[Triumf-linux-managers] Torque/OpenPBS local root privilege
escalation vulnerability (fwd)
Denice
deatrich at triumf.ca
Wed Oct 25 10:58:43 PDT 2006
Renee asked me to forward this notice to the list; it concerns
a vulnerability in torque/openpbs.
Other links concerning this vulnerability:
http://glite.web.cern.ch/glite/packages/R3.0/updates.asp
http://csirt.fe.up.pt/docs/TORQUE-audit.pdf
Apparently PBS-pro is also affected by this vulnerability; GridKa
shut down batch processing for the weekend, waiting for a patch
from the provider.
cheers,
denice
---------- Forwarded message ----------
Date: Fri, 20 Oct 2006 19:58:58 +0200
From: EGEE BROADCAST <egee-broadcast at cern.ch>
To: project-lcg-security-contacts at cern.ch
Subject: Torque/OpenPBS local root privilege escalation vulnerability
This email has been sent in copy mode
From : Romain.Wartel at cern.ch
Cc : project-lcg-security-contacts at cern.ch
------------------------------------------------------------------------------------
Publication from : Romain Wartel <Romain.Wartel at cern.ch> ()
This mail has been sent using the broadcasting tool available at http://cic.in2p3.fr
------------------------------------------------------------------------------------
Dear Site Admins and Security Contacts,
As announced earlier today, Torque is currently affected by a security flaw.
A patch is now out and all affected sites are invited to upgrade immediately.
=============================================================================
Torque/OpenPBS local root privilege escalation vulnerability
Grid Software Vulnerability Group Security Advisory
-- Date: 2006-10-20
-- Background
Torque/OpenPBS is the batch job manager that implements the mechanism
for job submission to the local computing nodes.
Pbs_mom is Torque/OpenPBS's component that manages the lifecycle of
batch jobs on the Worker Nodes and provides the node status to the
Torque/OpenPBS server part.
-- Affected Software
gLite <= 1.5, LCG <= 2.7.x, gLite <= 3.0.x.
-- Affected Components
All versions of OpenPBS and Torque are affected.
For gLite 3.x the affected meta-packages are:
glite-torque-client-config
lcg-CE_torque
glite-torque-server-config
glite-CE
For LCG 2.x the affected meta-package is lcg-WN_torque.
For gLite 1.x the affected component is "Torque Client for the gLite
Worker Nodes".
EGEE Grid software installs torque-1.0.1p6 by default, but it is known
that sites tend to use newer versions of Torque or older versions of
OpenPBS. Such setups are also vulnerable.
-- Vulnerability Details
By creating a malicious symbolic link, a local attacker could easily gain
root privileges on any node running pbs_mom (typically Worker Node).
Torque/OpenPBS's pbs_mom writes the output and error messages
from user jobs to predictable files using root privileges.
Unfortunately, Torque/OpenPBS is affected by a flaw that can enable
a malicious user to symlink to any file on the system from these
Torque/OpenPBS files, causing the output/error messages to be appended
to arbitrary files. As a result, it is possible for the attacker to
create, modify or execute arbitrary files on the system with root
privileges.
-- Grid Security Vulnerability Group Response
The Grid Security Vulnerability Group views this issue as EXTREMELY
CRITICAL and strongly recommends that all sites using Torque/OpenPBS
upgrade to the latest version of Torque/OpenPBS IMMEDIATELY, following
the directions of the "Installation Notes" section.
-- Further documentation
This advisory is also available at the following URL:
http://www.gridpp.ac.uk/gsvg/
-- Installation Notes
The following rpms have been made available:
torque-1.0.1p6-13.SL30X.st.i386.rpm
torque-clients-1.0.1p6-13.SL30X.st.i386.rpm
torque-devel-1.0.1p6-13.SL30X.st.i386.rpm
torque-resmom-1.0.1p6-13.SL30X.st.i386.rpm
torque-server-1.0.1p6-13.SL30X.st.i386.rpm
These are appropriate to fix what is distributed with gLite 3.0 and LCG-2_7_0.
They are available in the appropriate repositories for each distribution.
http://glitesoft.cern.ch/EGEE/gLite/APT/R3.0/rhel30/RPMS.updates/
http://grid-deployment.web.cern.ch/grid-deployment/gis/apt/LCG-2_7_0/sl3/en/i386/RPMS.lcg_sl3.security/
We are distributing the full rpm set, but please note that the
vulnerability is patched by upgrading the pbs_mom on the WNs. An
upgrade of the head node is not strictly required.
After the upgrade, please ensure that pbs_mom has restarted properly
(the rpm update should do this automatically).
-- Credit
This vulnerability was disclosed[1] in the BugTraq mailing list by Luis
Miguel Silva (ISPGaya). The vulnerability was reported to the GSVG
by Eygene Ryabinkin (RRC-KI).
-- Disclosure Timeline
2006-10-18 Vulnerability disclosed in the BugTraq list by Luis Miguel Silva (ISPGaya).
2006-10-20 Vulnerability reported to GSVG by Eygene Ryabinkin (RRC-KI)
2006-10-20 Initial response from the Grid Security Vulnerability Group
2006-10-20 OSCT notified of the vulnerability
2006-10-20 Initial patch provided by GSVG
2006-10-20 Updated sources available
2006-10-20 Updated LCG and gLite packages available
2006-10-20 Release preparation completed
2006-10-20 Public disclosure
2006-10-20 Site Admins and LCG Security Contacts notified
-- References
1. The original BugTraq thread:
http://www.securityfocus.com/archive/1/449248/30/0/threaded
=============================================================================
Regards,
Romain, on behalf of the Operational Security Coordination Team.
--
Romain Wartel Romain.Wartel at cern.ch
C.E.R.N. http://www.cern.ch/LCG
Information Technology Division http://cern.ch/security
Bat.28-R-1-012
CH-1211 Geneva 23, Switzerland
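
The flaw class described under "Vulnerability Details" (a privileged daemon appending to a predictable path that a local user can replace with a symbolic link) is closed by refusing to follow links when the file is opened. The following is an added example, not code from the advisory or from Torque; `open_job_output`, `demo` and the file names are hypothetical, and the demo runs in a constructed temporary directory.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper (not Torque code): open a job output file for append
 * without following a symlink planted at the predictable path. */
int open_job_output(const char *path)
{
    struct stat st;
    /* O_NOFOLLOW: fail with ELOOP if the last path component is a symlink. */
    int fd = open(path, O_WRONLY | O_APPEND | O_CREAT | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;
    /* Check the object actually opened, not its name: a regular file with
     * exactly one hard link. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Constructed demo in a temp directory: returns 1 if the output file was
 * opened, 0 if refused, -1 on setup error or if the link target changed. */
int demo(int plant_symlink)
{
    char dir[] = "/tmp/spoolXXXXXX", target[64], out[64];
    struct stat st;
    if (!mkdtemp(dir))
        return -1;
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(out, sizeof out, "%s/job.out", dir);
    close(open(target, O_WRONLY | O_CREAT, 0600));
    if (plant_symlink && symlink(target, out) != 0)
        return -1;
    int fd = open_job_output(out);
    if (fd >= 0 && write(fd, "job output\n", 11) != 11)
        return -1;
    if (fd >= 0) close(fd);
    int target_ok = stat(target, &st) == 0 && st.st_size == 0;
    unlink(out); unlink(target); rmdir(dir);
    return target_ok ? fd >= 0 : -1;
}
int main(void) { printf("%d %d\n", demo(1), demo(0)); return 0; }
```

O_NOFOLLOW only protects the final path component, so the directory holding the output files must not be writable by job users, or the file should be opened with the job owner's privileges rather than root's.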