RedHat CVE and New CentOS Kernel
Posted August 25, 2016 - permalink
August 23rd marked the release of a new CentOS kernel:
Our read of the CVE does not find any issue of concern specific to the toolkit. Its possible the host may be vulnerable to some types of DoS attacks in some particular cases. New web100 kernel packages are now available for users of the perfSONAR toolkit. You may run 'yum update' to grab the new kernel. You should restart your host after the upgrade completes.
Project Statement on DEFCON perfSONAR Presentation
Posted August 10, 2016 - Permalink
At the DEFCON conference in Las Vegas last week, Luke Young gave a presentation entitled Attacking Network Infrastructure to Generate a 4 Tb/s DDOS for $5 which outlined a trio of vulnerabilities in perfSONAR. The development team has fielded questions about it, so for everyone’s benefit, here is a summary of the vulnerabilities and the current status of each:
- Remote command execution (RCE) in a CGI script: This vulnerability was discovered earlier and eliminated when perfSONAR 3.5.1 was released in March.
- XML external entity (XXE) in OPPD: This vulnerability required that OPPD be running as the superuser, which is not its usual mode of operation. Launching an attack of the magnitude described in the presentation would require that configuration on a large number of nodes. It was eliminated within hours of Mr. Young making us aware of its existence, and the updated software was announced the same day (July 7).
- Privilege escalation in the configuration daemon: This vulnerability required shell access to the system to exploit. It was eliminated within hours of Mr. Young making us aware of its existence, and the updated software was announced the same day (July 7).
All auto-updating perfSONAR systems were no longer subject to exploits of these vulnerabilities as of July 7.
The development team will continue to be on the lookout for bugs in perfSONAR and will continue to promptly patch those we discover or are brought to our attention. We would like to thank Mr. Young for sharing his discoveries with us.
- July 7 patch announcement
- Archive of perfSONAR vulnerabilities which have been discovered and patched
- Mr. Young’s presentation (on the DEFCON web site)
Important httpd update
Posted July 20, 2016 - permalink
An important CVE has been announced regarding the Apache web server package and we recommend users update as soon as possible. Details from RedHat, Debian, and Ubuntu can be found below:
It does NOT appear that perfSONAR is directly affected by this issue. The vulnerability affects apache web servers running CGI scripts in certain languages. Perl (which is the language perfSONAR uses in its CGI scripts) does not appear to be affected, but in order to exercise maximum caution we wanted to make people aware of the issue and suggest they update. For languages that are affected, the attacker can set a proxy in the HTTP header of a request and force the host to forward information to remote server of the attackers choosing.
If you are running auto-updates, you likely already have the fix. Otherwise running “yum update httpd” on CentOS/RedHat or "apt-get update && apt-get upgrade apache2" on Debian/Ubuntu should resolve the issue (no restarts required). Please let us know if you have any questions.
New perfSONAR Training Videos Released
Posted July 18, 2016 - permalink
The Department of Energy’s Energy Sciences Network (ESnet), and the Network Startup Resource Center (NSRC) at the University of Oregon have teamed up to create an extensive video training library to help organizations improve the performance of their networks by deploying the perfSONAR network measurement tools and the Science DMZ network architecture.
The library can be found here:
A news release on this project can be found here: http://es.net/news-and-publications/esnet-news/2016/new-training-videos-leverage-esnet-s-expertise-to-improve-network-performance-around-the-world/