Moab Insecure Message Signing Authentication Bypass

2014-09-30T00:00:00

Description

{"id": "PACKETSTORM:128485", "type": "packetstorm", "bulletinFamily": "exploit", "title": "Moab Insecure Message Signing Authentication Bypass", "description": "", "published": "2014-09-30T00:00:00", "modified": "2014-09-30T00:00:00", "cvss": {"vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:NONE/I:PARTIAL/A:NONE/", "score": 4.0}, "href": "https://packetstormsecurity.com/files/128485/Moab-Insecure-Message-Signing-Authentication-Bypass.html", "reporter": "Luke Jennings", "references": [], "cvelist": ["CVE-2014-5376"], "lastseen": "2016-12-05T22:25:04", "viewCount": 11, "enchantments": {"score": {"value": 0.7, "vector": "NONE"}, "dependencies": {}, "backreferences": {"references": [{"type": "cve", "idList": ["CVE-2014-5376"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:31194"]}]}, "exploitation": null, "vulnersScore": 0.7}, "sourceHref": "https://packetstormsecurity.com/files/download/128485/moab-signingbypass.txt", "sourceData": "`##[Moab Authentication Bypass (insecure message signing) : CVE-2014-5376]## \n \nSoftware: Moab \nAffected Versions: Dependent on configuration, can affect all versions of Moab including Moab 8 \nCVE Reference: CVE-2014-5376 \nAuthor: John Fitzpatrick, Luke Jennings MWR Labs (http://labs.mwrinfosecurity.com/) \nSeverity: High Risk \nVendor: Adaptive Computing \nVendor Response: Provided additional guidance in 7.2.9 release notes (MOAB-7480) \n \n \n##[Description] \nMoab provides two methods to authenticate messages sent by users (e.g. job submissions). The default scheme which is widely used is insecure and can be circumvented in order to impersonate other users and perform operations on their behalf. \n \n \n##[Impact] \n \nIt is possible to exploit this issue remotely in order to perform any operation on the server from the perspective of any user role. Examples include submitting jobs as arbitrary users (including as root), as well as reconfiguring the Moab server itself. \n \n \n##[Cause] \n \nThe default authentication mechanism does not perform sufficient validation that the user requesting the signing of a message is the owner of the message. \n \n \n##[Solution] \n \nMake use of moab.key files with a complex key value. \n \nAdaptive acknowledge this issue in the 7.2.9 release notes (MOAB-7480) as a known issue, stating: \n \n\"When installing or upgrading, it is strongly recommended that administrators configure Moab with mauth authentication with a complex key value. See Mauth Authentication (http://docs.adaptivecomputing.com/mwm/7-2-9/help.htm#a.esecurity.html%23mauth) for more information.\" \n \n \n##[Technical Details] \n \nMoab is a workload manager used in High Performance Computing (HPC) environments. In a typical environment a user submits their jobs to the Moab server for it to handle the workload. Moab communication makes use of an XML based protocol and these messages are signed with a key. An example message is shown below: \n \n<Envelope component=\"ClusterScheduler\" count=\"1\" name=\"moab\" type=\"nonblocking\" version=\"8.0.beta.2\"> \n<Signature> \n<DigestValue>7v49VzAlbyNQ4O3VChCus+v2LeE=</DigestValue> \n<SignatureValue>QG13cmxhYnMgRWFzdGVyIEVnZyE=</SignatureValue> \n</Signature> \n<Body actor=\"test\" timestamp=\"1408488412\"> \n<Request action=\"submit\" actor=\"test\" cmdline=\"\\STARTmsub\"> \n<Object>job</Object> \n<job> \n<Owner>test</Owner> \n<UserId>test</UserId> \n<GroupId>test</GroupId> \n<InitialWorkingDirectory>/home/test</InitialWorkingDirectory> \n<UMask>2</UMask> \n<Executable>/usr/bin/id</Executable> \n<SubmitLanguage>PBS</SubmitLanguage> \n<SubmitString>\\START/usr/bin/id\\0a\\0a</SubmitString> \n</job> \n</Request> \n</Body> \n</Envelope> \n \nOn receiving a message the server will generate a signature and ensure that it matches the <SignatureValue> element within the message. This signature is effectively computed in the following manner: \n \nsignature = f(messageBody,key) \n \nTherefore in order to communicate with the Moab server users must be able to compute valid signatures and two mechanisms are provided within Moab for achieving this: \n \n1. The use of .moab.key files (more secure) \n2. Use of a pre-generated key (insecure) - default \n \nWhere .moab.key files are used a SUID root binary (mauth) provides an interface to this key as well as a means for verifying that the user calling mauth matches the actor specified within the XML message being signed. \n \nWhere a pre-generated key is used mauth is not called and the generation of messages is performed entirely within the context of the calling user. There is no validation that the user requesting the signing of the message is the actor specified within the message. As a result where pre-generated keys are used it is possible to craft messages belonging to other users and to perform operations and submit jobs as other users. Simply patching the return value of calls to getuid() is sufficient to impersonate other users. \n \n \n##[Detailed Timeline] \n \n2014-01-21 : Detailed vulnerability information provided to Adaptive \n2014-08-27 : Full advisory provided to Adaptive \n2014-09-08 : Release of advisory to HPC community \n2014-09-25 : Public release of advisory \n \nhttp://labs.mwrinfosecurity.com \n`\n", "immutableFields": [], "cvss2": {}, "cvss3": {}, "_state": {"dependencies": 1645293198, "score": 1659770509}}

