ISS X-Force Database: globus-grid-proxy-race-condition(28408): Globus Toolkit grid-proxy-init race condition

Globus Toolkit grid-proxy-init race condition

globus-grid-proxy-race-condition (28408)

Medium Risk

Description:

Globus Toolkit could allow a local attacker to obtain sensitive information, caused by a race condition in the GSI Proxy generation tool (grid-proxy-init) between the opening of the proxy credentials file and the file permissions verification. A local attacker could exploit this vulnerability to obtain proxy credentials.

Platforms Affected:

Globus Project and Globus Toolkit, Globus Toolkit 3.2x
Globus Project and Globus Toolkit, Globus Toolkit 4.0.x
Globus Project and Globus Toolkit, Globus Toolkit 4.1.0

Remedy:

Upgrade to the latest version of Globus Toolkit (3.2.1 or later) or (4.0.2 or later or later), available from the Globus Toolkit Web site. See References.

Consequences:

Obtain Information

References:

Globus Security-Announce Mailing List, Tue, 15 Aug 2006 13:02:12 -0500 (CDT) , Proxy Generation Tool Vulnerability at http://www.globus.org/mail_archive/security-announce/2006/08/msg00000.html.
Globus Toolkit Web site, Globus Toolkit 4.0.2 Download at http://www.globus.org/toolkit/downloads/4.0.2/.
BID-19549: Globus Toolkit Multiple Local Temporary File Handling Vulnerabilities
CVE-2006-4232: Race condition in the grid-proxy-init tool in Globus Toolkit 3.2.x, 4.0.x, and 4.1.0 before 20060815 allows local users to steal credential data by replacing the proxy credentials file in between file creation and the check for exclusive file access.
SA21516: Globus Toolkit Multiple Vulnerabilities
VUPEN/ADV-2006-3290: Globus Toolkit Local Information Disclosure and Multiple File Manipulation Vulnerabilities

Reported:

Aug 15, 2006

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net

Return to the main page