BeeGFS 7.1.3 Privilege Escalation

Posted Dec 5, 2019
Authored by John Fitzpatrick

BeeGFS versions 7.1.3 and below suffer from a privilege escalation vulnerability.

tags | advisory
advisories | CVE-2019-15897
SHA-256 | d30029c1850a3b316562ecfdf0823e70e5d8b72548aae0f53565d9c31f6d8df9

============================================
BeeGFS Privilege Escalation (CVE-2019-15897)
============================================

* Software: BeeGFS
* Affected Versions: All versions up to and including 7.1.3
* Vendor: ThinkparQ
* CVE: CVE-2019-15897
* Severity: CVSS 9.6 (Critical) [CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H]
* Author: John Fitzpatrick
* Date: 2019-12-04


Description
===========

BeeGFS is a "leading parallel cluster filesystem", used in many HPC environments. A vulnerability exists in a default installation of BeeGFS which allows users to perform operations that elevate their privileges to root. This is due to a failure to properly authenticate a user when performing filesystem operations. BeeGFS deployments utilising the BeeGFS cloudformation template were also affected by this issue.

Installations which are making use of connection-based authentication, using the “connAuthFile” option to specify a shared key, are not affected by this issue if the shared key is only readable by root. Without a connAuthFile configured, any host able to communicate with the BeeGFS cluster can become part of the cluster and mount the BeeGFS filesystem.

In order to resolve this issue, BeeGFS users should configure connection-based authentication within their environment, ensuring that the shared key is only readable by root. This will prevent non-root users from exploiting this issue, but it will also prevent non-root users from utilising utilities such as beegfs-ctl.


Solution / Workaround
=====================

This vulnerability can be mitigated by making use of the connAuthFile configuration option. This option, whilst intended to restrict which hosts can communicate with BeeGFS, can also be leveraged to prevent non-root users from gaining root as a result of this weakness. This is done by setting the path to a shared key within the BeeGFS configuration file on each node. An example of this is shown below:

connAuthFile = /etc/beegfs/connauthfile

The contents of the connAuthFile can be anything but must be the same on each host, as this is a shared key. If this key is readable by non-root users then it will be ineffective in preventing the attacks described above (although it will still prevent hosts without access to the key from joining the cluster). The key must therefore be configured to be readable only by root:

$ ls -la /etc/beegfs/connauthfile
-rw------- 1 root root 640 Aug 28 02:29 /etc/beegfs/connauthfile
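
An added example (not part of the original advisory or of BeeGFS tooling): a POSIX shell check that a node's BeeGFS configuration file sets connAuthFile and that the key file is non-empty, owned by root, and not accessible to group or others. The "key = value" syntax with "#" comments, the function names and the return codes are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit the connAuthFile mitigation for CVE-2019-15897.
# Assumes config files use "key = value" lines with "#" comments.

# Print the connAuthFile value from a config file (empty if unset).
# Commented-out lines are ignored; the last assignment wins.
conn_auth_path() {
    sed -n 's/^[[:space:]]*connAuthFile[[:space:]]*=[[:space:]]*//p' "$1" |
        sed 's/[[:space:]]*$//' | tail -n 1
}

# audit_conf CONF [UID]
# Returns 0 = ok, 1 = connAuthFile unset, 2 = key file missing or empty,
#         3 = key not owned by UID, 4 = key accessible to group or others.
audit_conf() {
    conf=$1
    want_uid=${2:-0}    # root unless overridden (override exists for testing)
    key=$(conn_auth_path "$conf")
    [ -n "$key" ] || return 1
    [ -s "$key" ] || return 2
    # -n prints the numeric owner, -L follows a symlink to the real key file.
    info=$(ls -lnLd "$key" | awk '{print $1 ":" $3}')
    mode=${info%%:*}
    uid=${info##*:}
    [ "$uid" = "$want_uid" ] || return 3
    # Characters 5-10 of the mode string are the group and other bits.
    case $(printf '%s' "$mode" | cut -c5-10) in
        ------) return 0 ;;
        *)      return 4 ;;
    esac
}

# Audit every config file named on the command line.
for f in "$@"; do
    audit_conf "$f" && echo "OK   $f" || echo "FAIL $f (code $?)"
done
```

Run it on each node against that node's BeeGFS configuration files, for example `sh audit.sh /etc/beegfs/*.conf`; the script name and the glob are assumptions about the local layout.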

With the connAuthFile option configured, BeeGFS will derive a 64-bit key from the file containing the secret, and this value is used to authenticate the communication channels when they are initially established as well as any subsequent communication channels.

When this option is configured, communications which have not first authenticated with this key are ignored and silently dropped by the BeeGFS cluster.
This mitigation does prevent non-root users from using any BeeGFS utilities (beegfs-ctl, beegfs-check-servers, etc.).

No specific fix has been provided by BeeGFS for this vulnerability; therefore, updating versions of BeeGFS will (currently) not resolve this issue. The workaround described above is the officially supported recommendation from BeeGFS.

The BeeGFS cloudformation templates have been updated in order to make use of a shared key.


Timeline
========

2019-08-23: Issue reported to ThinkparQ
2019-08-26: Acknowledgement from ThinkparQ
2019-09-05: Details of proposed remediation from ThinkparQ and proposed disclosure date
2019-11-17: HPCsec pre-advisory published
2019-11-19: Confirmation that cloudformation templates have been updated
2019-12-04: Advisory published

=================================================
https://www.hpcsec.com/2019/12/04/cve-2019-15897/
=================================================
