https://wiki.egi.eu/w/index.php?title=EGI_CSIRT:Alerts/Torque-2011-06-15&feed=atom&action=history
EGI CSIRT:Alerts/Torque-2011-06-15 - Revision history
2024-03-28T18:01:35Z
Revision history for this page on the wiki
MediaWiki 1.37.1
https://wiki.egi.eu/w/index.php?title=EGI_CSIRT:Alerts/Torque-2011-06-15&diff=105379&oldid=prev
imported>Mingchao at 15:52, 16 August 2011
2011-08-16T15:52:55Z<p></p>
<table style="background-color: #fff; color: #202122;" data-mw="interface">
<tr class="diff-title" lang="en">
<td colspan="1" style="background-color: #fff; color: #202122; text-align: center;">← Older revision</td>
<td colspan="1" style="background-color: #fff; color: #202122; text-align: center;">Revision as of 16:52, 16 August 2011</td>
</tr><tr><td colspan="2" class="diff-notice" lang="en"><div class="mw-diff-empty">(No difference)</div>
</td></tr></table>imported>Mingchao
https://wiki.egi.eu/w/index.php?title=EGI_CSIRT:Alerts/Torque-2011-06-15&diff=23606&oldid=prev
Mingchao at 15:52, 16 August 2011
2011-08-16T15:52:55Z<p></p>
<table style="background-color: #fff; color: #202122;" data-mw="interface">
<col class="diff-marker" />
<col class="diff-content" />
<col class="diff-marker" />
<col class="diff-content" />
<tr class="diff-title" lang="en">
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">← Older revision</td>
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">Revision as of 16:52, 16 August 2011</td>
</tr><tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l136">Line 136:</td>
<td colspan="2" class="diff-lineno">Line 136:</td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>2011-08-11 Patch available in EPEL, information made public and CVE assigned</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>2011-08-11 Patch available in EPEL, information made public and CVE assigned</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>2011-08-15 Advisory revised</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>2011-08-15 Advisory revised</div></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>2011-08-<del style="font-weight: bold; text-decoration: none;">15 </del>Updated advisory sent to EGI sites and NGI security contacts</div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>2011-08-<ins style="font-weight: bold; text-decoration: none;">16 </ins>Updated advisory sent to EGI sites and NGI security contacts</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div></pre></div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div></pre></div></td></tr>
</table>Mingchao
https://wiki.egi.eu/w/index.php?title=EGI_CSIRT:Alerts/Torque-2011-06-15&diff=23605&oldid=prev
Mingchao at 15:52, 16 August 2011
2011-08-16T15:52:44Z<p></p>
<table style="background-color: #fff; color: #202122;" data-mw="interface">
<col class="diff-marker" />
<col class="diff-content" />
<col class="diff-marker" />
<col class="diff-content" />
<tr class="diff-title" lang="en">
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">← Older revision</td>
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">Revision as of 16:52, 16 August 2011</td>
</tr><tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l136">Line 136:</td>
<td colspan="2" class="diff-lineno">Line 136:</td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>2011-08-11 Patch available in EPEL, information made public and CVE assigned</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>2011-08-11 Patch available in EPEL, information made public and CVE assigned</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>2011-08-15 Advisory revised</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>2011-08-15 Advisory revised</div></td></tr>
<tr><td colspan="2" class="diff-side-deleted"></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;">2011-08-15 Updated advisory sent to EGI sites and NGI security contacts</ins></div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div></pre></div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div></pre></div></td></tr>
</table>Mingchao
https://wiki.egi.eu/w/index.php?title=EGI_CSIRT:Alerts/Torque-2011-06-15&diff=23604&oldid=prev
Mingchao: Created page with '<pre> ** WHITE information - Unlimited distribution allowed ** ** see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions ** EGI CSIRT AD…'
2011-08-16T15:50:44Z
<p>Created page with '<pre> ** WHITE information - Unlimited distribution allowed ** ** see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions ** EGI CSIRT AD…'</p>
<p><b>New page</b></p><div><pre><br />
** WHITE information - Unlimited distribution allowed **<br />
** see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions **<br />
<br />
<br />
EGI CSIRT ADVISORY [EGI-ADV-20110615-02]<br />
<br />
Title: High Risk - Torque Authentication Bypass Vulnerability -<br />
Update [EGI-ADV-20110615-02] CVE-2011-2907 <br />
Date: 2011-06-14<br />
Updated: 2011-06-20<br />
Updated: 2011-08-15<br />
<br />
URL: https://wiki.egi.eu/wiki/EGI_CSIRT:Alerts/Torque-2011-06-15<br />
URL: https://wiki.egi.eu/wiki/SVG:Advisory-SVG-2011-2296<br />
<br />
<br />
<br />
Introduction<br />
============<br />
<br />
This is an update to the advisory [EGI-ADV-20110615], as a patch is available <br />
in EPEL, and additionally this vulnerability has been made public. <br />
<br />
This vulnerability has also been assigned CVE-2011-2907.<br />
<br />
<br />
Details<br />
=======<br />
<br />
The advisory sent by CSIRT [EGI-ADV-20110615] intentionally did not <br />
contain full details on the vulnerability, since it was not then public. <br />
<br />
The impact of the vulnerability can be summarized like this:<br />
<br />
If you are running a vulnerable Torque version and have not applied<br />
the recommended "acl_hosts" configuration, an attacker that can<br />
connect to port 15001 on the Torque server from a machine under his<br />
control can submit jobs as any user, bypassing all authentication<br />
checks in Torque. This attack machine may be located anywhere on the<br />
Internet, as long as it can connect to port 15001 on the server.<br />
<br />
Irrespective of this particular vulnerability, the EGI CSIRT strongly<br />
recommends that you always limit network connectivity to port 15001 to<br />
trusted hosts that need to contact it. This includes submit hosts<br />
(CEs), worker nodes and any other machines in the cluster that need<br />
to talk to the Torque server.<br />
<br />
Full details of the vulnerability are now available on the RedHat Bugzilla [R 1].<br />
<br />
This vulnerability has been assigned CVE-2011-2907.<br />
<br />
Affected Software<br />
=================<br />
<br />
At least Torque versions 2.3.13, 2.4.12 and 3.0.1 are vulnerable,<br />
which are commonly used in the EGI infrastructure. Other versions<br />
might also be vulnerable.<br />
<br />
<br />
Mitigation<br />
==========<br />
<br />
Sites should carry out the following mitigating action. As always,<br />
please follow your change management procedure when making<br />
configuration changes in your production environment.<br />
<br />
Step 1: put Torque server behind a firewall (but remember that your<br />
submit hosts and worker nodes need to be able to connect to<br />
it)<br />
<br />
Step 2: for each queue, make the following configuration change<br />
<br />
#Enable queue level host-based ACL<br />
set queue <queuename> acl_host_enable = True<br />
<br />
#Add a list of trusted hosts (such as your CEs) which can submit jobs to this queue<br />
set queue <queuename> acl_hosts = Trusted_CE1, trusted_CE2<br />
<br />
Step 3: test configuration change thoroughly before rolling it into<br />
your production system.<br />
<br />
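An added example, not part of the EGI advisory: a Python check that reads the output of `qmgr -c "print server"` (on standard input) and reports every queue that lacks the Step 2 settings. The queue and host names in the embedded sample are constructed for illustration.

```python
import re
import sys

# Constructed sample of `qmgr -c "print server"` output (hypothetical queues/hosts).
SAMPLE = """\
create queue grid
set queue grid queue_type = Execution
set queue grid acl_host_enable = True
set queue grid acl_hosts = ce1.example.org
set queue grid acl_hosts += ce2.example.org
create queue local
set queue local acl_hosts = ce1.example.org
create queue open
set queue open enabled = True
"""

SET_RE = re.compile(r"^set queue (\S+) (\w+) (\+?=) (.*)$")

def audit_queues(dump):
    """Map each queue lacking the advisory's host ACL to the reason."""
    queues = {}
    for raw in dump.splitlines():
        line = raw.strip()
        if line.startswith("create queue "):
            queues.setdefault(line.split()[2], {"on": False, "hosts": []})
            continue
        m = SET_RE.match(line)
        if not m:
            continue  # comments, server attributes, blank lines
        name, attr, op, value = m.groups()
        q = queues.setdefault(name, {"on": False, "hosts": []})
        if attr == "acl_host_enable":
            q["on"] = value.strip().lower() == "true"
        elif attr == "acl_hosts":
            hosts = [h.strip() for h in value.split(",") if h.strip()]
            # "=" replaces the list, "+=" appends to it
            q["hosts"] = hosts if op == "=" else q["hosts"] + hosts
    findings = {}
    for name, q in queues.items():
        if not q["on"]:
            findings[name] = "acl_host_enable is not True"
        elif not q["hosts"]:
            findings[name] = "acl_host_enable is True but no acl_hosts listed"
    return findings

if __name__ == "__main__":
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for queue, problem in sorted(audit_queues(text).items()):
        print(f"{queue}: {problem}")
```

A queue that lists acl_hosts without enabling acl_host_enable (the "local" queue in the sample) is still reported, since the host list is not enforced until the ACL is switched on.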
<br />
Component Installation information<br />
==================================<br />
<br />
A patch is now available from RedHat EPEL.<br />
<br />
The updates are detailed fully in the release notes:<br />
<br />
https://admin.fedoraproject.org/updates/torque-2.5.7-1.el4.1<br />
https://admin.fedoraproject.org/updates/torque-2.5.7-1.el5.1<br />
https://admin.fedoraproject.org/updates/torque-2.5.7-1.el6<br />
<br />
<br />
<br />
Recommendations<br />
===============<br />
<br />
Sites are strongly recommended to run Torque behind a firewall; in<br />
particular, port 15001 should be restricted so that direct access to<br />
Torque from an untrusted host is not allowed.<br />
<br />
Sites should check the configuration and follow the mitigating action to<br />
prevent the exploitation of this vulnerability in the Torque software.<br />
<br />
Sites should upgrade as soon as is practical, and leave firewalling in place.<br />
<br />
<br />
Credit<br />
======<br />
<br />
This vulnerability was reported by Bartlomiej Balcerek of the Wroclaw Centre<br />
for Networking and Supercomputing Security Team.<br />
<br />
<br />
References<br />
==========<br />
<br />
[R 1] https://bugzilla.redhat.com/show_bug.cgi?id=713090<br />
<br />
Timeline<br />
========<br />
Yyyy-mm-dd<br />
<br />
2011-06-09 Vulnerability reported by Bartlomiej Balcerek, in addition to<br />
reporting to software providers.<br />
2011-06-09 Acknowledgement from the EGI SVG to the reporter<br />
2011-06-13 CSIRT members of SVG carried out further investigations and decided<br />
to recommend mitigating action.<br />
2011-06-14 Advisory drafted with recommended mitigation.<br />
2011-06-15 Advisory revised after further tests<br />
2011-06-16 Advisory sent to EGI sites and NGI security contacts<br />
2011-06-20 Update advisory sent to EGI sites and NGI security contacts<br />
2011-08-11 Patch available in EPEL, information made public and CVE assigned<br />
2011-08-15 Advisory revised<br />
</pre></div>Mingchao