Updating for OSG-SEC-2024-10-03 IDTOKEN Signing Key Present In OSG Hosted-CE Container Images #34

Merged: 3 commits, Oct 3, 2024
1 change: 1 addition & 0 deletions docs/OSGSecurityAnnouncements.md
@@ -1,5 +1,6 @@
| Date | Title | Contents/Link | Risk |
|-------------|-------------------------------------------------------|---------------------|---------------|
| 2024-10-03 | IDTOKEN Signing Key Present In OSG Hosted-CE Container Images | [OSG-SEC-2024-10-03](./vulns/OSG-SEC-2024-10-03.md) | |
| 2024-01-09 | HIGH SSH vulnerability exploitable in Terrapin attack | [OSG-SEC-2024-01-08](./vulns/OSG-SEC-2024-01-08-HIGH-SSH-vulnerability-exploitable-in-Terrapin-attacks.md) | |
| 2023-10-11 | HIGH Severity GNU C Library Privilege Escalation | [OSG-SEC-2023-10-09](./vulns/OSG-SEC-2023-10-09.md) | |
| 2023-09-26 | CRITICAL PMIx race condition vulnerability affecting Slurm | [OSG-SEC-2023-09-26](./vulns/OSG-SEC-2023-09-26.md) | |
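Review bot: the Risk cell of the new 2024-10-03 row is left empty, and unlike the neighbouring rows the title carries no severity word (the 2024-01-09 and 2023-10-11 rows say "HIGH", the 2023-09-26 row "CRITICAL"), so a reader scanning the overview cannot tell how urgent this announcement is; fill in the Risk cell or prefix the title with the assessed severity, matching the existing rows.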
18 changes: 18 additions & 0 deletions docs/vulns/OSG-SEC-2024-10-03.md
@@ -0,0 +1,18 @@
# OSG-SEC-2024-10-03 IDTOKEN Signing Key Present In OSG Hosted-CE Container Images

Dear OSG Security Contacts,

OSG has discovered a security issue with the OSG Hosted-CE container images [1] where a default IDTOKEN signing key was generated each time the images were built. This key could have been used to submit local jobs to the Hosted-CEs until a new image, containing a new key, was generated.

Upon discovery of the issue, we investigated our audit logs and found no evidence of job submission using this key. We have made changes to our container infrastructure to mitigate this issue and prevent the automatically generated key from being used.

We are investigating further improvements to harden the Hosted-CEs to make access to an IDTOKEN signing key less impactful. Additionally, we are investigating methods and tools to implement automated secret scanning for OSG container images and other release artifacts to reduce the likelihood of future secrets being included in release artifacts.

While we have no evidence that this issue was ever exploited, out of an abundance of caution we are rotating ALL SSH keys used by the Hosted-CEs to connect back to sites. OSG is working with the affected sites to minimize any disruptions caused by this credential rotation.

Please contact the OSG Security team at [email protected] if you have any questions or concerns.

OSG Security Team

## REFERENCES
[1] https://hub.docker.com/r/opensciencegrid/hosted-ce
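Review bot: the advisory never states which Hosted-CE image tags contain the generated key or which tag first ships the change that "prevent[s] the automatically generated key from being used", so a site cannot verify from this text that it is running a remediated image; add an affected-versions / fixed-in line (or the publication date of the rebuilt image) next to reference [1]. The risk rating is also missing here, as it is in the overview table row added in this PR, and the SSH key rotation paragraph gives sites nothing actionable (how they will be contacted, whether any action on their side is needed); one sentence on each would make the announcement self-contained.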
1 change: 1 addition & 0 deletions mkdocs.yml
@@ -12,6 +12,7 @@ nav:
- Overview: 'OSGSecurityAnnouncements.md'
- Overview x86 vulnerabilities: 'OSGSecurityAnnouncements-x86.md'
- Announcement Details:
- OSG-SEC-2024-10-03 IDTOKEN Signing Key Present In OSG Hosted-CE Container Images: './vulns/OSG-SEC-2024-10-03.md'
- OSG-SEC-2024-01-08 HIGH SSH vulnerability exploitable in Terrapin attacks: './vulns/OSG-SEC-2024-01-08-HIGH-SSH-vulnerability-exploitable-in-Terrapin-attacks.md'
- OSG-SEC-2023-09-26 CRITICAL PMIx race condition vulnerability affecting Slurm: './vulns/OSG-SEC-2023-09-26.md'
- OSG-SEC-2023-09-25 HIGH Multiple Linux Kernel Vulnerabilities: './vulns/OSG-SEC-2023-09-25.md'
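Review bot: the new nav label has no severity tag while its siblings read "HIGH ..." and "CRITICAL ..."; once the risk level is decided, add it to this label and to the overview table row so that the table, the advisory heading and the nav entry stay consistent.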