EGI CSIRT:Alerts/openpbs-23-10-2006




------------------------------------------------------------------------
              EGEE Operational Security Coordination Team security alert

Critical vulnerability: OpenPBS/Torque.

Date:    October 23rd 2006
URL:     http://cern.ch/osct/alerts/openpbs-23-10-2006.txt
Rating:  extremely critical 
Affects: gLite <= 1.5, LCG <= 2.7.x, gLite <= 3.0.x.
------------------------------------------------------------------------

The Grid Security Vulnerability Group (GSVG) and the Operational
Security Coordination Team (OSCT) have been made aware of a security
flaw affecting Torque/OpenPBS.  This vulnerability permits a malicious
user to submit a job which can elevate the job's privileges to root.
A user must first have the ability to submit jobs to an OpenPBS/Torque
system in order to exploit it.  All systems running OpenPBS/Torque must
upgrade to the latest version of OpenPBS/Torque.

Original advisory:

Dear Site Admins and Security Contacts,

As announced earlier today, Torque is currently affected by a
security flaw.  A patch is now out and all affected sites are invited
to upgrade immediately.

*******************************************************************
Torque/OpenPBS local root privilege escalation vulnerability

Grid Software Vulnerability Group Security Advisory

-- Date: 2006-10-20

-- Background
Torque/OpenPBS is the batch job manager that implements the mechanism
for job submission to the local computing nodes.

Pbs_mom is Torque/OpenPBS's component that manages the lifecycle
of batch jobs on the Worker Nodes and provides the node status to
the Torque/OpenPBS server part.

-- Affected Software
gLite <= 1.5, LCG <= 2.7.x, gLite <= 3.0.x.

-- Affected Components
All versions of OpenPBS and Torque are affected.

For gLite 3.x the affected meta-packages are:

    glite-torque-client-config
    lcg-CE_torque
    glite-torque-server-config
    glite-CE

For LCG 2.x the affected meta-package is lcg-WN_torque.

For gLite 1.x the affected component is "Torque Client for the gLite
Worker Nodes".

EGEE Grid software installs torque-1.0.1p6 by default, but it is
known that sites tend to use newer versions of Torque or older
versions of OpenPBS. Such setups are also vulnerable.

-- Vulnerability Details
By creating a malicious symbolic link, a local attacker could easily
gain root privileges on any node running pbs_mom (typically a
Worker Node).

The Torque/OpenPBS pbs_mom writes the output and error messages
from user jobs to predictable files with root privileges.

Unfortunately, Torque/OpenPBS is affected by a flaw that can enable
a malicious user to replace these Torque/OpenPBS files with symbolic
links to any file on the system, causing the output/error messages to
be appended to arbitrary files. As a result, it is possible for the
attacker to create, modify or execute arbitrary files on the system
with root privileges.

-- Grid Security Vulnerability Group Response
The Grid Security Vulnerability Group views this issue as EXTREMELY
CRITICAL and strongly recommends that all sites using Torque/OpenPBS
upgrade to the latest version of Torque/OpenPBS IMMEDIATELY, following
the directions of the "Installation Notes" section.

-- Further documentation
This advisory is also available at the following URL:

http://www.gridpp.ac.uk/gsvg/

-- Installation Notes
The following rpms have been made available:

torque-1.0.1p6-13.SL30X.st.i386.rpm
torque-clients-1.0.1p6-13.SL30X.st.i386.rpm
torque-devel-1.0.1p6-13.SL30X.st.i386.rpm
torque-resmom-1.0.1p6-13.SL30X.st.i386.rpm
torque-server-1.0.1p6-13.SL30X.st.i386.rpm

These are appropriate to fix what is distributed with gLite 3.0 and LCG-2_7_0.

They are available in the appropriate repositories for each distribution.

http://glitesoft.cern.ch/EGEE/gLite/APT/R3.0/rhel30/RPMS.updates/
http://grid-deployment.web.cern.ch/grid-deployment/gis/apt/LCG-2_7_0/sl3/en/i386/RPMS.lcg_sl3.security/

We are distributing the full rpm set, but please note that the
vulnerability is patched by upgrading the pbs_mom on the WNs. An
upgrade of the head node is not strictly required.

After the upgrade, please ensure that pbs_mom has restarted properly
(the rpm update should do this automatically).

-- Credit
This vulnerability was disclosed [1] in the BugTraq mailing list by
Luis Miguel Silva (ISPGaya). The vulnerability was reported to the
GSVG by Eygene Ryabinkin (RRC-KI).

-- Disclosure Timeline
2006-10-18 Vulnerability disclosed in the BugTraq list by Luis
           Miguel Silva (ISPGaya).
2006-10-20 Vulnerability reported to GSVG by Eygene Ryabinkin (RRC-KI)
2006-10-20 Initial response from the Grid Security Vulnerability Group
2006-10-20 OSCT notified of the vulnerability
2006-10-20 Initial patch provided by GSVG
2006-10-20 Updated sources available
2006-10-20 Updated LCG and gLite packages available
2006-10-20 Release preparation completed
2006-10-20 Public disclosure
2006-10-20 Site Admins and LCG Security Contacts notified

-- References
1. The original BugTraq thread:
http://www.securityfocus.com/archive/1/449248/30/0/threaded
*******************************************************************

Updated Torque packages have now been released and announced:

*******************************************************************
Dear all (or more specifically, administrators of sites using Torque 1)


The Grid Security Vulnerability Group have been notified of a
vulnerability which they have assessed and consequently classed as
"EXTREMELY CRITICAL".

This vulnerability exists in an external dependency of the gLite
middleware and as such would normally require a patch to come from the
providers of the external software.  However, by good fortune a patch is
available within the gLite middleware teams and this patch is now in the
repositories of the EGEE production and pre-production services.

To reiterate: in the normal course of events, external packages are
distributed with the gLite middleware for convenience *only*.
Distribution of the external packages does *not* imply any
responsibility for this external software on the part of the gLite
middleware teams.  As the gLite middleware teams do not maintain the
external packages of the middleware, they will not normally create
patches for these external packages.  That they are doing so on this
occasion is a special, one-off event.

The details of the vulnerability and the update can be found here:

http://glite.web.cern.ch/glite/packages/R3.0/updates.asp

For more detailed information including fixed bugs, updated RPMs,
configuration changes and how to deploy, please go to the 'Details' link
next to each service on the 'Updates' web page.

All issues found with this update should be reported using GGUS:
www.ggus.org

Source

Parts of this article came from the OSCT wiki; they were written by the EGEE Operational Security Coordination Team.