MyProxy SSL Certificate Validation Security Bypass Vulnerability

Risk: Medium
Local: No
Remote: Yes

CVSS Base Score: 4.3/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

Globus Security Advisory 2011-01: myproxy-logon identity checking of server Original issue date: January 18 2011 Last revised: None Software affected: MyProxy v5.0 4 Dec 2009 MyProxy v5.1 9 Mar 2010 MyProxy v5.2 22 Jun 2010 Globus Toolkit 5.0.0, 5.0.1, and 5.0.2 Overview: The myproxy-logon program in MyProxy versions 5.0 through 5.2 does not enforce the check that the myproxy-server's certificate contains the expected hostname or identity. The impacted MyProxy versions are included in Globus Toolkit releases 5.0.0-5.0.2. This issue is addressed in MyProxy 5.3. I. Description The myproxy-logon program (also called myproxy-get-delegation) in MyProxy versions 5.0 through 5.2 does not abort connections when it finds that the myproxy-server's certificate is valid and signed by a trusted certification authority but the certificate does not contain the expected hostname (or identity given in the MYPROXY_SERVER_DN environment variable), unless the myproxy-logon -T or myproxy-logon -b options are given. Other MyProxy programs and libraries, including jGlobus MyProxy, are not impacted. The issue is specific to the myproxy-logon and myproxy-get-delegation programs in MyProxy versions 5.0 through 5.2. II. Impact The myproxy-logon program may be tricked into connecting to a man-in-the-middle or malicious myproxy-server, through DNS hijacking or similar attacks, potentially resulting in disclosure of the MyProxy password and download of a malicious end entity or proxy certificate by myproxy-logon. III. Solution MyProxy 5.3, which addresses this issue, is available for download from: Upgrade instructions are available at: Use 'myproxy-logon -V' to determine your installed MyProxy version: $ myproxy-logon -V myproxy-logon version MYPROXYv2 (v5.2 22 Jun 2010 PAM OCSP) IV. Acknowledgments This issue was discovered by Venkat Yekkirala (NCSA). V. Checksums $ openssl sha1 < myproxy-5.3.tar.gz b9580e6e324cc6dceec18c477a76db4ac0d646af $ openssl md5 < myproxy-5.3.tar.gz fe3ac7f8992878e633351a0fafadf09c


Vote for this issue:


Thanks for you vote!


Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2021,


Back to Top