Cray Aprun / Apinit Privilege Escalation

Posted Feb 11, 2014
Authored by Luke Jennings, John Fitzpatrick | Site mwrinfosecurity.com

Apinit and aprun are utilities used to schedule tasks on Cray supercomputers. Apinit runs as a service on compute nodes and aprun is used to communicate with these nodes. The apinit service does not safely validate messages supplied to it through the use of aprun. Users of Cray systems are able to exploit this weakness in order to execute commands on the compute nodes of a Cray supercomputer as arbitrary users, including root (UID 0).

tags | exploit, arbitrary, root
advisories | CVE-2014-0748
SHA-256 | 35dc2988dfa5b20f94f03cac3407ffef1d10ffa10d1fe9bd41390ba183fc8f33

Cray Aprun/Apinit Privilege Escalation
======================================

MWR have identified a vulnerability which allows users to escalate their privileges to root on Cray supercomputers. This advisory details the vulnerability and the patches which Cray customers can apply in order to mitigate this issue.

[Software]: Aprun/apinit (Cray)
[Affected Versions]: This issue was resolved in CLE 5.1.UP00 & CLE 4.2.UP02
[CVE Reference]: CVE-2014-0748
[Authors]: John Fitzpatrick & Luke Jennings
[Severity]: High Risk
[Vendor]: Cray Inc.
[Vendor Response]: Acknowledged, resolved, update provided

Description
===========
Apinit and aprun are utilities used to schedule tasks on Cray supercomputers. Apinit runs as a service on compute nodes, and aprun is used to communicate with these nodes.

The apinit service does not safely validate messages supplied to it through the use of aprun. Users of Cray systems are able to exploit this weakness in order to execute commands on the compute nodes of a Cray supercomputer as arbitrary users, including root (UID 0).

Impact
======
Successful exploitation allows code execution as root on a compute node.

Cause
=====
The vulnerability is caused by a failure to appropriately validate the content of launch messages sent from the aprun utility.

Interim Workaround
==================
N/A, Cray have provided appropriate patches for this issue.

Solution
========
Cray have addressed this issue in CLE 5.1.UP00 and CLE 4.2.UP02. Applying these updates will mitigate this issue. The Cray ID for this issue is FN5912.

Technical Details
=================
On Cray supercomputers, the aprun command provides an interface for users to submit jobs for execution on compute nodes. An example of this is as follows:

gibson$ aprun <command>

When aprun is executed, it receives a placement list of nodes from the Application Level Placement Scheduler (ALPS) detailing the compute nodes available for execution of the job. On receiving this listing, aprun then sends a launch message to the apinit daemon running on the first compute node in this list. The launch message contains various pieces of information, including the user ID (UID) under which the job will be executed. However, it was found that apinit was not validating the UID received from within this message against the trusted UID received over the privileged alpsauth connection. As a result, when apinit forks its child process (referred to as the apshepherd or just shepherd process) to launch and manage the application, the application is run under the UID specified in this launch message.

The UID within the launch message is determined by a call to getuid(), and therefore is controllable by the calling user. For example, an attacker could patch the return value from this call at runtime as aprun executes. This attack can be performed by any user of the system to escalate privileges to any other system user.

Detailed Timeline
=================
Date        Summary
19/07/2013  Issue reported to Cray
19/07/2013  Acknowledgement by Cray and further details provided
20/07/2013  Issue corrected and testing underway
25/07/2013  Testing completed, patch distributed to Cray customers

https://labs.mwrinfosecurity.com/advisories/2014/01/31/cray-aprunapinit-privilege-escalation/