This is a privilege escalation vulnerability that allows anonymous users to gain access to a Plone site's administration controls, view unpublished content, create new content and modify a site's skin. The sandbox protecting access to the underlying system is still in place, and the attack does not grant access to other applications running on the same Zope instance.
All versions of Plone since 2.5 are affected, viz. 2.5, 3.0, 3.1, 3.2, 3.3, 4.0; including all minor and development revisions of these versions.
Due to the severity of this issue we are providing an advance warning of an upcoming patch, which will be released on this page at 1600 GMT on Tuesday 8th February 2011.
Workaround
Due to the nature of the vulnerability, the security team has decided to pre-announce that a fix is upcoming before disclosing the details, to ensure that concerned users can plan around the release. As the published fix will make the details of the vulnerability public, we recommend that all users plan a maintenance window of 30 minutes either side of the announcement, during which the site is completely inaccessible, in which to install the fix.
If you cannot have this time offline we STRONGLY recommend that you take one of the following steps to protect your site from before the announcement until you apply the fix:
- Make your database read-only.
- Alternatively, if this option isn't possible due to not using one of our standard ZODB backends, disable logins by filtering HTTP authentication and cookies in Apache or Varnish.
These do not need to be in place for the entire week but should already be in place before the fix and vulnerability details are released next week. By preventing modifications to your site and patching your site quickly you remove the incentive for potential attackers to attempt this attack.
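The following Apache vhost fragment is an added example of the second workaround (filtering HTTP authentication and cookies in front of Zope); it is not taken from this advisory or from the plone.org knowledge base article referenced in the patch steps below. It assumes mod_headers, mod_proxy and mod_rewrite are loaded, that Zope listens on 127.0.0.1:8080 and that the site is served through the usual VirtualHostMonster rewrite; the hostname, port and site id are placeholders.

```apache
# Added example, not the advisory's own configuration.
# Strips every credential carrier from requests proxied to Zope so that no
# request can authenticate while this vhost is active. Hostname, backend port
# and the "Plone" site id are assumed values.
<VirtualHost *:80>
    ServerName www.example.org

    # Drop HTTP Basic credentials before the request reaches Zope.
    RequestHeader unset Authorization

    # Drop all cookies, which removes Plone's __ac authentication cookie.
    # Anonymous visitors lose nothing they need to read published content.
    RequestHeader unset Cookie

    # If other cookies must survive, strip only the __ac cookie instead
    # (RequestHeader edit needs mod_headers from Apache 2.2.4 or later):
    # RequestHeader edit Cookie "(^|;\s*)__ac=[^;]*" ""

    # Refuse requests that try to log in with form credentials passed in the
    # query string. Credentials in a POST body are not inspected here.
    RewriteEngine On
    RewriteCond %{QUERY_STRING} (^|&)__ac_(name|password)= [NC]
    RewriteRule .* - [F]

    ProxyPass        / http://127.0.0.1:8080/VirtualHostBase/http/www.example.org:80/Plone/VirtualHostRoot/
    ProxyPassReverse / http://127.0.0.1:8080/VirtualHostBase/http/www.example.org:80/Plone/VirtualHostRoot/
</VirtualHost>
```

Reload Apache after adding the fragment and confirm the effect from outside the server: a request carrying a valid Authorization header or __ac cookie must now be treated as anonymous (the personal bar and edit tabs do not appear). Because this fragment only filters headers and the query string, form credentials submitted in a POST body are not blocked by it; if that matters for your deployment, the read-only database or offline options are the safer choice, since they prevent modification regardless of how a request authenticates.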
Extra help
Should you not have in-house server administrators or a service agreement looking after your website you can find consultancy companies on plone.net.
There is also free support available online.
Information for vulnerability database maintainers
- CVSS Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P/E:F/RL:T/RC:C)
- Impact Subscore: 6.4
- Exploitability Subscore: 10
- CVSS Temporal Score: 6.4
- Credit: Alan Hoey
Questions and Answers
Q: When will the patch be made available?
A: The Plone Security Team will release the patch at 16:00 GMT (11am US ET) on Tuesday February 8th, 2011.
Q: How was this vulnerability found?
A: This issue was found as part of a routine audit performed by the Plone Security team.
Q: My site is highly visible and mission-critical. I hear the patch has already been developed. Can I get the fix before the release date?
A: The Security Team has made the decision to not allow any early release of this patch so as to reduce the risks of exploitation. This decision applies to everyone, even Plone Foundation Members and Board members.
Q: If the patch has been developed already, why isn't it already made available to the public?
A: The Security Team is still testing the patch and running various scenarios thoroughly. The team is also making sure everybody has appropriate time to plan to patch their Plone installation(s). Some consultancy organizations have hundreds of sites to patch and need the extra time to coordinate their efforts with their clients.
Q: How does one exploit the vulnerability?
A: For obvious security reasons, the information will not be made available until after the patch is made available.
Q: How can I be sure my website hasn't already been compromised?
A: Unfortunately, there is no obvious or fool-proof way to know.
Q: Are there any third-party products I can use to protect my site until the patch is available?
A: Unfortunately, no. See below.
Q: Is disabling access to certain paths, such as /login, enough to protect my site?
A: The Plone Security Team states that there are only 3 options to properly protect your site:
- Disable authentication functionality (by filtering HTTP authentication and cookies in Apache or Varnish)
- Make your database read-only
- Take your website offline
Q: Can I buy the Security Team a beer?
A: Absolutely :-)
Steps to follow to apply the patch:
- Check to confirm that the patch is applicable to the Plone version in place
- Remove access to authentication by following the information at:
- http://plone.org/documentation/kb/disable-logins-for-a-plone-site
- Restart/reload the webserver
- Wait for the patch to be released at http://plone.org/products/plone/security/advisories/cve-2011-0720
- Back up the database
- Back up the buildout or instance code (Zope2 style install)
- For buildout-based installations:
- Verify that you have your various egg versions pinned (call a trained professional if you do not know what this means)
- Add the hotfix package to the instance eggs
- Re-run your buildout using bin/buildout -Nv
- For old style Zope installations:
- Place the hotfix into Zope's Products folder
- Restart the Zope instance(s)
- Reinstate authentication
- Restart/reload the web server
- Test
- Verify the site is back up
- Verify the patch was applied
- Verify authentication is back up
- Verify exploiting the vulnerability is no longer possible