Note: This web site is only kept up to date for OSG Software 1.2 (VDT 2.0.0). If you are looking for information for the most recent release, the RPM-based OSG Software 3.0, please see the OSG documentation web site

VDT security advisory 2009-01

Summary

Glexec versions 0.5.35 and earlier have a vulnerability that allows authorized users to become root.

Relevant Versions

This advisory affects the following VDT versions:

Date Announced

2009-06-05

Description

Background

Glexec is a middleware component used to verify and authorize the grid credentials on whose behalf associated jobs or tasks should be run. Glexec is normally deployed setuid-root so that it can map a given credential (proxy) to an appropriate local account. It is used by pilot jobs (such as those submitted by GlideinWMS) to run user payloads under the correct local identities. On a worker node, glexec may be made available to a set of local accounts that correspond to privileged members of VOs employing multi-user pilot job frameworks. Such a pilot job downloads a task from a central task queue, along with a valid proxy for the user who submitted the task; glexec is then used to run the task under a different local account corresponding to that proxy. Glexec may also refuse a proxy, e.g. when the user concerned is banned.

Vulnerability Details

The University of Wisconsin Vulnerability Assessment project has reviewed glexec and found two vulnerabilities (GLEXEC-2009-0002 and GLEXEC-2009-0004) that allow authorized users to gain root access. These vulnerabilities are present in glexec versions 0.5.35 and earlier; later versions are not affected. Specific details of the flaws will be released at a future date.

Security risk: high

We recommend updating to glexec 0.5.36 or later. In the VDT, this is referred to as glexec-osg 0.6.6 or later.

Solution

An updated version of glexec is available in VDT 1.10.1x and VDT 2.0.0p2 or later. In those versions, as of 5 June 2009, glexec was updated to 0.5.36.
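The following is an added example, not part of the VDT advisory or the glexec distribution. It shows how a site might check a reported glexec or glexec-osg version against the fixed releases named above (0.5.36 upstream, 0.6.6 in the VDT) without falling into the plain-string trap where "0.5.9" sorts after "0.5.36", and how to confirm that a given binary is actually installed setuid-root, which is the deployment mode in which this flaw yields root. How the version string is obtained (package metadata, VDT tooling) is site-specific and is assumed to be supplied by the caller; the version strings used below are constructed for illustration.

```shell
#!/bin/sh
# Added example (not the advisory's or glexec's own code).
# Only purely numeric dotted components are handled; suffixes such as
# "p2" are out of scope here.

# vercmp A B: prints -1, 0 or 1 for A<B, A=B, A>B, comparing each dotted
# numeric component in turn, so that 0.5.9 < 0.5.36 and 0.6 > 0.5.36.
vercmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ac="${a%%.*}"; bc="${b%%.*}"          # leading component of each
        [ "$a" = "$ac" ] && a="" || a="${a#*.}" # drop it from the remainder
        [ "$b" = "$bc" ] && b="" || b="${b#*.}"
        ac="${ac:-0}"; bc="${bc:-0}"           # missing component counts as 0
        if [ "$ac" -lt "$bc" ]; then echo -1; return; fi
        if [ "$ac" -gt "$bc" ]; then echo 1; return; fi
    done
    echo 0
}

# glexec_affected VERSION: succeeds if an upstream glexec VERSION is
# 0.5.35 or earlier, i.e. inside the range named by the advisory.
glexec_affected() {
    [ "$(vercmp "$1" "0.5.36")" -lt 0 ]
}

# glexec_osg_affected VERSION: same check for the VDT package, whose
# fixed release is glexec-osg 0.6.6.
glexec_osg_affected() {
    [ "$(vercmp "$1" "0.6.6")" -lt 0 ]
}

# is_setuid_root PATH: succeeds if PATH exists, is owned by root and has
# the setuid bit set (the mode glexec is normally deployed in).
is_setuid_root() {
    find "$1" -maxdepth 0 -user root -perm -4000 2>/dev/null | grep -q .
}

# Example invocation with a constructed version string; a real site would
# feed in the version reported by its package tooling instead.
if glexec_affected "0.5.35"; then
    echo "glexec 0.5.35: affected, update to 0.5.36 (glexec-osg 0.6.6) or later"
fi
```

Run the checks against every worker node that exposes glexec, not just the head node, since the setuid binary lives wherever pilot jobs execute payloads.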

Release notes and instructions for VDT 1.10.1x

Release notes and instructions for VDT 2.0.0p2

Questions

Please contact vdt-support@opensciencegrid.org if you have any questions.