Security Bulletin: Weak file permissions may exist in IBM Spectrum LSF in a Linux or Unix environment

Summary

Weak file permissions may exist on several files after specific debug settings are enabled in IBM Spectrum LSF in a Linux or Unix environment. This could allow an attacker to escalate privileges. CVE-2020-4278 has been assigned to this issue.

Vulnerability Details

Refer to the security bulletin(s) listed in the Remediation/Fixes section.

Affected Products and Versions

Affected Product(s)                                              Version(s)
IBM Platform LSF                                                 9.1
IBM Spectrum LSF                                                 10.1
IBM Spectrum LSF Suites                                          10.2
IBM Spectrum Computing Suite for High Performance Analytics      10.2

Remediation/Fixes

Remove the setuid bit from the following binaries by running the "chmod -s <filename>" command on each of them: lsadmin, badmin, egosh, utmpreg.

The remediation completely closes the vulnerability. However, it imposes the following limitations:
    - Privileged ports cannot be used for LSF daemons. By default, LSF does not use privileged ports.
    - /etc/lsf.sudoers cannot be configured to allow non-root users to start LSF daemons.
    - /etc/ego.sudoers cannot be configured to allow non-root users to start EGO.
    - LSB_UTMP=Y cannot be enabled in lsf.conf. By default, it is not enabled.

No other functions are affected, and normal use of the cluster is not impacted.
These limitations will be removed by a fix in the upcoming LSF 10.1.0.10.
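As an added example (not part of the IBM bulletin), the following POSIX shell functions audit the four binaries named above for the setuid bit and apply the bulletin's "chmod -s" fix, so an administrator can verify the remediation across every LSF bin directory. The binary names are the bulletin's; LSF_TOP and the search for "bin" directories beneath it are assumptions about the installation layout.

```shell
# LSF_TOP is an assumed install root; override it for your cluster.
LSF_TOP="${LSF_TOP:-/opt/ibm/lsf}"
# The four setuid binaries named in the bulletin.
LSF_SUID_BINARIES="lsadmin badmin egosh utmpreg"

# audit_lsf_setuid DIR: print "SETUID <path>" for each bulletin-listed binary
# in DIR that still carries the setuid bit. Returns 0 if none do, 1 otherwise.
audit_lsf_setuid() {
    dir="$1"; found=0
    for name in $LSF_SUID_BINARIES; do
        f="$dir/$name"
        [ -e "$f" ] || continue          # binary not installed here: skip it
        if [ -u "$f" ]; then             # POSIX test: -u is the setuid bit
            printf 'SETUID %s\n' "$f"
            found=1
        fi
    done
    return $found
}

# remediate_lsf_setuid DIR: apply the bulletin's fix ("chmod -s") to each
# setuid binary in DIR, then re-audit. Returns 0 when no setuid bit remains.
remediate_lsf_setuid() {
    dir="$1"
    for name in $LSF_SUID_BINARIES; do
        f="$dir/$name"
        [ -e "$f" ] && [ -u "$f" ] || continue
        chmod -s "$f" || return 1
        printf 'cleared setuid on %s\n' "$f"
    done
    audit_lsf_setuid "$dir" >/dev/null
}

# lsf_setuid_fix_all: run the remediation in every "bin" directory under
# LSF_TOP (assumed layout). Run as root; returns 1 if any bit could not be cleared.
lsf_setuid_fix_all() {
    rc=0
    for d in $(find "$LSF_TOP" -type d -name bin 2>/dev/null); do
        remediate_lsf_setuid "$d" || rc=1
    done
    return $rc
}
```

Run audit_lsf_setuid first on a non-production host to confirm which binaries are affected before calling lsf_setuid_fix_all, since clearing the bit also applies the limitations listed above.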

Workarounds and Mitigations

See Above

Acknowledgement

The vulnerability was reported to IBM by Winston S.

Change History

21 Feb 2020: Initial Publication
26 Feb 2020: Update 'Workarounds and Mitigations'

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

Document Location

Worldwide

Document Information

Modified date:
25 February 2020

UID

ibm13357549