2018-SV2 Script Name UUID

affects OMERO 5 versions 5.4.6 and earlier

Synopsis

A remote user can determine a server's node UUID after a script is placed directly into the server's scripts directory. That UUID can then be used to log in to the server as the root user, thus granting the associated system privileges. Further, closing that login session seriously disables the server until it is restarted.

Background

The OMERO PR #5273 describes a process to:

… establish a secret key when the server starts up, tell it to the database then, when we try to set the originalfile.repo column, have a database trigger look for that secret key prefixing originalfile.name

OMERO.server affords considerable privilege to those who wield that secret key. The key can leak when the scripts service detects a new script, because the server subsequently returns script names with that key prefix to the first user who queries the list of scripts. Running bin/omero script list suffices to call IScript::getScripts() and trigger the leak.
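One way an administrator can check whether a 5.4.x server is exposing its node key through IScript::getScripts(), as an added example that is not part of this advisory or of OMERO's own code. It assumes the leaked key has the textual UUID form and sits immediately before the script's normal path; the sample names below are constructed, not real server output.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of what a script listing might return on an affected
# server right after a script was dropped into the scripts directory.
# The UUID value and the "/" separator are assumptions; the advisory only
# says the secret key prefixes originalfile.name.
SAMPLE_SCRIPT_NAMES = [
    "/omero/analysis_scripts/Kymograph.py",
    "/omero/export_scripts/Batch_Image_Export.py",
    "7c0e2b1a-9d3f-4b8e-a1c2-0f5d6e7a8b9c/omero/util_scripts/Dropped_By_Admin.py",
    "7c0e2b1a-9d3f-4b8e-a1c2-0f5d6e7a8b9c/omero/util_scripts/Second_Dropped.py",
]

# RFC 4122 textual UUID at the very start of the name, followed by the real
# name (the first character after the UUID must not continue the hex run).
_UUID_PREFIX = re.compile(
    r"^(?P<uuid>[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})"
    r"(?P<rest>[^0-9a-f-].*)$",
    re.IGNORECASE,
)


def leaked_uuid_prefixes(names: List[str]) -> List[Tuple[str, str]]:
    """Return (uuid, real_name) for every script name that carries a UUID prefix."""
    hits: List[Tuple[str, str]] = []
    for name in names:
        m = _UUID_PREFIX.match(name)
        if m:
            hits.append((m.group("uuid").lower(), m.group("rest")))
    return hits


def shared_prefix_keys(names: List[str]) -> Dict[str, int]:
    """Count how many entries share each leaked UUID.

    A server-wide secret shows up as the same UUID on every freshly detected
    script, which distinguishes the leak from a one-off oddly named file.
    """
    counts: Dict[str, int] = {}
    for uuid, _ in leaked_uuid_prefixes(names):
        counts[uuid] = counts.get(uuid, 0) + 1
    return counts


if __name__ == "__main__":
    for uuid, real_name in leaked_uuid_prefixes(SAMPLE_SCRIPT_NAMES):
        print(f"possible node key exposed: {uuid} before {real_name}")
    print(shared_prefix_keys(SAMPLE_SCRIPT_NAMES))
```

Feed the function the names returned by your own script listing; any hit on a 5.4.0 to 5.4.6 server means the node key has already been shown to whichever user listed scripts first, so treat that key as compromised and restart after upgrading.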

This vulnerability is identified as CVE-2018-1000635.

Affected Packages

OMERO.server from 5.4.0 to 5.4.6 inclusive.

Impact

Medium severity.

CVSS score 6.7 vector AV:L/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H/E:F/RL:O/RC:C/CR:H/IR:H/AR:H/MAV:L/MAC:H/MPR:H/MUI:R/MS:C/MC:H/MI:H/MA:H

Workaround

Manage server-side scripts only via the clients, not by directly manipulating the server's filesystem.

Resolution

All OMERO.servers should be upgraded to at least 5.4.7.
