SOAP interfaces are vulnerable to XML Signature Element Wrapping attacks

Bug #746101 reported by Neil Soman
Affects              Status        Importance  Assigned to  Milestone
Eucalyptus           Fix Released  Undecided   Neil Soman
eucalyptus (Ubuntu)  Fix Released  Undecided   Unassigned
  Lucid              Fix Released  Undecided   Unassigned
  Maverick           Fix Released  Undecided   Unassigned
  Natty              Fix Released  Undecided   Unassigned
  Oneiric            Fix Released  Undecided   Unassigned

Bug Description

WS-Security policy implemented in CLC requires both a <Timestamp> and
the <Body> element to be signed. However, because the logic for verifying
signatures for these elements is decoupled from the application logic
that uses them, it's possible to put these elements in different
locations in a SOAP request in a way that the original signatures are
still valid, but the elements that are used by the application logic
are different. As a result, an attacker who is in possession of a
valid SOAP request to CLC can send (and execute with the privileges
of the original user) arbitrary commands to CLC.

WS-Security policy implemented in CC/NC does not require a
<Timestamp> element and does require for the <Body> to be signed. The
only elements that are signed are the WS-Addressing headers, namely
<To>, <Action> and <MessageID>. Because the logic for verifying the
signatures for these elements is decoupled from the logic that uses
them, wrapping attacks are also possible against these fields. As a
result, an attacker who is in possession of a valid SOAP request to
CC or NC can send to and execute arbitrary (supported) commands on
these components.
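
As an added illustration of the decoupling the report describes (example code written for this page, not Eucalyptus code): a position check a server can run after the XML Signature itself has been validated, pinning each signed element to the location the application logic actually reads. The SOAP layout, the `EXPECTED` policy and the sample envelopes are constructed assumptions for the example and carry no real signature values.

```python
import xml.etree.ElementTree as ET

NS = {"soap": "http://schemas.xmlsoap.org/soap/envelope/",
      "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
      "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
WSU_ID = "{%s}Id" % NS["wsu"]

# Hypothetical policy: where the application logic reads each signed element from.
EXPECTED = {"Timestamp": "./soap:Header/wsse:Security/wsu:Timestamp", "Body": "./soap:Body"}

def signed_elements_in_place(envelope_xml):
    """Return (ok, reason). Assumes the XML Signature was already verified;
    this only checks that what was signed is what the application will consume."""
    root = ET.fromstring(envelope_xml)
    with_id = [el for el in root.iter() if el.get(WSU_ID) is not None]
    by_id = {el.get(WSU_ID): el for el in with_id}
    if len(by_id) != len(with_id):          # duplicate Ids let verifier and app resolve different nodes
        return False, "duplicate wsu:Id"
    signed = set()
    for ref in root.iterfind(".//ds:Signature/ds:SignedInfo/ds:Reference", NS):
        uri = ref.get("URI", "")
        if not uri.startswith("#") or uri[1:] not in by_id:
            return False, "unresolvable Reference URI %r" % uri
        signed.add(id(by_id[uri[1:]]))      # identity of the node the signature covers
    for name, path in EXPECTED.items():
        found = root.findall(path, NS)
        if len(found) != 1:                 # exactly one candidate where the app looks
            return False, "%d %s elements at %s" % (len(found), name, path)
        if id(found[0]) not in signed:      # the signed copy lives somewhere else
            return False, "%s at %s is not the signed element" % (name, path)
    return True, "ok"

ENV = ('<soap:Envelope xmlns:soap="%(soap)s" xmlns:wsse="%(wsse)s" xmlns:wsu="%(wsu)s" xmlns:ds="%(ds)s">'
       '<soap:Header><wsse:Security>'
       '<wsu:Timestamp wsu:Id="TS-1"><wsu:Created>2011-03-30T00:00:00Z</wsu:Created></wsu:Timestamp>'
       '<ds:Signature><ds:SignedInfo><ds:Reference URI="#TS-1"/><ds:Reference URI="#Body-1"/>'
       '</ds:SignedInfo></ds:Signature>%%s</wsse:Security></soap:Header>%%s</soap:Envelope>') % NS
SIGNED_BODY = '<soap:Body wsu:Id="Body-1"><DescribeInstances/></soap:Body>'
# Constructed samples: the original request, and the same signed Body relocated under a
# wrapper in the header while an unsigned Body sits where the application reads it.
GOOD = ENV % ("", SIGNED_BODY)
WRAPPED = ENV % ("<Wrapper>" + SIGNED_BODY + "</Wrapper>", "<soap:Body><TerminateInstances/></soap:Body>")

if __name__ == "__main__":
    print(signed_elements_in_place(GOOD))     # (True, 'ok')
    print(signed_elements_in_place(WRAPPED))  # (False, 'Body at ./soap:Body is not the signed element')
```

Cryptographic verification alone accepts both envelopes, since the referenced `Body-1` is intact in each; only the position check tells them apart.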

Kees Cook (kees) wrote :

This is CVE-2011-0730

Dave Walker (davewalker)
Changed in eucalyptus (Ubuntu Oneiric):
status: New → In Progress
Changed in eucalyptus (Ubuntu Natty):
status: New → In Progress
Changed in eucalyptus (Ubuntu Maverick):
status: New → In Progress
Changed in eucalyptus (Ubuntu Lucid):
status: New → In Progress
Changed in eucalyptus:
assignee: nobody → Neil Soman (neilsoman)
Jamie Strandboge (jdstrand) wrote :
visibility: private → public
Changed in eucalyptus:
status: New → Fix Released
Changed in eucalyptus (Ubuntu Lucid):
status: In Progress → Fix Committed
Changed in eucalyptus (Ubuntu Maverick):
status: In Progress → Fix Committed
Changed in eucalyptus (Ubuntu Natty):
status: In Progress → Fix Committed
Changed in eucalyptus (Ubuntu Lucid):
status: Fix Committed → Fix Released
Changed in eucalyptus (Ubuntu Maverick):
status: Fix Committed → Fix Released
Changed in eucalyptus (Ubuntu Natty):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package eucalyptus - 2.0.1+bzr1256-0ubuntu6

---------------
eucalyptus (2.0.1+bzr1256-0ubuntu6) oneiric; urgency=low

  [ Dave Walker ]
  * SECURITY UPDATE: SOAP signature replay vulnerability.
    - add debian/patches/27-soap-security.patch, thanks to upstream.
    - CVE-2011-0730
    - LP: #746101
 -- Jamie Strandboge <email address hidden> Thu, 26 May 2011 10:21:56 -0500

Changed in eucalyptus (Ubuntu Oneiric):
status: In Progress → Fix Released