Title: EGI SVG Advisory [TLP:White] 'Low' risk dCache WebDAV interface XXE
vulnerability [EGI-SVG-2015-10121]
Date: 2016-06-20
Updated:
Affected Software and Risk
==========================
LOW risk XXE vulnerability concerning dCache WebDAV interface
Package : dCache
Actions Required/Recommended
============================
Sites are recommended to update relevant components in due course.
Affected software Details.
==========================
dCache versions affected:
2.10.45 or earlier,
2.11.36 or earlier,
2.12.25 or earlier,
2.13.13 or earlier,
2.14.1 or earlier.
dCache versions not affected:
2.10.46 or later,
2.11.37 or later,
2.12.26 or later,
2.13.14 or later,
2.14.2 or later,
2.15.0 or later
More information
================
WebDAV is a protocol, based on HTTP, that makes use of XML as a
machine-readable format. The XML External Entity (XXE) processing feature of
XML make services that use it, like WebDAV, potentially vulnerable to attacks.
An XXE problem was identified with the Milton library. dCache uses this library
to process WebDAV requests.
More information on the XML External Entity Vulnerability is available at [R 1]
Details from the dCache team:--
We've been notified of a vulnerability in dCache WebDAV interface.
Background:
WebDAV is a protocol, based on HTTP, that makes use of XML as a
machine-readable format. The XML External Entity (XXE) processing
feature of XML make services that use it, like WebDAV, potentially
vulnerable to attacks.
The problem:
An XXE problem was identified with the Milton library. dCache uses this
library to process WebDAV requests.
The following has been announced to the milton library users mailing list:
Milton Security Vulnerability Notice
A security vulnerability has been discovered in Milton and a
fixed update is available.
This email is being sent from milton.io to customers who
have registered or previously submitted a contact request
through the milton website. If you're not the technical
contact please pass this message on as appropriate.
Details of the security vulnerability
The XML parser used in within the Milton framework allows
general entities to be parsed, which allows remote files
to be loaded. This means that XML requests such as PROPFIND
and REPORT can include DOCTYPE delcarations which
reference external entities and the parse will attempt to
retrieve them.
This was previously patched for external entities, but this
new vulnerability has been discovered which affected
general entities
https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing
http://www.brainbell.com/tutors/XML/XML_Book_B/External_Parsed_General_Entities.htm
This leads to the following issues:
Port scan
XML DOCTYPE definitions and entities (external / parameter) may
be abused to scan the internal network where the
vulnerable application is located. An attacker may supply
a protocol, an IP address followed by the port to scan. E.g.:
http://10.11.12.13 [lookup IP][Add IP]:1204
While creating a DOM the vulnerable parser will resolve the
given URL. Depending on the response times and behaviour of
the application using Milton it might be guessed which ports
on the specified host are open. This may as well be abused to
determine, which ports aren’t blocked by the outgoing
firewall.
Server Side Request Forgery
XML DOCTYPE definitions and entities (external / parameter) may
be abused to trigger requests on other systems, which may not
be directly reachable by the attacker but are reachable by
the vulnerable application. This means that an adversary
might attack internal systems where no access would have
been possible without the SSRF vulnerability.
XML External Entity Attacks
XML External Entities allow the XML Parser to include
external resources. These resources may reside
on the local system or the network.
Resolution
Milton 2.7.0.3 [lookup IP][Add IP] has been release hardens the configuration
of the parsers so they will not attempt to retrieve remote resources. You
should apply this release to your affected systems as soon as possible.
The next cycle of dCache releases will update the milton library to the
recommended version. We can do this "silently" to allow us to prepare a
reasonable advisory.
Here is our assessment of the vulnerabilities:
Both the port scan and the "XML External Entity (XXE)" attacks requires
the server to "echo" part of the request in the response. The current
mechanisms to achieve this is via user-controlled properties (i.e.,
arbitrary metadata), which dCache does not support. Unless some other
mechanism is found, dCache is NOT vulnerable to port-scan or XXE attacks.
The "Server Side Request Forgery" attack is possible, but the response
will not be accessible to the attacker. This could be used to attempt a
Denial-of-Service attack on services accessible from dCache WebDAV door
or trigger some activity, but cannot be used to obtain protected
information.
Mitigation
==========
N/A
Component installation information
==================================
The official repository for the distribution of grid middleware for EGI sites
is repository.egi.eu which contains the EGI Unified Middleware Distribution
(UMD).
Sites using the EGI UMD 4 should see:
http://repository.egi.eu/category/umd_releases/distribution/umd-4/
dCache version 2.13.28 is available in UMD-4.1.0
http://repository.egi.eu/2016/05/27/release-umd-4-1-0/
Sites using the EGI UMD 3 should see:
http://repository.egi.eu/category/umd_releases/distribution/umd-3/
dCache version 2.10.56 is available in UMD-3.14.2
Sites who wish to install directly from the dCache site, which includes all
patched versions should see:
https://www.dcache.org/downloads/IAgree.shtml
TLP and URL
===========
** WHITE information - Unlimited distribution **
** see https://go.egi.eu/tlp for distribution restrictions**
URL: https://advisories.egi.eu/2015/Advisory-SVG-2015-10121
Minor updates may be made without re-distribution to the sites
Credit
======
This vulnerability was reported by Paul Miller from dCache
References
==========
[R 1] https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing
Comments
========
Comments or questions should be sent to svg-rat at mailman.egi.eu
If you find or become aware of a vulnerability which is relevant to EGI you may
report it by e-mail to
report-vulnerability at egi.eu
the EGI Software Vulnerability Group will take a look.
Timeline
========
Yyyy-mm-dd [EGI-SVG-2015-10121]
2015-12-01 Vulnerability reported by Paul Miller
2015-12-01 Acknowledgement from the EGI SVG to the reporter
2015-12-10 EGI SVG Risk Assessment completed
2015-12-10 Assessment by the EGI Software Vulnerability Group reported to the
software providers
2016-06-08 Updated packages available at dCache sites and in UMD 4
2016-06-16 Updated packages available in UMD 3
2016-06-20 Advisory/Alert sent to sites
2016-06-20 Public disclosure
On behalf of the EGI SVG,