The Grid Security Vulnerability Group (GSVG) and the Operational Security Coordination Team (OSCT) have been made aware of a security flaw affecting Torque/OpenPBS. This vulnerability permits a malicious user to submit a job which can elevate the jobs privileges to root. A user must first have the ability to submit jobs to an OpenPBS/Torque system to exploit. All systems running OpenPBS/Torque must upgrade to the latest version of OpenPBS/Torque. Original advisory: Dear Site Admins and Security Contacts,
As announced earlier on today, Torque is currently affected by a security flaw.
A patch is now out and all affected sites are invited to upgrade immediately.
*******************************************************************
Torque/OpenPBS local root privilege escalation vulnerability
Grid Software Vulnerability Group Security Advisory
-- Date: 2006-10-20
-- Background
Torque/OpenPBS is the batch job manager that implements the mechanism for job submission to the local computing nodes.
Pbs_mom is Torque/OpenPBS's component that manages the lifecycle of batch jobs on the Worker Nodes and provides the node status to the Torque/OpenPBS server part.
-- Affected Software
gLite <= 1.5, LCG <= 2.7.x, gLite <= 3.0.x.
-- Affected Components
All versions of OpenPBS and Torque are affected.
For gLite 3.x the affected meta-package are:
glite-torque-client-config
lcg-CE_torque
glite-torque-server-config
glite-CE
For LCG 2.x the affected meta-package is lcg-WN_torque.
For gLite 1.x the affected component is "Torque Client for the gLite Worker Nodes".
EGEE Grid software installs torque-1.0.1p6 by default, but it is known that sites tend to use newer versions of Torque or older versions of OpenPBS. Such setups are also vulnerable.
-- Vulnerability Details
By creating a malicious symbolic link, a local attacker could easily gain root privileges on any node running pbs_mom (typically Worker Node).
The Torque/OpenPBS's pbs_mom is writing the output and error messages from user jobs to predictable files using root privileges.
Unfortunately, Torque/OpenPBS is affected by a flaw that can enable a malicious user to symlink to any file on the system from these Torque/OpenPBS files, causing the output/error messages to be appended to arbitrary files. As a result, it is possible for the attacker to create, modify or execute arbitrary files on the system with root privileges.
-- Grid Security Vulnerability Group Response The Grid Security Vulnerability Group views this issue as EXTREMELY CRITICAL and strongly recommends that all sites using Torque/OpenPBS upgrade to the latest version of Torque/OpenPBS IMMEDIATELY, following the directions of the "Installation Notes" section.
-- Further documentation
This advisory is also available at the following URL:
http://www.gridpp.ac.uk/gsvg/
-- Installation Notes
The following rpms have been made available;
torque-1.0.1p6-13.SL30X.st.i386.rpm
torque-clients-1.0.1p6-13.SL30X.st.i386.rpm
torque-devel-1.0.1p6-13.SL30X.st.i386.rpm
torque-resmom-1.0.1p6-13.SL30X.st.i386.rpm
torque-server-1.0.1p6-13.SL30X.st.i386.rpm
These are appropriate to fix what is distributed with gLite 3.0 and LCG-2_7_0.
They are available in the appropriate repositories for each distribution.
http://glitesoft.cern.ch/EGEE/gLite/APT/R3.0/rhel30/RPMS.updates/
http://grid-deployment.web.cern.ch/grid-deployment/gis/apt/LCG-2_7_0/sl3/en/i386/RPMS.lcg_sl3.security/
We are distributing the full rpm set, but please note that the vulnerability is patched by upgrading the pbs_mom on the WNs. An upgrade of the head node is not strictly required.
After the upgrade, please ensure that pbs_mom has restarted properly (the rpm update should do this automatically).
-- Credit
This vulnerability was disclosed[1] in the BugTraq mailing list by Luis Miguel Silva (ISPGaya). The vulnerability was reported to the GSVG by Eygene Ryabinkin (RRC-KI).
-- Disclosure Timeline
2006-10-18 Vulnerability disclosed in the BugTraq list by Luis Miguel Silva (ISPGaya).
2006-10-20 Vulnerability reported to GSVG by Eygene Ryabinkin (RRC-KI)
2006-10-20 Initial response from the Grid Security Vulnerability Group
2006-10-20 OSCT notified of the vulnerability
2006-10-20 Initial patch provided by GSVG
2006-10-20 Updated sources available
2006-10-20 Updated LCG and gLite packages available
2006-10-20 Release preparation completed
2006-10-20 Public disclosure
2006-10-20 Site Admins and LCG Security Contacts notified
-- References
1. The original BugTraq thread:
http://www.securityfocus.com/archive/1/449248/30/0/threaded
*******************************************************************
Updated Torque packages have now been released and announced:
*******************************************************************
Dear all (or more specifically, administrators of sites using Torque 1)
The Grid Security Vulnerability Group have been notified of a
vulnerability which they have assessed and consequently classed as
"EXTREMELY CRITICAL".
This vulnerability exists in an external dependency of the gLite
middleware and as such would normally require a patch to come from the
providers of the external software. However, by good fortune a patch is
available within the gLite middleware teams and this patch is now in the
repositories of the EGEE production and pre-production services.
To re-iterate; in the normal course of events, external packages are
distributed with the gLite middleware for convenience *only*.
Distribution of the external packages does *not* imply any
responsibility for this external software on the part of the gLite
middleware teams. As the gLite middleware teams do not maintain the
external packages of the middleware, they will not normally create
patches for these external packages. That they are doing so on this
occasion is a special, one-off event.
The details of the vulnerability and the update can be found here:
http://glite.web.cern.ch/glite/packages/R3.0/updates.asp
For more detailed information including fixed bugs, updated RPMs,
configuration changes and how to deploy, please go to the 'Details' link
next to each service on the 'Updates' web page.
All issues found with this update should be reported using GGUS:
www.ggus.org
|
|
For assistance contact helpdesk@fnal.gov.
Information compiled and maintained by Computer Security Team ; last modified by TR on July 13, 2006. (Address comments about page to the Computer Security Team.) |