{"securityvulns": [{"lastseen": "2018-08-31T11:10:54", "bulletinFamily": "software", "cvelist": ["CVE-2014-5376"], "description": "\r\n\r\n##[Moab Authentication Bypass (insecure message signing) : CVE-2014-5376]##\r\n\r\nSoftware: Moab\r\nAffected Versions: Dependent on configuration, can affect all versions of Moab including Moab 8\r\nCVE Reference: CVE-2014-5376\r\nAuthor: John Fitzpatrick, Luke Jennings MWR Labs (http://labs.mwrinfosecurity.com/)\r\nSeverity: High Risk\r\nVendor: Adaptive Computing\r\nVendor Response: Provided additional guidance in 7.2.9 release notes (MOAB-7480) \r\n\r\n\r\n##[Description]\r\nMoab provides two methods to authenticate messages sent by users (e.g. job submissions). The default scheme which is widely used is insecure and can be circumvented in order to impersonate other users and perform operations on their behalf.\r\n\r\n\r\n##[Impact]\r\n\r\nIt is possible to exploit this issue remotely in order to perform any operation on the server from the perspective of any user role. Examples include submitting jobs as arbitrary users (including as root), as well as reconfiguring the Moab server itself.\r\n\r\n\r\n##[Cause]\r\n\r\nThe default authentication mechanism does not perform sufficient validation that the user requesting the signing of a message is the owner of the message.\r\n\r\n\r\n##[Solution]\r\n\r\nMake use of moab.key files with a complex key value.\r\n\r\nAdaptive acknowledge this issue in the 7.2.9 release notes (MOAB-7480) as a known issue, stating:\r\n\r\n"When installing or upgrading, it is strongly recommended that administrators configure Moab with mauth authentication with a complex key value. See Mauth Authentication (http://docs.adaptivecomputing.com/mwm/7-2-9/help.htm#a.esecurity.html%23mauth) for more information."\r\n\r\n\r\n##[Technical Details]\r\n\r\nMoab is a workload manager used in High Performance Computing (HPC) environments. In a typical environment a user submits their jobs to the Moab server for it to handle the workload. Moab communication makes use of an XML based protocol and these messages are signed with a key. An example message is shown below:\r\n\r\n<Envelope component="ClusterScheduler" count="1" name="moab" type="nonblocking" version="8.0.beta.2">\r\n <Signature>\r\n <DigestValue>7v49VzAlbyNQ4O3VChCus+v2LeE=</DigestValue>\r\n <SignatureValue>QG13cmxhYnMgRWFzdGVyIEVnZyE=</SignatureValue>\r\n </Signature>\r\n <Body actor="test" timestamp="1408488412">\r\n <Request action="submit" actor="test" cmdline="\STARTmsub">\r\n <Object>job</Object>\r\n <job>\r\n <Owner>test</Owner>\r\n <UserId>test</UserId>\r\n <GroupId>test</GroupId>\r\n <InitialWorkingDirectory>/home/test</InitialWorkingDirectory>\r\n <UMask>2</UMask>\r\n <Executable>/usr/bin/id</Executable>\r\n <SubmitLanguage>PBS</SubmitLanguage>\r\n <SubmitString>\START/usr/bin/id\0a\0a</SubmitString>\r\n </job>\r\n </Request>\r\n </Body>\r\n</Envelope>\r\n\r\nOn receiving a message the server will generate a signature and ensure that it matches the <SignatureValue> element within the message. This signature is effectively computed in the following manner:\r\n\r\nsignature = f(messageBody,key)\r\n\r\nTherefore in order to communicate with the Moab server users must be able to compute valid signatures and two mechanisms are provided within Moab for achieving this:\r\n\r\n1. The use of .moab.key files (more secure)\r\n2. Use of a pre-generated key (insecure) - default\r\n\r\nWhere .moab.key files are used a SUID root binary (mauth) provides an interface to this key as well as a means for verifying that the user calling mauth matches the actor specified within the XML message being signed.