ESA-02: SOAP Interfaces Vulnerable to XML Signature Element Wrapping Attacks

Eucalyptus Security Advisory
Advisory ID: ESA-02
Severity Level: Critical
Issue Date: 2011-05-25
Last Updated: 2011-05-25
Affected Products: Eucalyptus EE 2.0.1, Eucalyptus 2.0.2 and earlier

Overview

A security vulnerability has been identified in Eucalyptus EE 2.0.1, Eucalyptus 2.0.2 and earlier. An update is now available that resolves this issue. We advise immediately updating all affected Eucalyptus installations following the instructions below.

Description

This vulnerability allows an unauthenticated remote attacker who has access to the network traffic between an authenticated user and a Eucalyptus installation to modify intercepted SOAP requests and submit arbitrary commands to the Eucalyptus SOAP interface in the context of the authenticated user. Special thanks to Juraj Somorovsky, Jörg Schwenk, Meiko Jensen and Xiaofeng Lou, who reported this vulnerability to us and provided all the details needed to produce the current release.

Solution

Eucalyptus EE 2.0.2 and Eucalyptus 2.0.3 resolve this issue.

Instructions

To update Eucalyptus EE 2.0 installations to Eucalyptus EE 2.0.2:

  1. Download the updated Eucalyptus software from this location:

http://www.eucalyptussoftware.com/downloads/products/eee/

  2. Next, follow the Eucalyptus EE 2.0 series upgrade instructions for your particular distribution, as shown in the EE 2.0 Administrator's Guide:

http://www.eucalyptus.com/resources/documentation

To update Eucalyptus 2.0 installations to Eucalyptus 2.0.3:

  1. Download the updated Eucalyptus software from this location:

http://open.eucalyptus.com/download

  2. Next, follow the Eucalyptus 2.0 series upgrade instructions for your particular distribution, as shown here:

http://open.eucalyptus.com/wiki/EucalyptusUpgrade_v2.0

Updated Packages

Eucalyptus EE:

eucalyptus-centos-i386-2.0.2eee.tar.gz          MD5: e28c6c476782f8797e8a322c9bcfe269
eucalyptus-centos-x86_64-2.0.2eee.tar.gz        MD5: 6bd250db20a9c692f19b2e04f659c9db
eucalyptus-deps-centos-i386-2.0.2eee.tar.gz     MD5: 99f3a1e1f2714e087d4a9aa523d3b688
eucalyptus-deps-centos-x86_64-2.0.2eee.tar.gz   MD5: fd6a5ac4dcd906bfb602ec09eca6cca7
eucalyptus-deps-opensuse-i586-2.0.2eee.tar.gz   MD5: a5215c66d59879ec14d48e920955ec83
eucalyptus-deps-opensuse-x86_64-2.0.2eee.tar.gz MD5: 1ba8422634aa6c608e898dfa3001392b
eucalyptus-opensuse-i586-2.0.2eee.tar.gz        MD5: 2c1f74a714890772fc64b412605fabb0
eucalyptus-opensuse-x86_64-2.0.2eee.tar.gz      MD5: 2f11b11a2c2bdde6b8bbf36d219e13bc

Eucalyptus:

eucalyptus-2.0.3-centos-i386.tar.gz     MD5: 698cd38e34158c42c15150e1d89872e7
eucalyptus-2.0.3-centos-x86_64.tar.gz   MD5: 0f03a29e4cdc05f9eb293eb9bc2e26bd
eucalyptus-2.0.3-fedora-i386.tar.gz     MD5: 7dc1c610a969a4010bac003858d601a7
eucalyptus-2.0.3-fedora-x86_64.tar.gz   MD5: 6bced857d66d10a82392d298085982de
eucalyptus-2.0.3-opensuse-i386.tar.gz   MD5: bfa715f8908c0b147fc032c4293bdd1f
eucalyptus-2.0.3-opensuse-x86_64.tar.gz MD5: d000e024286e454f9d9366c1b3100d5a
eucalyptus-2.0.3-squeeze.tar.gz         MD5: 3551a2a6802b643bcc735845c6a1ea36
eucalyptus-2.0.3-src-deps.tar.gz        MD5: aea055ab6e3fcb5d1e0b9702cf7b51f9
eucalyptus-2.0.3-src-offline.tar.gz     MD5: 1dbef9620da90736637113108e8c3631
eucalyptus-2.0.3-src-online.tar.gz      MD5: e3f3ce2a9e110acadf3a0e88f45e19ba

Additional Information

Users running Ubuntu Enterprise Cloud powered by Eucalyptus (UEC) should refer to the Ubuntu security announcement USN-1137-1.

http://www.ubuntu.com/usn/usn-1137-1

Contact and Help

Contact the Eucalyptus Security Team at security@eucalyptus.com.