Security vulnerability announcement: CVE-2011-0720 - Privilege escalation

A vulnerability in Plone 2.5 to Plone 4.0 that allows anonymous users to gain manager access to a Plone site.

This is an escalation of privileges attack that can be used by anonymous users to gain access to a Plone site's administration controls, view unpublished content, create new content and modify a site's skin.  The sandbox protecting access to the underlying system is still in place, and it does not grant access to other applications running on the same Zope instance.

All versions of Plone since 2.5 are affected, viz. 2.5, 3.0, 3.1, 3.2, 3.3, 4.0; including all minor and development revisions of these versions.  Plone versions prior to 2.5, including Plone 1.0, Plone 2.0 and Plone 2.1 are not affected.

The fix was released at 1621 UTC on Tuesday 8th February.

Full installation instructions.

Extra help

Should you not have in-house server administrators or a service agreement looking after your website you can find consultancy companies on plone.net.

There is also free support available online.

 

Previous Workaround

Due to the nature of the vulnerability, the security team decided to pre-announce that a fix is upcoming before disclosing the details, to ensure that concerned users can plan around the release.  As the fix being published will make the details of the vulnerability public we are recommending that all users plan a maintenance window for 30 minutes either side of the announcement where your site is completely inaccessible in which to install the fix.

We recommended to people that could not have a scheduled downtime that they take one of the following steps to protect their site from before the announcement until you apply the fix:

  1. Make your database read-only.
  2. Alternatively, if this option isn't possible due to not using one of our standard ZODB backends, disable logins by filtering HTTP authentication and cookies in Apache or Varnish.

These did not need to be in place for the entire week but should already be in place before the fix and vulnerability details are released next week.  By preventing modifications to your site and patching your site quickly you remove the incentive for potential attackers to attempt this attack.

Information for vulnerability database maintainers

CVSS Base Score
7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P/E:F/RL:T/RC:C)
Impact Subscore
6.4
Exploitability Subscore
10
CVSS Temporal Score
6.4
Credit
Alan Hoey

Questions and Answers


Q: When will the patch be made available?

A: It is available now! The Plone Security Team released the patch at 16:21 GMT (11:21am US ET) on Tuesday February 8th, 2011.

Q: How was this vulnerability found?

A: This issue was found as part of a routine audit performed by the Plone Security team.

Q: My site is highly visible and mission-critical. I hear the patch has already been developed. Can I get the fix before the release date?

A: The Security Team has made the decision to not allow any early release of this patch so as to reduce the risks of exploitation. This decision applies to everyone, even Plone Foundation Members and Board members.

Q: If the patch has been developed already, why isn't it already made available to the public?

A: The Security Team is still testing the patch and running various scenarios thoroughly. The team is also making sure everybody has appropriate time to plan to patch their Plone installation(s). Some consultancy organizations have hundreds of sites to patch and need the extra time to coordinate their efforts with their clients.

Q: How does one exploit the vulnerability?

A: For obvious security reasons, the information will not be made available until after the patch is made available.

Q: How can I be sure my website hasn't already been compromised?

A: Yes, there is a script which will check your zope or apache log files for suspicious activity.  Download it then run it as: python logchecker.py /path/to/your/instance-Z2.log

Q: Are there any third-party products I can use to protect my site until the patch is available?

A: No.

Q: I already applied version 1.0 of the hotfix to my site. Do I need to install version 1.1 now?

A: You only need version 1.1 of the hotfix if you got exceptions when trying to use version 1.0. Version 1.1 fixes 2 minor installation edge cases but does not change the nature of the fix that is applied.