[torqueusers] security advisory

Ken Nielson knielson at adaptivecomputing.com
Fri Sep 6 11:12:27 MDT 2013


*TORQUE Security Advisory - 6 September 2013*

*-------------------------------------------*


*Vulnerability:* A non-privileged user who can run jobs or login to a
node running
pbs_server or pbs_mom can submit an arbitrary job to the cluster; that job
can run as root. The user can submit a command directly to a pbs_mom daemon
to queue and run a job. A malicious user could use this vulnerability to
remotely execute code as root on the cluster.


*Versions Affected:* All versions of TORQUE


*Mitigating Factors:*

- The user must be logged in on a node that is already legitimately able to
contact pbs_mom daemons or submit jobs.

- If a user submits a job via this defect and pbs_server is running,
pbs_server will kill the job unless job syncing is disabled. It may take up
to 45 seconds for pbs_server to kill the job.

- There are no known instances of this vulnerability being exploited.


*Remedy: *All TORQUE users should patch their systems using the following
instructions:


For 2.5.x versions of TORQUE:

----------------------------

1. Download the patch file:

     $ wget
http://www.adaptivecomputing.com/torquepatch/fix_mom_priv_2.5.patch

2. Run the patch command in the root directory of the TORQUE source tree:

     $ patch -p1 < fix_mom_priv_2.5.patch

3. Recompile TORQUE:

     $ make

4. Install TORQUE:

     $ sudo make install

5. Restart pbs_mom (pbs_server is not affected)



For 4.x versions of TORQUE:

----------------------------

1. Download the patch file:

     $ wget http://www.adaptivecomputing.com/torquepatch/fix_mom_priv.patch

2. Run the patch command in the root directory of the TORQUE source tree:

     $ patch -p1 < fix_mom_priv.patch

3. Recompile TORQUE:

     $ make

4. Install TORQUE:

     $ sudo make install

5. Restart pbs_mom (pbs_server is not affected)


*What the Patch Does*: The patch checks that the connection to the pbs_mom
daemon is coming from a privileged port. This follows the security model
that only privileged users should be able to submit arbitrary jobs.


*Attribution*: This vulnerability was discovered by John Fitzpatrick of MWR
InfoSecurity. Matt Ezell of Oak Ridge National Laboratory assisted in
creating the patch. We thank these individuals for helping to improve
TORQUE.


If you have any further questions, please contact your Adaptive Computing
Support representative.



-- 
Ken Nielson
+1 801.717.3700 office +1 801.717.3738 fax
1712 S. East Bay Blvd, Suite 300  Provo, UT  84606
www.adaptivecomputing.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.supercluster.org/pipermail/torqueusers/attachments/20130906/6ea3f1ac/attachment.html 


More information about the torqueusers mailing list