SOAP interfaces are vulnerable to XML Signature Element Wrapping attacks
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Eucalyptus | Fix Released | Undecided | Neil Soman |
eucalyptus (Ubuntu) | Fix Released | Undecided | Unassigned |
Lucid | Fix Released | Undecided | Unassigned |
Maverick | Fix Released | Undecided | Unassigned |
Natty | Fix Released | Undecided | Unassigned |
Oneiric | Fix Released | Undecided | Unassigned |
Bug Description
WS-Security policy implemented in CLC requires both a <Timestamp> and
the <Body> element to be signed. However, because the logic for verifying
signatures for these elements is decoupled from the application logic
that uses them, it's possible to put these elements in different
locations in a SOAP request in a way that the original signatures are
still valid, but the elements that are used by the application logic
are different. As a result, an attacker, who is in possession of a
valid SOAP request to CLC, can send (and execute with the privileges
of the original user) arbitrary commands to CLC.
WS-Security policy implemented in CC/NC does not require a
<Timestamp> element and does require for the <Body> to be signed. The
only elements that are signed are the WS-Addressing headers, namely
<To>, <Action> and <MessageID>. Because the logic for verifying the
signatures for these elements is decoupled from the logic that uses
them, wrapping attacks are also possible against these fields. As a
result, an attacker, who is in possession of a valid SOAP request to
CC or NC, can send to and execute arbitrary (supported) commands on
these components.
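The decoupling described above can be closed by checking that the elements the application reads are the very elements the signature references. The following is an added example, not code from Eucalyptus or from this bug report: it assumes SOAP 1.1 with `wsu:Id` references as in the CLC case, that the signature values have already been verified by a separate step, and that the application reads `<Body>` and `<Timestamp>` from fixed positions. `check_binding`, `sample`, `Wrapper`, `SignedOp` and `UnsignedOp` are hypothetical names, and the messages are constructed skeletons.

```python
import xml.etree.ElementTree as ET

NS = {
    "s": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
WSU_ID = "{%s}Id" % NS["wsu"]

def check_binding(xml_text):
    """Return problems found; an empty list means the elements the application
    reads are exactly the elements the signature references."""
    root = ET.fromstring(xml_text)
    # Ids named by ds:Reference; the signature math is assumed verified elsewhere.
    signed = {r.get("URI")[1:] for r in root.iterfind(".//ds:Reference", NS)
              if (r.get("URI") or "").startswith("#")}
    all_ids = [e.get(WSU_ID) for e in root.iter() if e.get(WSU_ID)]
    # A signed Id must resolve to exactly one element in the whole document.
    problems = [f"signed Id {i!r} resolves to {all_ids.count(i)} elements"
                for i in sorted(signed) if all_ids.count(i) != 1]
    # Fixed positions the application logic reads from (assumed for this sketch).
    consumed = {"Body": root.findall("s:Body", NS),
                "Timestamp": root.findall("s:Header/wsse:Security/wsu:Timestamp", NS)}
    for name, found in consumed.items():
        if len(found) != 1:
            problems.append(f"expected one {name} in position, found {len(found)}")
        elif found[0].get(WSU_ID) not in signed:
            problems.append(f"{name} read by the application is not the signed one")
    return problems

def sample(header_extra, body_id, op):
    """Constructed SOAP 1.1 skeleton; digest and signature values are omitted."""
    xmlns = " ".join(f'xmlns:{p}="{u}"' for p, u in NS.items())
    return (f'<s:Envelope {xmlns}><s:Header><wsse:Security>'
            f'<wsu:Timestamp wsu:Id="ts"/><ds:Signature><ds:SignedInfo>'
            f'<ds:Reference URI="#ts"/><ds:Reference URI="#body"/>'
            f'</ds:SignedInfo></ds:Signature></wsse:Security>{header_extra}</s:Header>'
            f'<s:Body wsu:Id="{body_id}"><{op}/></s:Body></s:Envelope>')

# Constructed inputs: the request as signed, and one whose signed Body was relocated.
ORIGINAL = sample("", "body", "SignedOp")
RELOCATED = sample('<Wrapper><s:Body wsu:Id="body"><SignedOp/></s:Body></Wrapper>',
                   "other", "UnsignedOp")

if __name__ == "__main__":
    for label, msg in (("original", ORIGINAL), ("relocated", RELOCATED)):
        print(label, check_binding(msg))
```

The same binding check applies to the CC/NC case by listing the WS-Addressing headers (`<To>`, `<Action>`, `<MessageID>`) as the consumed elements instead.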
CVE References
Changed in eucalyptus (Ubuntu Oneiric):
status: New → In Progress
Changed in eucalyptus (Ubuntu Natty):
status: New → In Progress
Changed in eucalyptus (Ubuntu Maverick):
status: New → In Progress
Changed in eucalyptus (Ubuntu Lucid):
status: New → In Progress
Changed in eucalyptus:
assignee: nobody → Neil Soman (neilsoman)
Changed in eucalyptus (Ubuntu Lucid):
status: Fix Committed → Fix Released
Changed in eucalyptus (Ubuntu Maverick):
status: Fix Committed → Fix Released
Changed in eucalyptus (Ubuntu Natty):
status: Fix Committed → Fix Released
This is CVE-2011-0730