OSG-SEC-2021-11-04 Privilege Escalation Vulnerability in dCache
Dear OSG Security Contacts,
A vulnerability has been found in dCache where a group ACL might apply to a user with the same numeric id. This may in some rare circumstances allow a user to gain access to restricted resources. The OSG Security Team considers this vulnerability to be of MODERATE severity.
dCache point versions before 6.2.31, 7.0.20, 7.1.11 and 7.2.1
WHAT ARE THE VULNERABILITIES:
The dCache team provided this information:
There is a vulnerability whereby the group flag on ACLs is lost when set through dcache admin commands.
dCache supports two ways of setting ACLs - one setting the nfs4_setfacl command and the other setting the dCache admin command.
Though they are very similar, they have differences.
The admin interface uses the GROUP keyword to associate the Access Control Entry (ACE) with a user group, however in this case dCache associates the ACE with a user if additional 'g' (subject is a group) flag is not set. As a result, a user may get access to restricted resources.
WHAT YOU SHOULD DO:
Upgrade to point releases dCache versions 6.2.31, 7.0.20, 7.1.11 or 7.2.1
Please contact the OSG security team at [email protected] if you have any questions or concerns.
OSG Security Team