diff --git a/docs/OSGSecurityAnnouncements.md b/docs/OSGSecurityAnnouncements.md index 0b7d8a11..231d9e75 100644 --- a/docs/OSGSecurityAnnouncements.md +++ b/docs/OSGSecurityAnnouncements.md @@ -1,5 +1,6 @@ | Date | Title | Contents/Link | Risk | |-------------|-------------------------------------------------------|---------------------|---------------| +| 2024-10-03 | IDTOKEN Signing Key Present In OSG Hosted-CE Container Images | [OSG-SEC-2024-10-03](./vulns/OSG-SEC-2024-10-03.md) | | | 2024-01-09 | HIGH SSH vulnerability exploitable in Terrapin attack | [OSG-SEC-2024-01-08](./vulns/OSG-SEC-2024-01-08-HIGH-SSH-vulnerability-exploitable-in-Terrapin-attacks.md) | | | 2023-10-11 | HIGH Severity GNU C Library Privilege Escalation | [OSG-SEC-2023-10-09](./vulns/OSG-SEC-2023-10-09.md) | | | 2023-09-26 | CRITICAL PMIx race condition vulnerability affecting Slurm | [OSG-SEC-2023-09-26](./vulns/OSG-SEC-2023-09-26.md) | | diff --git a/docs/vulns/OSG-SEC-2024-10-03.md b/docs/vulns/OSG-SEC-2024-10-03.md new file mode 100644 index 00000000..1b744b13 --- /dev/null +++ b/docs/vulns/OSG-SEC-2024-10-03.md 
@@ -0,0 +1,18 @@ +# OSG-SEC-2024-10-03 IDTOKEN Signing Key Present In OSG Hosted-CE Container Images + +Dear OSG Security Contacts, + +OSG has discovered a security issue with the OSG Hosted-CE container images [1] where a default IDTOKEN signing key was generated each time the images were built. This key could have been used to submit local jobs to the Hosted-CEs until a new image, containing a new key, was generated. + +Upon discovery of the issue, we investigated our audit logs and found no evidence of job submission using this key. We have made changes to our container infrastructure to mitigate this issue and prevent the automatically generated key from being used. + +We are investigating further improvements to harden the Hosted-CEs to make access to an IDTOKEN signing key less impactful. Additionally, we are investigating methods and tools to implement automated secret scanning for OSG container images and other release artifacts to reduce the likelihood of future secrets being included in release artifacts. + +While we have no evidence that this issue was ever exploited, out of an abundance of caution we are rotating ALL SSH keys used by the Hosted-CEs to connect back to sites. OSG is working with the affected sites to minimize any disruptions caused by this credential rotation. + +Please contact the OSG Security team at security@osg-htc.org if you have any questions or concerns. + +OSG Security Team + +## REFERENCES +[1] https://hub.docker.com/r/opensciencegrid/hosted-ce diff --git a/mkdocs.yml b/mkdocs.yml index 492c4b7e..65d324fe 100644 --- a/mkdocs.yml +++ b/mkdocs.yml 
@@ -12,6 +12,7 @@ nav: - Overview: 'OSGSecurityAnnouncements.md' - Overview x86 vulnerabilities: 'OSGSecurityAnnouncements-x86.md' - Announcement Details: + - OSG-SEC-2024-10-03 IDTOKEN Signing Key Present In OSG Hosted-CE Container Images: './vulns/OSG-SEC-2024-10-03.md' - OSG-SEC-2024-01-08 HIGH SSH vulnerability exploitable in Terrapin attacks: './vulns/OSG-SEC-2024-01-08-HIGH-SSH-vulnerability-exploitable-in-Terrapin-attacks.md' - OSG-SEC-2023-09-26 CRITICAL PMIx race condition vulnerability affecting Slurm: './vulns/OSG-SEC-2023-09-26.md' - OSG-SEC-2023-09-25 HIGH Multiple Linux Kernel Vulnerabilities: './vulns/OSG-SEC-2023-09-25.md'
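Review bot: In the first hunk (docs/OSGSecurityAnnouncements.md), the new row leaves the Risk column empty and, unlike the neighbouring rows, its title carries no severity word, so a reader scanning the overview table cannot tell how serious an exposed IDTOKEN signing key is; the other entries put the rating in the title ("HIGH SSH vulnerability …", "CRITICAL PMIx race condition …"). Suggest either filling in the Risk cell or prefixing the title the same way, e.g. `| 2024-10-03 | HIGH IDTOKEN Signing Key Present In OSG Hosted-CE Container Images | … | HIGH |`, with the rating the security team actually assigned.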
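Review bot: In the second hunk (the new docs/vulns/OSG-SEC-2024-10-03.md), the advisory never states which image builds or tags contained the generated key, over what period, or what a site administrator has to do, even though the last paragraph says ALL Hosted-CE SSH keys are being rotated and that OSG is "working with the affected sites"; a site reading this cannot tell whether it is affected or whether any action is expected on its side. Suggest adding short "Affected images" and "Action required" sections (the affected tag range or build dates, whether older images were removed or retagged, and whether sites must accept or install new SSH keys or can simply wait for OSG to contact them), and a severity line matching the overview table. The sentence "We have made changes to our container infrastructure to mitigate this issue" would also be clearer if it named the change in one clause (for instance, whether the key is now generated at runtime rather than at build time), since the paragraph that follows promises further hardening without saying what the first fix was.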
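Review bot: In the third hunk (mkdocs.yml), the new nav entry is consistent with the file added in the second hunk, but the surrounding context shows the Announcement Details list jumping from OSG-SEC-2024-01-08 to OSG-SEC-2023-09-26, while the overview table in the first hunk also links OSG-SEC-2023-10-09 (the GNU C Library privilege escalation). That page is reachable from the table but not from the sidebar; not introduced by this change, but worth adding the missing `- OSG-SEC-2023-10-09 …: './vulns/OSG-SEC-2023-10-09.md'` line while the nav is being touched.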