Document taken from the search engine cache. Address of the original document: http://theory.sinp.msu.ru/pipermail/ru-ngi/2014q2/001294.html
Date modified: Tue Apr 8 14:38:41 2014
Date indexed: Sun Apr 10 17:50:44 2016
[RU-NGI] Fwd: [Noc-managers] EGI SVG Advisory 'High' RISK - Maui/Moab vulnerabilities.

Alexander Kryukov kryukov at theory.sinp.msu.ru
Thu Apr 3 17:36:25 MSK 2014


FYI

-------- Original Message --------
Subject: [Noc-managers] EGI SVG Advisory 'High' RISK - Maui/Moab 
vulnerabilities.
Date: Thu, 3 Apr 2014 13:04:32 +0000
From: <linda.cornwall at stfc.ac.uk>
To: <site-security-contacts at mailman.egi.eu>, 
<ngi-security-contacts at mailman.egi.eu>, <noc-managers at mailman.egi.eu>
CC: svg-rat at mailman.egi.eu, csirt at mailman.egi.eu

** AMBER information - Limited distribution **
** see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions **

EGI SVG ADVISORY [EGI-SVG-2013-5545]

Title:       EGI SVG Advisory 'High' RISK - Maui/Moab vulnerabilities.

Date:        2014-04-03


Introduction
============

Maui [R 1] and Moab are distributed by Adaptive Computing, formerly 
known as Cluster Resources.

Three vulnerabilities have been found which are present in both Moab and Maui.

These have been fixed by Adaptive Computing in Moab, but Maui is no 
longer supported.

The purpose of this advisory is to advise sites that vulnerabilities 
exist, and that they should migrate from Maui as it is no longer under 
security support.

Mitigation is possible for the vulnerabilities which are considered 
'High' risk in Maui.


Details
=======

The Maui and Moab software was examined and tested in detail by Bartlomiej
Balcerek and his team in Poland, and three vulnerabilities were found.

1) Credentials are hard-coded into the Maui RPM distributed by the EGI UMD.
This can be mitigated by configuration changes.

2) Authentication spoofing is possible under certain conditions, mainly
affecting Moab, while Maui can be protected by the firewall rules detailed
below.

3) A stack overflow.

These were reported by SVG to Adaptive Computing and have been addressed 
for Moab, but Maui is no longer under security support therefore they 
will not be fixed.

At the EGI OMB in February 2014, it was reported that Maui is not under 
security support, and it was suggested that some NGI(s) may wish to take 
on support.
However, no volunteers have yet been found.  Therefore SVG is alerting 
sites to the existence of these vulnerabilities, with the recommendation 
of migrating away from Maui.

This was also discussed at the WLCG management board meeting on 18th 
March, where it was again reported that Maui is no longer supported.

Adaptive Computing recommend their commercial Moab product instead of 
Maui [R 1], but it is not clear whether this is a solution for EGI sites.

We are aware that migration discussions are under way.


Risk category
=============

Issue 1) has been assessed as 'High' Risk for both Moab and Maui.
Issue 2) has been assessed as 'High' Risk for both Moab and Maui, but
'Low' for Maui if it is protected by the firewall rules detailed below.
Issue 3) has been assessed as 'Low' Risk for both Moab and Maui.
These are the opinion of the EGI SVG Risk Assessment Team.


Affected software
=================

Versions maui-server-3.3-4.el5 and moab-7.2.1-r2 are affected.
Earlier versions are also likely to be affected.



Mitigation
==========

Until the problems are properly resolved, some mitigation is possible.

For 1)
Sites should set their own Maui credentials key, and set it again after
every re-install, since a re-install brings back the key hard-coded into
the RPM.

For 2)
The Moab/Maui server ports (for Maui usually 15004, 40559, 40560) should
be made accessible only from the server host itself, the host that runs
Torque/PBS, and the site's Computing Element(s).


Sites which install Moab should see the Adaptive Computing recommendations
at [R 2].
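The two mitigations above written out as a shell script, added here as a
worked example; it is not part of the EGI SVG advisory and is not Adaptive
Computing's code. It assumes a Maui 3.x layout in which the shared secret is
a "CLIENTCFG[DEFAULT] CSKEY=<key>" line in maui-private.cfg, that the server
ports are TCP, and that the host firewall is iptables; the addresses for the
Maui host, Torque server and CEs are constructed RFC 5737 documentation
addresses. The firewall function only prints the rules so they can be
reviewed before being applied.

```shell
#!/bin/sh
# Added example, not part of the EGI SVG advisory or of Maui/Moab: the two
# mitigations as shell functions for an EL5-style Maui server host.
#
# Assumptions not stated in the advisory (check them against your install):
#   - the shared secret lives in maui-private.cfg as a line of the form
#     "CLIENTCFG[DEFAULT] CSKEY=<key>" (Maui 3.x convention)
#   - the server ports are TCP and the host firewall is iptables; the rules
#     are only PRINTED so they can be reviewed before "iptables" is run

MAUI_PORTS="15004 40559 40560"     # from the advisory: usual Maui server ports

# Mitigation 1): replace the key shipped in the RPM with a fresh random one.
#   $1 = path of maui-private.cfg   $2 = optional key (omit to generate one)
# Other lines of the file are kept; the new file is created mode 0600 and
# swapped in atomically. Prints the key that was installed.
maui_reset_key() {
    cfg="$1"
    key="${2:-$(od -An -N32 -tx1 /dev/urandom | tr -d ' \n')}"   # 256-bit hex
    (
        umask 077
        {
            if [ -f "$cfg" ]; then grep -v 'CSKEY=' "$cfg" || true; fi
            printf 'CLIENTCFG[DEFAULT] CSKEY=%s\n' "$key"
        } > "$cfg.new"
    )
    mv "$cfg.new" "$cfg"
    chmod 600 "$cfg"
    printf '%s\n' "$key"
}

# Mitigation 2): allow the Maui ports only from the Maui host itself,
# the Torque/PBS server and the site's CE(s); drop everything else.
#   $1 = space-separated allow list (addresses or CIDR prefixes)
# Loopback is accepted first so local Maui clients keep working.
maui_fw_rules() {
    allowed="$1"
    printf 'iptables -A INPUT -i lo -j ACCEPT\n'
    for p in $MAUI_PORTS; do
        for src in $allowed; do
            printf 'iptables -A INPUT -p tcp -s %s --dport %s -j ACCEPT\n' "$src" "$p"
        done
        printf 'iptables -A INPUT -p tcp --dport %s -j DROP\n' "$p"
    done
}

# Check a ruleset: every Maui port must end in an unconditional DROP,
# otherwise mitigation 2) is not in place. Reads the rules from stdin
# (e.g. "iptables -S INPUT | maui_fw_check") and returns non-zero on the
# first unprotected port.
maui_fw_check() {
    rules=$(cat)
    for p in $MAUI_PORTS; do
        printf '%s\n' "$rules" | grep -q -e "--dport $p -j DROP" || {
            echo "port $p is not protected" >&2
            return 1
        }
    done
    return 0
}

# Constructed sample: Maui server 192.0.2.10, Torque server 192.0.2.11,
# two CEs 192.0.2.20 and 192.0.2.21 (RFC 5737 documentation addresses).
maui_fw_rules "192.0.2.10 192.0.2.11 192.0.2.20 192.0.2.21"
# To rotate the key on a real host:  maui_reset_key /usr/local/maui/maui-private.cfg
```

Run the printed rules once they have been reviewed, and pipe the live
ruleset through maui_fw_check after the next reboot or firewall reload to
confirm the DROP rules survived; the key rotation must be repeated after
every re-install of the RPM.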




Component installation information
==================================


N/A.



Recommendations
===============

As Maui is no longer supported, sites should consider migrating away 
from Maui.

In the meantime sites should carry out the mitigation above for 1) and 2).

Credit
======

These vulnerabilities were reported by Bartlomiej Balcerek of Wroclaw 
University of Technology, Poland.

References
==========

[R 1] http://www.adaptivecomputing.com/products/open-source/maui/

[R 2] http://docs.adaptivecomputing.com/mwm/help.htm#a.esecurity.html



Timeline
========
Yyyy-mm-dd

2013-05-20 Vulnerabilities reported by Bartlomiej Balcerek
2013-05-20 Acknowledgement from the EGI SVG to the reporter
2013-05-20 Discussions by RAT on risk
2013-06-05 Got a response from Adaptive Computing, after several failed 
attempts
2013-06-06 Software providers responded and involved in investigation
2013-06-20 Risk Assessment Agreed at the EGI SVG monthly meeting.
2013-07-17 Assessment by the EGI Software Vulnerability Group reported to the
            software providers
2014-02-20 Adaptive Computing state Maui is no longer under security maintenance
            and describe what has been done in Moab.
2014-02-27 Reported to EGI OMB that Maui no longer supported
2014-04-03 Advisory sent to sites and NGIs, informing of situation.



On behalf of the EGI SVG,

------------------------------------------------------------------
Dr Linda Cornwall,
Particle Physics Department,
STFC Rutherford Appleton Laboratory,
Harwell Oxford,
DIDCOT,
OX11 0QX,
United Kingdom

E-mail  Linda.Cornwall at stfc.ac.uk
Tel.    +44 (0) 1235 44 6138
Skype   linda.ann.cornwall


_______________________________________________
Noc-managers mailing list
Noc-managers at mailman.egi.eu
https://mailman.egi.eu/mailman/listinfo/noc-managers

-- 
A.Kryukov, PhD
Head of laboratory, SINP MSU
Phone: +7 495 939-3156



