high · 8.1CVE-2026-61668Jul 13, 2026

CVE-2026-61668: DIRAC PilotWrapper Disabled TLS Certificate Validation

Shubham Kandhare
Security Engagement Manager, SecureLayer7

DIRAC's pilot wrapper script intentionally skips TLS certificate verification when downloading the second-stage pilot code, letting a network attacker swap in malicious code that runs with grid proxy

PackageDIRAC
Ecosystempip
Affected>= 6.20.1, < 8.0.79
Fixed in8.0.79

The problem

The pilot wrapper in `WorkloadManagementSystem/Utilities/PilotWrapper.py` downloads `pilot.tar` and its reference checksum file over HTTPS, but explicitly passes an unverified SSL context to `urllib.urlopen`. This means no server identity check is performed.

A man-in-the-middle attacker who can intercept the connection (via DNS or routing manipulation at a grid site) can replace the downloaded archive with arbitrary code. That code then executes with the pilot's proxy credentials, potentially compromising the entire job context.

Proof of concept

A working proof-of-concept for CVE-2026-61668 in DIRAC, with the exact payload below.

python
# Vulnerable pattern in PilotWrapper.py (DIRAC < 8.0.79)
import ssl
from urllib.request import urlopen

# SSL validation is explicitly disabled to match old Python < 2.7.9 behaviour
if 'context' in urlopen.__code__.co_varnames:
    context = ssl._create_unverified_context()          # no cert check at all
    rJson = urlopen('https://<pilotFileServer>/pilot/pilot.json', timeout=10, context=context)
    rTar  = urlopen('https://<pilotFileServer>/pilot/pilot.tar', timeout=10, context=context)

# Because the checksum reference is fetched over the same unverified channel,
# a MITM can serve a matching (attacker-chosen) checksum alongside the malicious tar.
# The integrity check passes and the malicious payload is executed.

The root cause is CWE-295: Improper Certificate Validation. The code deliberately creates `ssl._create_unverified_context()`, which sets `CERT_NONE` and disables hostname checking, to preserve compatibility with Python versions older than 2.7.9. Because both `pilot.tar` and its checksum file are fetched through this same unvalidated context, the checksum check provides no real integrity guarantee against a MITM.

The fix removes the `_create_unverified_context()` path entirely, requiring a properly validating SSL context (system CA store and/or `$X509_CERT_DIR`) for all downloads. DIRAC 8.0 already dropped Python 2 support, so the old-Python workaround had no remaining justification.

The fix

Upgrade to DIRAC 8.0.79, 9.0.22, or 9.1.10. All three releases remove the `ssl._create_unverified_context()` call from `PilotWrapper.py` and require TLS connections to validate against the system certificate store or `$X509_CERT_DIR`.

Reporter not attributed.

References: [1][2][3][4][5]

Related research