Document retrieved from a search engine cache. Address of the original document: http://theory.sinp.msu.ru/pipermail/ru-ngi/2015q2/001550.html
Modification date: Fri May 8 14:04:41 2015
Indexing date: Sun Apr 10 18:17:56 2016
[RU-NGI] Fwd: [Noc-managers] EGI SVG Advisory 'High' RISK - perfSONAR potential for a remote root exploit (in non-recommended configuration) [EGI-SVG-2015-8479]

Alexander Kryukov kryukov at theory.sinp.msu.ru
Thu May 7 20:49:54 MSK 2015


FYI


-------- Forwarded Message --------
Subject: [Noc-managers] EGI SVG Advisory 'High' RISK - perfSONAR 
potential for a remote root exploit (in non-recommended configuration) 
[EGI-SVG-2015-8479]
Date: Thu, 7 May 2015 14:21:35 +0000
From: linda.cornwall at stfc.ac.uk
To: site-security-contacts at mailman.egi.eu, 
ngi-security-contacts at mailman.egi.eu, noc-managers at mailman.egi.eu
CC: svg-rat at mailman.egi.eu, csirt at mailman.egi.eu


** AMBER information - Limited distribution **

** see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions **


EGI SVG   ADVISORY [EGI-SVG-2015-8479]

Title:       EGI SVG Advisory 'High' RISK - perfSONAR potential for a 
remote root exploit (in non-recommended configuration)   [EGI-SVG-2015-8479]

Date:        2015-05-07
Updated:

This advisory will be placed on the wiki on or after 2015-05-21

URL:         https://wiki.egi.eu/wiki/SVG:Advisory-SVG-2015-8479


Introduction
============

A vulnerability has been found in fakewww, which is part of the NDT 
package, which in turn is part of perfSONAR, which could potentially 
lead to a remote root exploit.

This has been fixed in NDT version 3.7.0 which is part of perfSONAR 
3.4.2 and sites should make sure they have auto-updates enabled as 
recommended or update manually.

If sites are configured as recommended by the WLCG perfSONAR team, in 
[R 1], with NDT disabled, then they are not vulnerable even if they are 
running a vulnerable version of perfSONAR.

However, it is not clear how many sites in the EGI or WLCG environment 
are configured such that NDT is not disabled.

Sites running perfSONAR are asked to check they do not have a vulnerable 
configuration and take action if necessary.


Details
=======

The potential for a remote exploit has been found in fakewww, which 
is part of the NDT package, which in turn is part of perfSONAR.  If 
sites are configured as recommended by the perfSONAR team, with NDT 
disabled, then they are not vulnerable.  See [R 1]

It is not clear how many sites are vulnerable; the tools which CSIRT 
normally uses for checking for vulnerabilities cannot be used to check 
for this.

This has been fixed in NDT version 3.7.0 which is part of perfSONAR 
3.4.2 and sites should make sure they have auto-updates enabled as 
recommended or update manually.


Risk category
=============

This issue has been assessed as 'High' risk by the EGI SVG Risk 
Assessment Team.

Affected software
=================

All versions of perfSONAR running NDT version prior to 3.7.0 are vulnerable.

If NDT is disabled as recommended, then sites are not vulnerable.


Mitigation
==========

Sites running perfSONAR should check that NDT is disabled as recommended 
and if it is not disabled either update urgently or disable NDT.


Component installation information
==================================

Please see the perfSONAR wiki instructions [R 1]

Note that in order to use Apache instead of fakewww, it is necessary to 
install package 'ndt-server-apache' using yum, and run "service ndt 
restart" and "service httpd restart".


Recommendations
===============

Sites running perfSONAR should check that NDT is disabled as in 
instructions in [R 1]

Sites should also check that they are running the latest version of NDT 
(3.7.0) and preferably (as recommended by the perfSONAR team) have 
auto-updates enabled.


Credit
======

This vulnerability was reported by Simon Fayer from Imperial College, London

References
==========

[R 1] 
https://twiki.opensciencegrid.org/bin/view/Documentation/InstallUpdatePS

Timeline
========
Yyyy-mm-dd

2015-04-18 Vulnerability reported by Simon Fayer (a member of SVG)
2015-04-22 Software providers responded and involved in investigation
2015-04-30 Assessment by the EGI Software Vulnerability Group reported 
to the software providers
2015-05-01 Updated packages available at perfSONAR website
2015-05-07 Advisory sent to sites
2015-05-?? Public disclosure



On behalf of the EGI SVG,


------------------------------------------------------------------
Dr Linda Cornwall,
Particle Physics Department,
STFC Rutherford Appleton Laboratory,
Harwell Oxford,
DIDCOT,
OX11 OQX,
United Kingdom

E-mail  Linda.Cornwall at stfc.ac.uk
Tel.    +44 (0) 1235 44 6138
Skype   linda.ann.cornwall


_______________________________________________
Noc-managers mailing list
Noc-managers at mailman.egi.eu
https://mailman.egi.eu/mailman/listinfo/noc-managers

-- 
A.Kryukov, PhD
Head of laboratory, SINP MSU
Phone: +7 495 939-3156
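
The check the advisory asks sites to make (NDT older than 3.7.0 and not disabled), written out as an added example; it is not part of the advisory or of perfSONAR. The function names are hypothetical, and the RPM package name "ndt" and the use of chkconfig on a SysV-init host are assumptions.

```sh
#!/bin/sh
# Added example: classify a host against EGI-SVG-2015-8479.
# Advisory facts used: NDT before 3.7.0 is vulnerable; a disabled NDT is not exposed.
FIXED_NDT="3.7.0"

# ver_lt A B: succeeds when dotted version A sorts strictly before B.
ver_lt() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# ndt_exposure VERSION ENABLED(yes|no): print one verdict word.
ndt_exposure() {
    ndt_version=$1
    ndt_enabled=$2
    if [ -z "$ndt_version" ]; then
        echo "not_installed"
    elif ver_lt "$ndt_version" "$FIXED_NDT"; then
        if [ "$ndt_enabled" = "yes" ]; then
            echo "vulnerable"          # update urgently or disable NDT
        else
            echo "disabled_outdated"   # not exposed, but still update
        fi
    elif [ "$ndt_enabled" = "yes" ]; then
        echo "patched_enabled"         # fixed, but not the recommended setup
    else
        echo "ok"
    fi
}

# ndt_check_host: gather the two inputs from the local system.
# Assumptions: the RPM is named "ndt" and the host uses SysV init (chkconfig).
ndt_check_host() {
    host_version=$(rpm -q --qf '%{VERSION}' ndt 2>/dev/null) || host_version=""
    host_enabled=no
    # Enabled at boot in this runlevel, or running right now.
    if chkconfig ndt 2>/dev/null || service ndt status >/dev/null 2>&1; then
        host_enabled=yes
    fi
    verdict=$(ndt_exposure "$host_version" "$host_enabled")
    echo "ndt version='${host_version:-none}' enabled=$host_enabled -> $verdict"
    [ "$verdict" != "vulnerable" ]
}

# Run against this host only when asked: sh ndt_check.sh --check
if [ "${1:-}" = "--check" ]; then
    ndt_check_host
fi
```

With --check the script exits non-zero only for the "vulnerable" verdict, so it can be run from cron or a configuration-management job.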



