FYI

-------- Original Message --------
Subject: [Noc-managers] EGI SVG Advisory 'High' RISK - Maui/Moab vulnerabilities.
Date: Thu, 3 Apr 2014 13:04:32 +0000
From: <linda.cornwall at stfc.ac.uk>
To: <site-security-contacts at mailman.egi.eu>, <ngi-security-contacts at mailman.egi.eu>, <noc-managers at mailman.egi.eu>
CC: svg-rat at mailman.egi.eu, csirt at mailman.egi.eu

** AMBER information - Limited distribution **
** see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions **

EGI SVG ADVISORY [EGI-SVG-2013-5545]

Title: EGI SVG Advisory 'High' RISK - Maui/Moab vulnerabilities.
Date: 2014-04-03

Introduction
============

Maui [R 1] and Moab are distributed by Adaptive Computing, formerly known as Cluster Resources. 3 vulnerabilities have been found which are present in Moab and Maui. These have been fixed by Adaptive Computing in Moab, but Maui is no longer supported.

The purpose of this advisory is to advise sites that vulnerabilities exist, and that they should migrate from Maui as it is no longer under security support. Mitigation is possible for the vulnerabilities which are considered 'High' risk in Maui.

Details
=======

Maui and Moab software was examined and tested in detail by Bartlomiej Balcerek and his team in Poland, and 3 vulnerabilities were found.

1) Credentials are hard-coded into the Maui RPM distributed by the EGI UMD. This can be mitigated by configuration changes.

2) Authentication spoofing is possible under certain conditions, mainly affecting Moab, while Maui can be protected by firewall rules that are detailed below.

3) A stack overflow.

These were reported by SVG to Adaptive Computing and have been addressed for Moab, but Maui is no longer under security support, therefore they will not be fixed.

At the EGI OMB in February 2014, it was reported that Maui is not under security support, and it was suggested that some NGI(s) may wish to take on support. However, no volunteers have yet been found.

Therefore SVG is alerting sites to the existence of these vulnerabilities, with the recommendation of migrating away from Maui. This was also discussed at the WLCG management board meeting on 18th March, where it was again reported that Maui is no longer supported.

Adaptive Computing recommend their commercial Moab product instead of Maui [R 1], but it is not clear whether this is a solution for EGI sites. We are aware that migration discussions are under way.

Risk category
=============

Issue 1) has been assessed as 'High' Risk for both Moab and Maui.

Issue 2) has been assessed as 'High' Risk for Moab, 'High' Risk for Maui, but 'Low' for Maui if it is protected by firewall rules that are detailed below.

Issue 3) has been assessed as 'Low' Risk for both Moab and Maui.

These are the opinion of the EGI SVG Risk Assessment Team.

Affected software
=================

Versions maui-server-3.3-4.el5 and moab-7.2.1-r2 are affected. Earlier versions are also likely to be affected.

Mitigation
==========

While the problems are not properly resolved, some mitigation is possible.

For 1) Sites should set the Maui credentials key, and re-set it each time there is a re-install.

For 2) The Moab/Maui server ports (for Maui usually 15004, 40559, 40560) should be made accessible only from the server host itself, the host that runs Torque/PBS, and the site's Computing Element(s).

Sites which install Moab should see Adaptive Computing recommendations at [R 2].

Component installation information
==================================

N/A.

Recommendations
===============

As Maui is no longer supported, sites should consider migrating away from Maui. In the meantime sites should carry out mitigation as above for 1) and 2).

Credit
======

These vulnerabilities were reported by Bartlomiej Balcerek of Wroclaw University of Technology, Poland.

References
==========

[R 1] http://www.adaptivecomputing.com/products/open-source/maui/
[R 2] http://docs.adaptivecomputing.com/mwm/help.htm#a.esecurity.html

Timeline
========

Yyyy-mm-dd
2013-05-20 Vulnerabilities reported by Bartlomiej Balcerek
2013-05-20 Acknowledgement from the EGI SVG to the reporter
2013-05-20 Discussions by RAT on risk
2013-06-05 Got a response from Adaptive Computing, after several failed attempts
2013-06-06 Software providers responded and involved in investigation
2013-06-20 Risk Assessment Agreed at the EGI SVG monthly meeting
2013-07-17 Assessment by the EGI Software Vulnerability Group reported to the software providers
2014-02-20 Adaptive Computing state Maui is no longer under security maintenance and describe what has been done in Moab
2014-02-27 Reported to EGI OMB that Maui no longer supported
2014-04-03 Advisory sent to sites and NGIs, informing of situation

On behalf of the EGI SVG,

------------------------------------------------------------------
Dr Linda Cornwall, Particle Physics Department,
STFC Rutherford Appleton Laboratory,
Harwell Oxford, DIDCOT, OX11 OQX, United Kingdom
E-mail Linda.Cornwall at stfc.ac.uk
Tel. +44 (0) 1235 44 6138
Skype linda.ann.cornwall

--
A.Kryukov, PhD
Head of laboratory, SINP MSU
Phone: +7 495 939-3156
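The firewall mitigation for issue 2), as an added example that is not part of the advisory or of the Maui/Moab software: it prints iptables commands confining the Maui ports named above (15004, 40559, 40560) to the hosts the advisory lists, and includes a check that can be re-run after a re-install. The addresses and the chain name MAUI-IN are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the EGI advisory or from Maui/Moab: emit iptables
# commands that restrict the Maui server ports named in the advisory to the
# hosts it lists (the Maui server itself, the Torque/PBS host and the site's
# Computing Element(s)). Addresses are constructed placeholders from the
# RFC 5737 documentation range; substitute the site's own. Commands are
# printed for review rather than executed.

MAUI_PORTS="15004 40559 40560"
# constructed: Maui server loopback, Torque/PBS host, two Computing Elements
MAUI_ALLOWED_HOSTS="127.0.0.1 192.0.2.10 192.0.2.20 192.0.2.30"

# Print the rule set: a dedicated chain, one ACCEPT per allowed host and port,
# a DROP for anything else on those ports, and a jump from INPUT inserted at
# the top so it takes precedence over any broad ACCEPT already in INPUT.
maui_fw_rules() {
    echo "iptables -N MAUI-IN"
    for host in $MAUI_ALLOWED_HOSTS; do
        for port in $MAUI_PORTS; do
            echo "iptables -A MAUI-IN -s $host -p tcp --dport $port -j ACCEPT"
        done
    done
    for port in $MAUI_PORTS; do
        echo "iptables -A MAUI-IN -p tcp --dport $port -j DROP"
    done
    for port in $MAUI_PORTS; do
        echo "iptables -I INPUT -p tcp --dport $port -j MAUI-IN"
    done
}

# Read a rule listing from stdin (the format of 'iptables -S', where sources
# appear as host/32) and return 0 only if every Maui port has a DROP rule and
# every allowed host has an ACCEPT rule for every port. Re-run this after a
# re-install, when rules are easily lost.
maui_fw_check() {
    listing=$(cat)
    for port in $MAUI_PORTS; do
        echo "$listing" | grep -q -- "--dport $port -j DROP" || return 1
        for host in $MAUI_ALLOWED_HOSTS; do
            echo "$listing" | grep -q -- "-s $host.* --dport $port -j ACCEPT" || return 1
        done
    done
    return 0
}
```

To audit a live host, pipe the kernel's current rules through the check: `iptables -S | maui_fw_check && echo ok`.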