*** This bug is a security vulnerability *** You have been subscribed to a public security bug by Jamie Strandboge (jdstrand):
WS-Security policy implemented in CLC requires both a <Timestamp> and the <Body> element to be signed. However, because the logic for verifying signatures for these elements is decoupled from the application logic that uses them, it's possible to put these elements in different locations in a SOAP request in a way that the original signatures are still valid, but the elements that are used by the application logic are different. As a result, an attacker, who is in possession of a valid SOAP request to CLC, can send (and execute with the privileges of the original user) arbitrary commands to CLC. WS-Security policy implemented in CC/NC does not require a <Timestamp> element and does require for the <Body> to be signed. The only elements that are signed are the WS-Addreessing headers, namely <To>, <Action> and <MessageID>. Because the logic for verifying the signatures for these elements is decoupled from the logic that uses them, wrapping attacks are also possible against these fields. As a result, an attacker, who is in possession of a valid SOAP request to CC or NC, can send to and execute arbitrary (supported) commands on these components. ** Affects: eucalyptus Importance: Undecided Assignee: Neil Soman (neilsoman) Status: New ** Affects: eucalyptus (Ubuntu) Importance: Undecided Status: In Progress ** Affects: eucalyptus (Ubuntu Lucid) Importance: Undecided Status: In Progress ** Affects: eucalyptus (Ubuntu Maverick) Importance: Undecided Status: In Progress ** Affects: eucalyptus (Ubuntu Natty) Importance: Undecided Status: In Progress ** Affects: eucalyptus (Ubuntu Oneiric) Importance: Undecided Status: In Progress -- SOAP interfaces are vulnerable to XML Signature Element Wrapping attacks https://bugs.launchpad.net/bugs/746101 You received this bug notification because you are a member of Ubuntu Bugs, which is a direct subscriber. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs