Weak file permissions may exist on several files after specific debug settings are enabled in IBM Spectrum LSF in a Linux or Unix environment. An attacker could exploit this to escalate privileges. CVE-2020-4278 has been assigned to this issue.
Affected Products and Versions

| Affected Product(s) | Version(s) |
|---|---|
| IBM Platform LSF | 9.1 |
| IBM Spectrum LSF | 10.1 |
| IBM Spectrum LSF Suites | 10.2 |
| IBM Spectrum Computing Suite for High Performance Analytics | 10.2 |
The remediation completely closes the vulnerability. However, it imposes the following limitations:
- Privileged ports cannot be used for LSF daemons. By default, LSF does not use privileged ports.
- /etc/lsf.sudoers cannot be configured to allow non-root users to start LSF daemons.
- /etc/ego.sudoers cannot be configured to allow non-root users to start EGO.
- LSB_UTMP=Y cannot be enabled in lsf.conf. By default, it is not enabled.
No other functions are affected, and normal use of the cluster is not impacted.
These limitations will be removed by a fix in the upcoming LSF 10.1.0.10.
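As an added example that is not part of IBM's bulletin, the following Python audit checks a host against the constraints above before the fix is applied: it parses lsf.conf for LSB_UTMP=Y and privileged daemon ports, checks for the two sudoers files, and walks the LSF directories for group- or world-writable files (the weak-permission condition the bulletin describes). The daemon port parameter names LSF_LIM_PORT, LSF_RES_PORT, LSB_MBD_PORT and LSB_SBD_PORT are assumed from lsf.conf conventions and are not named in the bulletin.

```python
import os
import stat
from typing import Dict, Iterable, List

# Assumed lsf.conf daemon port parameters (not named in the bulletin).
PORT_PARAMS = ("LSF_LIM_PORT", "LSF_RES_PORT", "LSB_MBD_PORT", "LSB_SBD_PORT")
# Files the fixed build no longer honours for non-root daemon start-up.
SUDOERS_FILES = ("/etc/lsf.sudoers", "/etc/ego.sudoers")


def parse_lsf_conf(text: str) -> Dict[str, str]:
    """Parse KEY=VALUE lines; '#' starts a comment, surrounding quotes are stripped."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip().strip('"')
    return conf


def config_findings(conf: Dict[str, str]) -> List[str]:
    """Settings that the remediated build does not support."""
    findings = []
    if conf.get("LSB_UTMP", "").upper() == "Y":
        findings.append("LSB_UTMP=Y is set; the fixed build does not support it")
    for param in PORT_PARAMS:
        value = conf.get(param)
        if value and value.isdigit() and int(value) < 1024:
            findings.append(f"{param}={value} is a privileged port")
    return findings


def sudoers_findings(paths: Iterable[str] = SUDOERS_FILES) -> List[str]:
    """Sudoers files whose non-root start-up feature the fix removes."""
    return [f"{p} exists; non-root daemon start-up is not supported by the fix"
            for p in paths if os.path.exists(p)]


def weak_permission_findings(root: str) -> List[str]:
    """Regular files under root that are writable by group or others."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode  # lstat: do not follow symlinks
            if stat.S_ISREG(mode) and mode & (stat.S_IWGRP | stat.S_IWOTH):
                findings.append(f"{path} mode {stat.filemode(mode)}")
    return findings
```

Run `weak_permission_findings()` against the LSF installation, configuration and log directories (for example the values of LSF_ENVDIR and LSF_LOGDIR on the host); any hit is a candidate for tightening before the debug settings are used again.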
Workarounds and Mitigations
The vulnerability was reported to IBM by Winston S.
21 Feb 2020: Initial Publication
26 Feb 2020: Update 'Workarounds and Mitigations'
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
25 February 2020