Globus Security Advisory 2011-01: myproxy-logon identity checking of server http://grid.ncsa.illinois.edu/myproxy/security/myproxy-adv-2011-01.txt Original issue date: January 18 2011 Last revised: None Software affected: MyProxy v5.0 4 Dec 2009 MyProxy v5.1 9 Mar 2010 MyProxy v5.2 22 Jun 2010 Globus Toolkit 5.0.0, 5.0.1, and 5.0.2 Overview: The myproxy-logon program in MyProxy versions 5.0 through 5.2 does not enforce the check that the myproxy-server's certificate contains the expected hostname or identity. The impacted MyProxy versions are included in Globus Toolkit releases 5.0.0-5.0.2. This issue is addressed in MyProxy 5.3. I. Description The myproxy-logon program (also called myproxy-get-delegation) in MyProxy versions 5.0 through 5.2 does not abort connections when it finds that the myproxy-server's certificate is valid and signed by a trusted certification authority but the certificate does not contain the expected hostname (or identity given in the MYPROXY_SERVER_DN environment variable), unless the myproxy-logon -T or myproxy-logon -b options are given. Other MyProxy programs and libraries, including jGlobus MyProxy, are not impacted. The issue is specific to the myproxy-logon and myproxy-get-delegation programs in MyProxy versions 5.0 through 5.2. II. Impact The myproxy-logon program may be tricked into connecting to a man-in-the-middle or malicious myproxy-server, through DNS hijacking or similar attacks, potentially resulting in disclosure of the MyProxy password and download of a malicious end entity or proxy certificate by myproxy-logon. III. Solution MyProxy 5.3, which addresses this issue, is available for download from: http://grid.ncsa.illinois.edu/myproxy/download.html Upgrade instructions are available at: http://grid.ncsa.illinois.edu/myproxy/install.html Use 'myproxy-logon -V' to determine your installed MyProxy version: $ myproxy-logon -V myproxy-logon version MYPROXYv2 (v5.2 22 Jun 2010 PAM OCSP) IV. Acknowledgments This issue was discovered by Venkat Yekkirala (NCSA). V. Checksums $ openssl sha1 < myproxy-5.3.tar.gz b9580e6e324cc6dceec18c477a76db4ac0d646af $ openssl md5 < myproxy-5.3.tar.gz fe3ac7f8992878e633351a0fafadf09c