Note: This web site is only kept up to date for OSG Software 1.2 (VDT 2.0.0). If you are looking for information for the most recent release, the RPM-based OSG Software 3.0, please see the OSG documentation web site

Globus Security Advisory 2007-03: Nexus vulnerability

Summary

The GRAM 2 (pre-web services) job manager in Globus is vulnerable to a denial of service: a remote attacker who sends invalid data to the Nexus TCP ports that the job manager opens for each job can cause excessive memory consumption on the host running the job manager.

Relevant Versions

This advisory affects the following VDT versions:

Date Announced

2007-05-21

Description

This is a denial of service vulnerability in the GRAM 2 (pre-web services) job manager only. It is a server-side issue: the host running globus-job-manager (typically the head node of a cluster) is affected, and GRAM clients are not vulnerable. If you do not run GRAM 2, no other Globus service is affected by this advisory.

You can read Globus's description of the problem. For your convenience, we replicate the announcement here:

Globus Security Advisory 2007-03: Nexus vulnerability

Original issue date: May 17, 2007
Last revised: None

Software affected: Globus Toolkit releases 4.1.1 and earlier

Specific packages:
     globus_nexus-6.6 and earlier

Overview:

A vulnerability in the globus-job-manager was discovered.  As far as
we know, root privileges can not be obtained, but the system
(typically the head node of a cluster) running the globus-job-manager
can be caused to crash resulting in a denial of service (DoS).  If
many globus-job-managers are attacked at once on the same system, all
available physical and swap memory can be consumed, causing the kernel
OOM to start killing off everything including init, and eventually
causing a kernel panic which halts the system.

I. Description

When a GRAM2 job is submitted, the job manager will open and listen on
3 ephemeral ports during the life of the job.  Two of these ports are
used by MPICH-G2 applications. It has been demonstrated that these
ports are vulnerable to an attack which can cause excessive memory
consumption and denial of service of the host system.

II. Impact

A remote attacker may cause a denial of service.

III. Solution

Nexus has been modified to use GSI with self authorization on
Nexus TCP sockets by default. This will secure access to the ports
opened by the job manager to only the user that submitted the job.
Details about this bug can be read here:
http://bugzilla.globus.org/globus/show_bug.cgi?id=5297

While testing this solution, a deadlock bug was found and fixed in
GSSAPI when built with threads.  Additional details about this bug can
be read here: http://bugzilla.globus.org/bugzilla/show_bug.cgi?id=5279

In addition, we've provided a job manager configuration option to
optionally disable the Nexus ports. Administrators can add
-duct disable to the job manager configuration file to disable the
vulnerable TCP ports.

Options:

There are 3 new GT packages available for download at
http://www.globus.org/toolkit/advisories.html

- globus_nexus-6.7.tar.gz
     This package contains the modification to Nexus to use GSI with
     self authorization on TCP sockets by default.

     http://bugzilla.globus.org/globus/show_bug.cgi?id=5297

- globus_gssapi-4.11.tar.gz
     This package fixes a deadlock in GSI activation when built with
     threads.
     http://bugzilla.globus.org/bugzilla/show_bug.cgi?id=5279

- globus_gram_job_manager-6.11.tar.gz [Optional]
     This package contains updates to disable the communication
     channel used for MPICH-G2 jobs (a.k.a. Nexus ports). If you don't
     take this package but you do take the other portion of the
     security update, these communication channels will be secure:
     this package is not strictly needed.

     If you are unsure whether or not your users use MPICH-G2, you can
     safely ignore this package. If you are sure they do not, you can
     use this update to disable these ports for an extra ounce of
     preventative care.

These packages will need to be recompiled (order doesn't matter since
there's no interface differences).

MPICH installations do not need to be recompiled; however, any
statically linked MPICH-G applications will need to be recompiled
before they can be submitted to GRAM2 services.

GRAM2 clients (e.g. globusrun) do not need to be recompiled.

SHA1 checksums:
2ce524fa91e46c6b1a0b171d07156cda3983b5ec  globus_nexus-6.7.tar.gz
ab2c53ba3972ed130549755bd87e79feb8080091  globus_gssapi_gsi-4.11.tar.gz
f914a848bf47e9306866ab99e4ac99d82d2deddc  globus_gram_job_manager-6.11.tar.gz

MD5 checksums:
b4cc4aaf3f3d90099836b903714d3924  globus_nexus-6.7.tar.gz
b694de73bb3dba699e16fba096e560e6  globus_gssapi_gsi-4.11.tar.gz
bc11f0ddb973b047d63829139b28df45  globus_gram_job_manager-6.11.tar.gz

Note the comment on MPICH-G2 applications: MPICH installations themselves do not need to be rebuilt, but any statically linked MPICH-G2 application must be recompiled before it can be submitted to the updated GRAM 2 service.
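Sites that fetch the three tarballs from globus.org by hand (rather than letting pacman pull the VDT packages, as in the procedure below) should check the downloads against the SHA1 and MD5 sums the advisory publishes before building. The following shell script is an added example, not code from the VDT page or from Globus; it reads a manifest in the advisory's own "<hash>  <filename>" format and assumes GNU coreutils sha1sum and md5sum are on the PATH. The files and hashes in the demonstration at the bottom are constructed for illustration and are not the real tarballs.

```shell
#!/bin/sh
# Added example, not part of the VDT page or the Globus advisory: check
# downloaded GT update tarballs against the checksums the advisory publishes
# before building them. Assumes GNU coreutils sha1sum/md5sum are on PATH.
#
# verify_manifest ALGO MANIFEST DIR
#   ALGO      "sha1" or "md5"
#   MANIFEST  file of lines in the advisory's own format: "<hash>  <filename>"
#   DIR       directory holding the downloaded tarballs
# Prints one line per manifest entry and returns 0 only if every listed file
# is present and its digest matches; a missing or altered file returns 1.
verify_manifest() {
    algo=$1; manifest=$2; dir=$3
    status=0
    while read -r expected name; do
        [ -n "$name" ] || continue              # skip blank lines
        path="$dir/$name"
        if [ ! -f "$path" ]; then
            echo "MISSING  $name"
            status=1
            continue
        fi
        # sha1sum/md5sum print "<digest>  <file>"; keep only the digest
        actual=$("${algo}sum" "$path" | cut -d' ' -f1)
        if [ "$actual" = "$expected" ]; then
            echo "OK       $name"
        else
            echo "MISMATCH $name (expected $expected, got $actual)"
            status=1
        fi
    done < "$manifest"
    return $status
}

# Demonstration on constructed input (NOT the real tarballs or their sums):
# the first file matches its manifest entry, the second has been altered so
# its digest no longer matches, and the third is listed but absent.
demo_dir=$(mktemp -d)
printf 'hello\n'    > "$demo_dir/globus_nexus-6.7.tar.gz"
printf 'tampered\n' > "$demo_dir/globus_gssapi_gsi-4.11.tar.gz"
cat > "$demo_dir/advisory.sha1" <<'EOF'
f572d396fae9206628714fb2ce00f72e94f2258f  globus_nexus-6.7.tar.gz
f572d396fae9206628714fb2ce00f72e94f2258f  globus_gssapi_gsi-4.11.tar.gz
f914a848bf47e9306866ab99e4ac99d82d2deddc  globus_gram_job_manager-6.11.tar.gz
EOF
verify_manifest sha1 "$demo_dir/advisory.sha1" "$demo_dir" \
    || echo "refusing to build: at least one tarball failed verification"
rm -rf "$demo_dir"
```

Run it with the advisory's SHA1 block saved to a file and the tarballs in one directory, then repeat with the MD5 block; only build the packages if both runs return 0. Checking the digest before untarring is what protects you against a tampered mirror or a truncated download, which a successful `tar` extraction alone would not reveal.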

Solution

The VDT took only the two required updates (globus_nexus-6.7 and globus_gssapi-4.11) and not the optional update (globus_gram_job_manager-6.11), so the Nexus ports remain open but are now restricted by GSI self authorization to the user who submitted the job. You can get the updates for VDT 1.6.1 by running the following commands. (Lines beginning with # are comments; do not type them.)

# Precursor steps
> cd $VDT_LOCATION
> . setup.sh          # or: source setup.csh

# Turn off running services
> vdt-control --off globus-gatekeeper
> vdt-control --off gsiftp

# Install the update
> pacman -update Globus-Base-Essentials
> pacman -update Globus-Base-RM-Essentials

# Turn services back on
> vdt-control --on globus-gatekeeper
> vdt-control --on gsiftp

If you have installed the Globus-Base-SDK package, which allows you to compile programs that link against Globus, you can update it as well. This is not needed to secure your Globus GRAM installation; it is only needed for developers building applications (including anyone recompiling statically linked MPICH-G2 applications):

> cd $VDT_LOCATION
> . setup.sh          # or: source setup.csh
> pacman -update Globus-Base-SDK

Questions

Please contact vdt-support@opensciencegrid.org if you have any questions.