftp)
  • Replaced the DPM-client (build only) dependency with lcg-dm-common.
The updated LCG-DM component (1.6.5-3):
  • Better logging of request and sub-request (file) errors
  • Disabled automatic RPM dependencies to solve the x86_64 related problems
  • Build fixes for SuSE 9 and CentOS 4, and easier optional build of the Oracle parts

Please also have a look at the list of known issues.

This update fixes various bugs. For the full list of bugs, please see the list below.

Fixed bugs

Number Description
 #24493 LFC Oracle script errors

Updated rpms

Name Version Full RPM name Description
DPM-client 1.6.5-3sec.slc3 DPM-client-1.6.5-3sec.slc3.i386.rpm APIs and CLIs for the DPM/DPNS
DPM-interfaces 1.6.5-3sec.slc3 DPM-interfaces-1.6.5-3sec.slc3.i386.rpm Disk Pool Manager Interfaces
glite-UI 3.0.22-2 glite-UI-3.0.22-2.noarch.rpm gLite User Interface
lcg-dm-common 1.6.5-3sec.slc3 lcg-dm-common-1.6.5-3sec.slc3.i386.rpm LCG Data Management common libraries and man pages.
LFC-client 1.6.5-3sec.slc3 LFC-client-1.6.5-3sec.slc3.i386.rpm Client side libraries for the LFC
LFC-interfaces 1.6.5-3sec.slc3 LFC-interfaces-1.6.5-3sec.slc3.i386.rpm LCG File Catalog Interfaces

The RPMs can be updated using apt via

Service reconfiguration after update

Not needed.

Service restart after update

Not needed.

How to apply the fix

  1. Update the RPMs (see above)
  2. Update configuration (see above)
  3. Restart the service if necessary (see above)