
IBM Spectrum LSF Privilege Escalation
Posted Mar 16, 2018
Authored by John Fitzpatrick

A vulnerability was identified within IBM Spectrum LSF which made it possible to impersonate other users when submitting jobs for execution. Additionally, it was found to be possible to impersonate and execute jobs as root, even where root job submission is disabled. Versions affected include 8.3, 9.1.1, 9.1.2, 9.1.3, 10.1, and 10.1.0.1.

tags | advisory, root
advisories | CVE-2017-1205
SHA-256 | 2efba7f49de16c0ab91885eec21b6040948eb64801f0eac0a8e9a23a88545d52

###[IBM Spectrum LSF Privilege Escalation]###

* Software: IBM Spectrum LSF
* Affected Versions: IBM Spectrum LSF 8.3, 9.1.1, 9.1.2, 9.1.3, 10.1, 10.1.0.1
* CVE Reference: CVE-2017-1205
* Author: John Fitzpatrick (@j0hn__f)
* Severity: CVSS 9.3
* Vendor: IBM
* Vendor Response: Fixes provided
* Date: 2018-03-16


### Description

A vulnerability was identified within IBM Spectrum LSF which made it possible to impersonate other users when submitting jobs for execution. Additionally, it was found to be possible to impersonate and execute jobs as root, even where root job submission is disabled.


### Impact

This vulnerability allows for arbitrary code execution as any user of the LSF cluster, including as root. Exploitation should only be possible from hosts listed within lsf.cluster.cluster_name, which typically will include all hosts that form part of the cluster. However, some cluster use cases may be more open using ranges or wildcards; thus, exposure may extend beyond those with cluster access.


### Cause

This issue arises as a result of a series of security oversights within LSF's authentication mechanism:

1. A hardcoded key embedded within the eauth binary, which is shared across all LSF installations, makes it possible for anyone with a copy of eauth to generate authentication tokens for any user in a default installation.

2. Even where eauth is configured to use an external key (non-default), overriding getuid() results in the ability to generate authentication tokens as other users.

3. On receiving job requests, LSF performs authentication and authorisation checks against the authentication token, but then proceeds to submit the job for execution against a UID contained elsewhere in the message, which is not validated. It is this behaviour that circumvents controls that prevent root job execution.


### Interim Workaround

Configure eauth to use an external key and set the setuid bit on the eauth binary in order to prevent users from runtime patching the eauth binary.

Details on how to configure eauth to use an external key can be found here: https://www.ibm.com/support/knowledgecenter/en/SSWRJV_10.1.0/lsf_admin/ext_auth_kerb_lsf_about.html

Eauth can be configured with the setuid bit set in the following manner:

    # chmod 4755 eauth

The guidance above does not resolve LSF's failure to validate the UID under which the job is run. However, unless an authentication token is disclosed, or other vulnerabilities exist, it should not be possible for a user to exploit this weakness without already having administrative rights within the cluster.


### Solution

IBM has provided some updates to address these issues, which can be found within their bulletin here:
http://www-01.ibm.com/support/docview.wss?uid=isg3T1025091

These fixes do not configure LSF to utilise an external key, which should be done by creating a key and setting LSF_EAUTH_KEY within lsf.sudoers:
https://www.ibm.com/support/knowledgecenter/en/SSETD4_9.1.2/lsf_config_ref/lsf.sudoers.5.html

At the time the updates were provided, they failed to set the setuid bit on eauth and so failed to actually resolve a core part of the issue. However, the setuid bit is set on eauth by default in the most recent installations and can be set manually. It should be ensured that your eauth uses an external key, is root owned and has the setuid bit set (chmod 4755).

If eauth has been configured to use an external key, but with no setuid bit set, then a new key should be generated.
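
The three conditions this section asks administrators to ensure (external key, root ownership, setuid bit) can be checked with a short script. This is an added example, not part of the original advisory or of IBM's tooling; the function name audit_eauth is hypothetical, and both file paths are supplied by the caller because their location depends on the installation.

```shell
#!/bin/sh
# Added example: audit the eauth hardening described in this advisory.
# No LSF paths are assumed; pass the eauth binary and lsf.sudoers explicitly.

# audit_eauth EAUTH_BINARY LSF_SUDOERS
# Prints one "FINDING:" line per problem; returns 0 if none, 1 otherwise.
audit_eauth() {
    eauth=$1 sudoers=$2 findings=0

    finding() { printf 'FINDING: %s\n' "$1"; findings=$((findings + 1)); }

    if [ ! -f "$eauth" ]; then
        finding "eauth binary not found: $eauth"
    else
        # Setuid bit, as set by 'chmod 4755 eauth'.
        [ -u "$eauth" ] || finding "setuid bit not set on $eauth"
        # The advisory requires eauth to be root owned (UID 0).
        [ -n "$(find "$eauth" -prune -user 0 -print)" ] ||
            finding "$eauth is not owned by root"
        # Mode 4755 leaves no write access for group or other.
        [ -z "$(find "$eauth" -prune \( -perm -020 -o -perm -002 \) -print)" ] ||
            finding "$eauth is writable by group or other"
    fi

    if [ ! -f "$sudoers" ]; then
        finding "lsf.sudoers not found: $sudoers"
    else
        # An uncommented LSF_EAUTH_KEY with a non-empty value means an
        # external key is configured instead of the key embedded in eauth.
        grep -Eq '^[[:space:]]*LSF_EAUTH_KEY[[:space:]]*=[[:space:]]*[^[:space:]]' "$sudoers" ||
            finding "LSF_EAUTH_KEY not set in $sudoers (embedded default key in use)"
        # The key is a shared secret, so the file holding it should not be
        # readable by anyone other than its owner.
        [ -z "$(find "$sudoers" -prune \( -perm -040 -o -perm -004 \) -print)" ] ||
            finding "$sudoers is readable by group or other"
    fi

    [ "$findings" -eq 0 ]
}
```

Run it on every host in the cluster; a clean result does not show that the key predates the setuid fix, so the key-regeneration advice above still applies.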


### Detailed Timeline

Date Summary
2017-03-28 Issue reported to IBM PSIRT
2017-04-07 IBM report issue resolved, patches and security bulletin released
2017-04-12 Additional technical detail on fixes provided to MWR by IBM PSIRT
2018-03-16 Advisory published by MWR


### Further Information

Further details on eauth and how it works can be found here:
https://www.ibm.com/support/knowledgecenter/en/SSWRJV_10.1.0/lsf_admin/ext_auth_kerb_lsf_about.html

Information on setting up eauth to use an external key:
https://www.ibm.com/support/knowledgecenter/en/SSETD4_9.1.2/lsf_config_ref/lsf.sudoers.5.html

IBM's security bulletin relating to this issue can be found here:
http://www-01.ibm.com/support/docview.wss?uid=isg3T1025091

The original copy of this advisory can be found on the MWR Labs website here:
https://labs.mwrinfosecurity.com/assets/BlogFiles/mwri-ibm-lsf-priv-esc-2018-03-15.pdf