exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

IBM GPFS / Spectrum Scale Command Injection

IBM GPFS / Spectrum Scale Command Injection
Posted Jun 8, 2016
Authored by John Fitzpatrick

IBM GPFS version 4.1.0.0 through 4.1.0.8 and 3.5.0.0 through 3.5.0.30 along with Spectrum Scale versions 4.2.0.0 through 4.2.0.2 and 4.1.1.0 through 4.1.1.6 suffer from a command injection vulnerability.

tags | advisory
advisories | CVE-2016-0392
SHA-256 | d5a184120f34553d5a3f070fe73506ebbb75681cf01c038a98e3fde9002113f4

IBM GPFS / Spectrum Scale Command Injection

Change Mirror Download
###[IBM GPFS / Spectrum Scale Command Injection]###

A command injection vulnerability in GPFS / Spectrum Scale allows attackers to escalate privileges to root

* Product: IBM GPFS / Spectrum Scale
* Severity: High
* CVE Reference: CVE-2016-0392
* Type: Command injection
* Author: John Fitzpatrick (@j0hn__f)
* Date: 2016-06-07


## Description

IBM’s General Parallel File System (GPFS), now known as Spectrum Scale, is affected by a vulnerability that allows an adversary on any system which mounts GPFS to inject commands which are later executed as root.


## Impact

Exploitation of this vulnerability allows any user of a system with a GPFS filesystem mounted to execute commands as root across the GPFS cluster.


## Cause

This is caused by a failure to safely handle arguments supplied to a number of setuid binaries.


## Affected Versions

IBM Spectrum Scale V4.2.0.0 thru V4.2.0.2
IBM Spectrum Scale V4.1.1.0 thru V4.1.1.6
IBM GPFS V4.1.0.0 thru V4.1.0.8
IBM GPFS V3.5.0.0 thru V3.5.0.30
All older IBM GPFS versions no longer supported


## Interim Workaround

IBM have provided patches in order to resolve this issue. It is recommended that these patches (described in the ‘Solution’ section below) are applied. However, if this is not possible some workarounds may also be applied:

Remove the setuid from the files in the /usr/lpp/mmfs/bin directory. These can be identified by running

ls -l /usr/lpp/mmfs/bin | grep r-s

Reset the setuid bit for each such file by issuing this command on each file

chmod u-s file

Once the workaround is applied, a number of commands may no longer work when not invoked by unprivileged users, including:

mmchfileset
mmcrsnapshot
mmdelsnapshot
mmdf
mmedquota
mmgetacl
mmlsdisk
mmlsfileset
mmlsfs
mmlsmgr
mmlspolicy
mmlspool
mmlsquota
mmlssnapshot
mmputacl
mmsnapdir

(These workarounds are taken from the IBM supplied advisory which can be found at: http://www-01.ibm.com/support/docview.wss?uid=isg3T1023763)

If the workarounds would not affect the usability of GPFS within your environment, then MWR recommend applying these workarounds in addition to the IBM supplied patches detailed below.


## Solution

IBM have provided fixes for this issue; however, MWR have not tested the effectiveness of these patches:

For IBM Spectrum Scale V4.2.0.0 thru V4.2.0.2, apply IBM Spectrum Scale V4.2.0.3 available from Fix Central at:
http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Software%2Bdefined%2Bstorage&product=ibm/StorageSoftware/IBM+Spectrum+Scale&release=4.2.0&platform=All&function=all

For IBM Spectrum Scale V4.1.1.0 thru 4.1.1.6 and IBM GPFS V4.1.0.0 thru V4.1.0.8, apply V4.1.1.7 at:
http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Software%2Bdefined%2Bstorage&product=ibm/StorageSoftware/IBM+Spectrum+Scale&release=4.1.1&platform=All&function=all

For IBM GPFS V3.5.0.0 thru V3.5.0.30, apply V3.5.0.31 at:
http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Cluster%2Bsoftware&product=ibm/power/IBM+General+Parallel+File+System&release=3.5.0&platform=All&function=all

For older versions of IBM GPFS, if you have an extended service contract, please contact IBM Service.

(These solutions are taken from the IBM supplied advisory which can be found at: http://www-01.ibm.com/support/docview.wss?uid=isg3T1023763)


## Further Information

The IBM advisory relating to this issue can be found at the following location: http://www-01.ibm.com/support/docview.wss?uid=isg3T1023763

This issue is closely related to a format string issue in GPFS (CVE-2015-0197) found by Florian Grunwo and Felix Wilhelm of ERNW: http://www-01.ibm.com/support/docview.wss?uid=isg3T1022062

Further technical information may be released at a later date when users have had a chance to resolve this issue.


## Detailed Timeline

2016-04-02: Issue reported to vendor
2016-05-31: Patch and vendor advisory released
2016-06-07: MWR advisory released


## Advisory Information

The full MWRLabs maintained advisory can be found here: https://labs.mwrinfosecurity.com/advisories/ibm-gpfs-spectrum-scale-command-injection/


Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close