[security-announce] Globus Security Advisory 2011-01: myproxy-logon identity checking of server

Jim Basney jbasney at ncsa.uiuc.edu
Tue Jan 18 09:24:40 CST 2011


http://grid.ncsa.illinois.edu/myproxy/security/myproxy-adv-2011-01.txt

Original issue date: January 18 2011
Last revised: None

Software affected: MyProxy v5.0 4 Dec 2009
                   MyProxy v5.1 9 Mar 2010
                   MyProxy v5.2 22 Jun 2010
                   Globus Toolkit 5.0.0, 5.0.1, and 5.0.2

Overview:

The myproxy-logon program in MyProxy versions 5.0 through 5.2 does not
enforce the check that the myproxy-server's certificate contains the
expected hostname or identity. The impacted MyProxy versions are
included in Globus Toolkit releases 5.0.0-5.0.2. This issue is addressed
in MyProxy 5.3.

I. Description

The myproxy-logon program (also called myproxy-get-delegation) in
MyProxy versions 5.0 through 5.2 does not abort the connection when the
myproxy-server's certificate is valid and signed by a trusted
certification authority but does not contain the expected hostname (or
the identity given in the MYPROXY_SERVER_DN environment variable). The
identity check is enforced only when the myproxy-logon -T or
myproxy-logon -b options are given.

Other MyProxy programs and libraries, including jGlobus MyProxy, are not
impacted. The issue is specific to the
myproxy-logon/myproxy-get-delegation program in MyProxy versions 5.0
through 5.2.
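As an added illustration (this is not MyProxy's code), the post-handshake identity check that a fixed client enforces: the certificate chain has already validated, so the only remaining question is whether the certificate names the server the user intended, either by the expected hostname or by the exact DN from MYPROXY_SERVER_DN. The 'host/' and 'myproxy/' CN forms and the long-to-short attribute mapping are assumptions, and the certificates are constructed.

```python
import ssl
from typing import Optional

# Long attribute names from ssl.getpeercert() mapped to the short names used in
# OpenSSL "oneline" DNs, the form a user would put in MYPROXY_SERVER_DN (assumed).
_SHORT_NAMES = {"countryName": "C", "organizationName": "O",
                "organizationalUnitName": "OU", "commonName": "CN"}

def subject_dn(cert: dict) -> str:
    """Render a getpeercert()-style subject as '/O=Example/CN=host/fqdn'."""
    parts = [f"{_SHORT_NAMES.get(k, k)}={v}" for rdn in cert.get("subject", ()) for k, v in rdn]
    return "/" + "/".join(parts)

def server_identity_matches(cert: dict, expected_host: str, expected_dn: Optional[str] = None) -> bool:
    """True only if the (already chain-validated) cert names the server we meant to reach.
    With an explicit DN (as from MYPROXY_SERVER_DN) require an exact match; otherwise accept the
    host as a DNS SAN or as a CN, including 'host/<fqdn>' and 'myproxy/<fqdn>' (assumed forms)."""
    if expected_dn is not None:
        return subject_dn(cert) == expected_dn
    host = expected_host.lower()
    accepted_cns = {host, f"host/{host}", f"myproxy/{host}"}
    if any(kind == "DNS" and value.lower() == host for kind, value in cert.get("subjectAltName", ())):
        return True
    return any(k == "commonName" and v.lower() in accepted_cns
               for rdn in cert.get("subject", ()) for k, v in rdn)

def verify_server_identity(cert: dict, expected_host: str, expected_dn: Optional[str] = None) -> None:
    """The step the affected versions skipped: abort on mismatch before any password is sent."""
    if not server_identity_matches(cert, expected_host, expected_dn):
        raise ssl.CertificateError(f"server certificate {subject_dn(cert)} does not match "
                                   f"expected identity {expected_dn or expected_host}")

# Constructed certificates in getpeercert() format (not real certificates).
GOOD_CERT = {"subject": ((("organizationName", "Example Grid"),),
                         (("commonName", "host/myproxy.example.org"),)),
             "subjectAltName": (("DNS", "myproxy.example.org"),)}
# Valid and CA-signed, but issued to a different host: where a hijacked DNS name
# would land the client, and where the affected versions carried on regardless.
OTHER_HOST_CERT = {"subject": ((("organizationName", "Example Grid"),),
                               (("commonName", "host/other.example.org"),)),
                   "subjectAltName": (("DNS", "other.example.org"),)}

if __name__ == "__main__":
    verify_server_identity(GOOD_CERT, "myproxy.example.org")
    try:
        verify_server_identity(OTHER_HOST_CERT, "myproxy.example.org")
    except ssl.CertificateError as err:
        print("rejected:", err)
```

In a real client, run verify_server_identity on ssl.SSLSocket.getpeercert() immediately after the handshake and before any credential is sent.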

II. Impact

The myproxy-logon program may be tricked into connecting to a
man-in-the-middle or malicious myproxy-server, through DNS hijacking or
similar attacks, potentially resulting in disclosure of the MyProxy
password and in myproxy-logon downloading a malicious end-entity or
proxy certificate.

III. Solution

MyProxy 5.3, which addresses this issue, is available for download from:

  http://grid.ncsa.illinois.edu/myproxy/download.html

Upgrade instructions are available at:

  http://grid.ncsa.illinois.edu/myproxy/install.html

Use 'myproxy-logon -V' to determine your installed MyProxy version:

  $ myproxy-logon -V
  myproxy-logon version MYPROXYv2 (v5.2 22 Jun 2010 PAM OCSP)

IV. Acknowledgments

This issue was discovered by Venkat Yekkirala (NCSA).

V. Checksums

  $ openssl sha1 < myproxy-5.3.tar.gz
  b9580e6e324cc6dceec18c477a76db4ac0d646af
  $ openssl md5 < myproxy-5.3.tar.gz
  fe3ac7f8992878e633351a0fafadf09c
