VDB
EN
HIGH 8.1

GHSA-vg99-gr89-qhw9

DIRAC: Pilot code downloaded over unverified HTTPS connection

상세

### Summary The second stage pilot (pilot.tar) is downloaded by the initial wrapper script without any verification of the webservers' SSL certificate and the contained script is subsequently executed. The checksum is tested, but the reference checksum file is downloaded over the same unvalidated channel.

### Details The pilot wrapper downloads and executes the main second stage pilot script, but the SSL validation on this connection is explicitly disabled (to match old python < 2.7.9 behaviour): https://github.com/DIRACGrid/DIRAC/blob/integration/src/DIRAC/WorkloadManagementSystem/Utilities/PilotWrapper.py#L292-L296

This means that the second stage pilot code is not verified in any way and could potentially be altered by a man-in-the-middle attack to execute arbitrary code in the pilot context (i.e. with access to the pilot proxy/credentials).

The HTTPS connection should be validated against both the system certificates and $X509_CERT_DIR and fail if neither validate correctly.

### Impact This would require a man-in-the-middle style attack against a grid site's network (i.e. changing the DNS or routing to redirect the pilot's connection); this is likely to be difficult which probably limits the potential impact.

### Patched versions: https://pypi.org/project/DIRAC/8.0.79/ https://pypi.org/project/DIRAC/9.0.22/ https://pypi.org/project/DIRAC/9.1.10/

이 버전이 영향받나요?

사용 중인 패키지 버전을 입력하면 즉시 평가합니다.

영향 패키지

PyPI / dirac
최초 영향 버전: 6.20.1 수정 버전: 8.0.79
수정 pip install --upgrade 'dirac>=8.0.79'
PyPI / dirac
최초 영향 버전: 8.1.0a1 수정 버전: 9.0.22
수정 pip install --upgrade 'dirac>=9.0.22'
PyPI / dirac
최초 영향 버전: 9.1.0 수정 버전: 9.1.10
수정 pip install --upgrade 'dirac>=9.1.10'

참고