\r\n\r\nWhere a pre-generated key is used mauth is not called and the generation of messages is performed entirely within the context of the calling user. There is no validation that the user requesting the signing of the message is the actor specified within the message. As a result where pre-generated keys are used it is possible to craft messages belonging to other users and to perform operations and submit jobs as other users. Simply patching the return value of calls to getuid() is sufficient to impersonate other users. \r\n\r\n\r\n##[Detailed Timeline]\r\n\r\n2014-01-21 : Detailed vulnerability information provided to Adaptive \r\n2014-08-27 : Full advisory provided to Adaptive\r\n2014-09-08 : Release of advisory to HPC community\r\n2014-09-25 : Public release of advisory\r\n\r\nhttp://labs.mwrinfosecurity.com\r\n\r\n", "edition": 1, "modified": "2014-10-14T00:00:00", "published": "2014-10-14T00:00:00", "id": "SECURITYVULNS:DOC:31194", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:31194", "title": "Moab Authentication Bypass (insecure message signing) [CVE-2014-5376]", "type": "securityvulns", "cvss": {"score": 4.0, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2021-06-08T18:46:26", "description": "PHP inclusions, SQL injections, directory traversals, crossite scripting, information leaks, etc.", "edition": 2, "cvss3": {}, "published": "2014-10-14T00:00:00", "title": "Web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)", "type": "securityvulns", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2014-4958", "CVE-2014-5450", "CVE-2014-4737", "CVE-2014-5516", "CVE-2014-5375", "CVE-2014-7138", "CVE-2014-5258", "CVE-2014-6035", "CVE-2014-4735", "CVE-2014-6300", "CVE-2014-4954", "CVE-2014-4986", "CVE-2014-0103", "CVE-2014-5447", "CVE-2014-6034", "CVE-2014-4955", "CVE-2014-5451", "CVE-2014-5259", "CVE-2014-4348", "CVE-2014-4349", "CVE-2014-6036", "CVE-2014-7217", "CVE-2014-6243", "CVE-2014-6242", "CVE-2014-5376", "CVE-2014-1608", "CVE-2014-5273", "CVE-2014-5300", "CVE-2014-6315", "CVE-2014-5297", "CVE-2014-5449", "CVE-2014-5448", "CVE-2014-5460", "CVE-2014-4987", "CVE-2014-7295", "CVE-2014-1609", "CVE-2014-5274", "CVE-2014-7139", "CVE-2014-5298"], "modified": "2014-10-14T00:00:00", "id": "SECURITYVULNS:VULN:14008", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:14008", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "cve": [{"lastseen": "2022-03-23T13:43:12", "description": "Adaptive Computing Moab before 7.2.9 and 8 before 8.0.0, when a pre-generated key is used, does not validate that the requesting user matches the actor in the message, which allows remote authenticated users to impersonate arbitrary users via the actor field in a message.", "cvss3": {}, "published": "2014-10-08T19:55:00", "type": "cve", "title": "CVE-2014-5376", "cwe": ["CWE-20"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-5376"], "modified": "2018-10-09T19:50:00", "cpe": ["cpe:/a:adaptivecomputing:moab:7.2.8", "cpe:/a:adaptivecomputing:moab:8.0"], "id": "CVE-2014-5376", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-5376", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:N/I:P/A:N"}, "cpe23": ["cpe:2.3:a:adaptivecomputing:moab:7.2.8:*:*:*:*:*:*:*", "cpe:2.3:a:adaptivecomputing:moab:8.0:*:*:*:*:*:*:*"]}], "zdt": [{"lastseen": "2018-01-09T03:26:30", "description": "Moab suffers from an insecure message signing authentication bypass vulnerability. All versions up to 8 can be affected depending on the configuration.", "cvss3": {}, "published": "2014-09-30T00:00:00", "type": "zdt", "title": "Moab Workload Manage Insecure Message Signing Authentication Bypass Vulnerability", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2014-5376"], "modified": "2014-09-30T00:00:00", "id": "1337DAY-ID-22710", "href": "https://0day.today/exploit/description/22710", "sourceData": "##[Moab Authentication Bypass (insecure message signing) : CVE-2014-5376]##\r\n\r\nSoftware: Moab\r\nAffected Versions: Dependent on configuration, can affect all versions of Moab including Moab 8\r\nCVE Reference: CVE-2014-5376\r\nAuthor: John Fitzpatrick, Luke Jennings MWR Labs (http://labs.mwrinfosecurity.com/)\r\nSeverity: High Risk\r\nVendor: Adaptive Computing\r\nVendor Response: Provided additional guidance in 7.2.9 release notes (MOAB-7480) \r\n\r\n\r\n##[Description]\r\nMoab provides two methods to authenticate messages sent by users (e.g. job submissions). The default scheme which is widely used is insecure and can be circumvented in order to impersonate other users and perform operations on their behalf.