MyProxy SSL Certificate Validation Security Bypass Vulnerability

2011.02.03
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-20


CVSS Base Score: 4.3/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: Not required
Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

Globus Security Advisory 2011-01: myproxy-logon identity checking of server
http://grid.ncsa.illinois.edu/myproxy/security/myproxy-adv-2011-01.txt

Original issue date: January 18 2011
Last revised: None

Software affected:
MyProxy v5.0 4 Dec 2009
MyProxy v5.1 9 Mar 2010
MyProxy v5.2 22 Jun 2010
Globus Toolkit 5.0.0, 5.0.1, and 5.0.2

Overview:

The myproxy-logon program in MyProxy versions 5.0 through 5.2 does not enforce the check that the myproxy-server's certificate contains the expected hostname or identity. The impacted MyProxy versions are included in Globus Toolkit releases 5.0.0-5.0.2. This issue is addressed in MyProxy 5.3.

I. Description

The myproxy-logon program (also called myproxy-get-delegation) in MyProxy versions 5.0 through 5.2 does not abort connections when it finds that the myproxy-server's certificate is valid and signed by a trusted certification authority but the certificate does not contain the expected hostname (or identity given in the MYPROXY_SERVER_DN environment variable), unless the myproxy-logon -T or myproxy-logon -b options are given. Other MyProxy programs and libraries, including jGlobus MyProxy, are not impacted. The issue is specific to the myproxy-logon and myproxy-get-delegation programs in MyProxy versions 5.0 through 5.2.

II. Impact

The myproxy-logon program may be tricked into connecting to a man-in-the-middle or malicious myproxy-server, through DNS hijacking or similar attacks, potentially resulting in disclosure of the MyProxy password and download of a malicious end entity or proxy certificate by myproxy-logon.

III. Solution

MyProxy 5.3, which addresses this issue, is available for download from:
http://grid.ncsa.illinois.edu/myproxy/download.html

Upgrade instructions are available at:
http://grid.ncsa.illinois.edu/myproxy/install.html

Use 'myproxy-logon -V' to determine your installed MyProxy version:

$ myproxy-logon -V
myproxy-logon version MYPROXYv2 (v5.2 22 Jun 2010 PAM OCSP)

IV. Acknowledgments

This issue was discovered by Venkat Yekkirala (NCSA).

V. Checksums

$ openssl sha1 < myproxy-5.3.tar.gz
b9580e6e324cc6dceec18c477a76db4ac0d646af

$ openssl md5 < myproxy-5.3.tar.gz
fe3ac7f8992878e633351a0fafadf09c
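The defect described in section I is the gap between two distinct checks: chain validation (is this certificate signed by a CA I trust?) and identity validation (does this certificate name the server I meant to reach?). The following is an added illustration, not MyProxy or Globus code, of the second check done as a client-side rule: the certificate dicts are constructed in the shape Python's ssl.SSLSocket.getpeercert() returns, the expected-DN comparison mirrors the role of MYPROXY_SERVER_DN, and the 'host/' and 'myproxy/' commonName prefixes are assumed to follow the usual Globus service-certificate style. A rogue certificate from the same trusted CA passes chain validation but is rejected here because it does not name the intended host.

```python
"""Peer identity check of the kind myproxy-logon 5.0-5.2 omitted.

Chain validation only proves that *some* trusted CA issued the certificate;
the client must separately confirm the certificate names the server it
intended to talk to. Added example, not MyProxy code; the sample certificate
dicts below are constructed in the shape ssl.SSLSocket.getpeercert() returns.
"""
import socket
import ssl

# Constructed sample: what the genuine myproxy-server presents.
LEGIT_CERT = {
    "subject": ((("organizationName", "Example Grid"),),
                (("commonName", "myproxy.example.org"),)),
    "subjectAltName": (("DNS", "myproxy.example.org"),),
}

# Constructed sample: issued by the same trusted CA but for another host.
# Chain validation alone would accept it; the identity check must not.
ROGUE_CERT = {
    "subject": ((("organizationName", "Example Grid"),),
                (("commonName", "other.example.org"),)),
    "subjectAltName": (("DNS", "other.example.org"), ("DNS", "*.attacker.example")),
}

# Constructed sample: older Globus-style host certificate with no SAN.
LEGACY_HOST_CERT = {
    "subject": ((("organizationName", "Example Grid"),),
                (("commonName", "host/myproxy.example.org"),)),
}

SERVICE_PREFIXES = ("host/", "myproxy/")  # assumed Globus CN naming convention


def subject_dn(cert):
    """Render the subject as an OpenSSL-style '/O=.../CN=...' string, the
    form an operator would put in MYPROXY_SERVER_DN."""
    short = {"countryName": "C", "organizationName": "O",
             "organizationalUnitName": "OU", "commonName": "CN"}
    parts = [f"{short.get(attr, attr)}={value}"
             for rdn in cert.get("subject", ()) for attr, value in rdn]
    return "/" + "/".join(parts)


def candidate_names(cert):
    """Host names the certificate claims: SAN dNSName entries if present,
    otherwise the CN with any service prefix stripped."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if names:
        return names
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                for prefix in SERVICE_PREFIXES:
                    if value.startswith(prefix):
                        value = value[len(prefix):]
                return [value]
    return []


def name_matches(pattern, host):
    """RFC 6125-style comparison: case-insensitive; '*' allowed only as the
    entire leftmost label and it matches exactly one label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    p_labels, h_labels = pattern.split("."), host.split(".")
    if len(p_labels) != len(h_labels) or len(p_labels) < 2:
        return pattern == host
    if p_labels[0] == "*":
        return p_labels[1:] == h_labels[1:]
    return pattern == host


def peer_matches(cert, expected_host, expected_dn=None):
    """The missing check. With expected_dn set (the MYPROXY_SERVER_DN case)
    the subject must equal it exactly; otherwise some name in the
    certificate must match the host we connected to."""
    if expected_dn is not None:
        return subject_dn(cert) == expected_dn
    return any(name_matches(n, expected_host) for n in candidate_names(cert))


def connect_verified(host, port=7512, expected_dn=None, cafile=None):
    """Plain TLS client (not the MyProxy protocol) that does chain validation
    AND the identity check, aborting on mismatch. 7512 is MyProxy's default
    port. Network call; not exercised by the offline checks."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False            # identity check is done by peer_matches
    ctx.verify_mode = ssl.CERT_REQUIRED   # chain validation stays mandatory
    sock = ctx.wrap_socket(socket.create_connection((host, port)),
                           server_hostname=host)
    cert = sock.getpeercert()
    if not peer_matches(cert, host, expected_dn):
        sock.close()
        raise ssl.SSLError(f"server certificate {subject_dn(cert)!r} does not name {host}")
    return sock


if __name__ == "__main__":
    for label, cert in (("legit", LEGIT_CERT), ("rogue", ROGUE_CERT),
                        ("legacy", LEGACY_HOST_CERT)):
        verdict = "accept" if peer_matches(cert, "myproxy.example.org") else "REJECT"
        print(f"{label:7s} {subject_dn(cert):45s} -> {verdict}")
```

The design point is that the identity rule is evaluated against the name the user typed (or the DN the user configured), never against anything the peer sent, so a DNS hijack that steers the connection to a server holding a different, validly issued certificate still fails the check.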

References:

http://lists.globus.org/pipermail/security-announce/2011-January/000018.html
http://xforce.iss.net/xforce/xfdb/64830
http://www.securityfocus.com/bid/45916
http://secunia.com/advisories/43103
http://secunia.com/advisories/42972
http://osvdb.org/70494
http://lists.fedoraproject.org/pipermail/package-announce/2011-January/053473.html
http://lists.fedoraproject.org/pipermail/package-announce/2011-January/053461.html
http://grid.ncsa.illinois.edu/myproxy/security/myproxy-adv-2011-01.txt