\r\n\r\n\r\n##[Impact]\r\n\r\nIt is possible to exploit this issue remotely in order to perform any operation on the server from the perspective of any user role. Examples include submitting jobs as arbitrary users (including as root), as well as reconfiguring the Moab server itself.\r\n\r\n\r\n##[Cause]\r\n\r\nThe default authentication mechanism does not perform sufficient validation that the user requesting the signing of a message is the owner of the message.\r\n\r\n\r\n##[Solution]\r\n\r\nMake use of moab.key files with a complex key value.\r\n\r\nAdaptive acknowledge this issue in the 7.2.9 release notes (MOAB-7480) as a known issue, stating:\r\n\r\n\"When installing or upgrading, it is strongly recommended that administrators configure Moab with mauth authentication with a complex key value. See Mauth Authentication (http://docs.adaptivecomputing.com/mwm/7-2-9/help.htm#a.esecurity.html%23mauth) for more information.\"\r\n\r\n\r\n##[Technical Details]\r\n\r\nMoab is a workload manager used in High Performance Computing (HPC) environments. In a typical environment a user submits their jobs to the Moab server for it to handle the workload. Moab communication makes use of an XML based protocol and these messages are signed with a key. An example message is shown below:\r\n\r\n<Envelope component=\"ClusterScheduler\" count=\"1\" name=\"moab\" type=\"nonblocking\" version=\"8.0.beta.2\">\r\n <Signature>\r\n <DigestValue>7v49VzAlbyNQ4O3VChCus+v2LeE=</DigestValue>\r\n <SignatureValue>QG13cmxhYnMgRWFzdGVyIEVnZyE=</SignatureValue>\r\n </Signature>\r\n <Body actor=\"test\" timestamp=\"1408488412\">\r\n <Request action=\"submit\" actor=\"test\" cmdline=\"\\STARTmsub\">\r\n <Object>job</Object>\r\n <job>\r\n <Owner>test</Owner>\r\n <UserId>test</UserId>\r\n <GroupId>test</GroupId>\r\n <InitialWorkingDirectory>/home/test</InitialWorkingDirectory>\r\n <UMask>2</UMask>\r\n <Executable>/usr/bin/id</Executable>\r\n <SubmitLanguage>PBS</SubmitLanguage>\r\n <SubmitString>\\START/usr/bin/id\\0a\\0a</SubmitString>\r\n </job>\r\n </Request>\r\n </Body>\r\n</Envelope>\r\n\r\nOn receiving a message the server will generate a signature and ensure that it matches the <SignatureValue> element within the message. This signature is effectively computed in the following manner:\r\n\r\nsignature = f(messageBody,key)\r\n\r\nTherefore in order to communicate with the Moab server users must be able to compute valid signatures and two mechanisms are provided within Moab for achieving this:\r\n\r\n1. The use of .moab.key files (more secure)\r\n2. Use of a pre-generated key (insecure) - default\r\n\r\nWhere .moab.key files are used a SUID root binary (mauth) provides an interface to this key as well as a means for verifying that the user calling mauth matches the actor specified within the XML message being signed.\r\n\r\nWhere a pre-generated key is used mauth is not called and the generation of messages is performed entirely within the context of the calling user. There is no validation that the user requesting the signing of the message is the actor specified within the message. As a result where pre-generated keys are used it is possible to craft messages belonging to other users and to perform operations and submit jobs as other users. Simply patching the return value of calls to getuid() is sufficient to impersonate other users. \r\n\r\n\r\n##[Detailed Timeline]\r\n\r\n2014-01-21 : Detailed vulnerability information provided to Adaptive \r\n2014-08-27 : Full advisory provided to Adaptive\r\n2014-09-08 : Release of advisory to HPC community\r\n2014-09-25 : Public release of advisory\r\n\r\nhttp://labs.mwrinfosecurity.com\n\n# 0day.today [2018-01-09] #", "sourceHref": "https://0day.today/exploit/22710", "cvss": {"score": 4.0, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:NONE/I:PARTIAL/A:NONE/"}}]}

Moab Insecure Message Signing Authentication Bypass

Description

Related