=============================================================================== Readme file for: IBM Platform LSF for SAS Product/Component Release: 9.1.1.1 SAS Update name: Fix 447801 Fix ID: LSF-9.1.1.1-build447801 Publication date: 29 Aug 2017 Last modified: 29 Aug 2017 APAR: P102180 Abstract The fix enhances LSF security of authorizing user credentials for the data stream between LSF clients and servers. It addresses CVE-2017-1205. Description LSF uses an external authentication framework to secure user credentials for the data stream between LSF clients and servers. By default, LSF provides an eauth executable file, which takes a static authorization key to encrypt the data. As part of the installation process, changing the default key is important to prevent unauthorized access. However, many sites do not change this default key and are therefore vulnerable to CVE-2017-1205. This defect was present and undetected for over ten years, even during previous third party security reviews. There are no reported instances of anyone having exploited this defect to gain root privileges. This fix addresses CVE-2017-1205 by enhancing the default eauth executable file to automatically generate site-specific keys, and is available for all supported versions of LSF on all supported operating systems. Sites that use LSF Kerberos authentication are not affected by this issue, but installing this fix addresses potential vulnerabilities if LSF Kerberos authentication is unavailable. This fix consists of two parts: 1. MANDATORY: Update mbatchd, sbatchd, res, lsadmin, and badmin binary files. These updates address the potential root exploit. 2. RECOMMENDED: Replace the default eauth executable file with eauth.cve. This update addresses the potential replay attack. You must replace the eauth executable file on all hosts simultaneously, which requires LSF to be shut down. Default eauth executable The new default eauth executable file is enhanced to automatically generate a site-specific key by using 128-bit AES encryption. The new eauth executable file is named as eauth.cve in the fix. It can be directly replaced the default eauth executable file for the authentication between LSF clients and servers in the same LSF cluster. You must replace all binary files to fully address CVE-2017-1205. To ensure that you correctly enable the enhancements in your LSF clusters, check the following: 1) The new eauth executable file rejects LSF requests from the host with the UTC time offset of more than 5 minutes compared with the server host. 2) You must install the new eauth executable file to all LSF hosts in the LSF cluster to work together. Otherwise, LSF commands that run on the hosts without the new eauth executable file will encounter authentication problems. 3) The enhancements do not support LSF distributions earlier than Version 8.3. If there are any LSF hosts that are running these earlier versions of LSF, the entire whole LSF cluster cannot apply the new eauth executable file as the default eauth method. If you are using earlier version of LSF, use LSF Kerberos authentication or your own authentication method. IMPORTANT: If you are using IBM Platform RTM, you must also patch IBM Platform RTM to work with the newly patched LSF. The eauth fix for IBM Platform Process Manager is not mandatory and fixes a separate issue in IBM Platform Process Manager. =============================================================================== ========================= CONTENTS ========================= 1. Abbreviations 2. About IBM Platform LSF 3. Supported operating systems 4. Products or components affected 5. Installation and Configuration 6. Copyright ========================= 1. Abbreviations ========================= N/A ========================= 2. About IBM Platform LSF ========================= The IBM Platform LSF ("LSF", short for load sharing facility) software is industry-leading enterprise-class software that distributes work across existing heterogeneous IT resources creating a shared, scalable, and fault-tolerant infrastructure, delivering faster, more reliable workload performance while reducing cost. LSF balances load and allocates resources, while providing access to those resources. ========================= 3. Supported operating systems ========================= SLES 10/11, RHEL 5/6/7 x86_64 AIX 6/7, 64-bit ========================= 4. Products or components affected ========================= LSF/eauth, LSF/mbatchd, LSF/sbatchd, LSF/res, LSF/badmin, LSF/lsadmin, LSF/sec_ego_default.so ========================= 5. Installation and Configuration ========================= (LSF_TOP=Full path to the top-level installation directory of LSF.) Follow the steps in section 5.1 or section 5.2 depending on whether you want to apply only the mandatory portion of the Fix, or the entire Fix. 5.1 To only apply the mandatory part of the Fix ------------------------------------------------ 1. Log on to the LSF master host as root, and set up the environment: - For csh or tcsh: % source LSF_TOP/conf/cshrc.lsf - For sh, ksh, or bash: $ . LSF_TOP/conf/profile.lsf 2. Shut down the LSF cluster with the following commands: badmin hshutdown all lsadmin resshutdown all lsadmin limshutdown 3. Back up the following files in your existing installation: - $LSF_SERVERDIR/mbatchd - $LSF_SERVERDIR/sbatchd - $LSF_SERVERDIR/res - $LSF_SERVERDIR/../bin/badmin - $LSF_SERVERDIR/../bin/lsadmin - $LSF_SERVERDIR/../lib/sec_ego_default.so 4. Copy files from the Fix directory to your current installation. - Copy mbatchd in this Fix to $LSF_SERVERDIR/mbatchd - Copy sbatchd in this Fix to $LSF_SERVERDIR/sbatchd - Copy res in this Fix to $LSF_SERVERDIR/res - Copy badmin in this Fix to $LSF_SERVERDIR/../bin/badmin Run chmod u+s $LSF_SERVERDIR/../bin/badmin to configure badmin as setuid to root - Copy lsadmin in this Fix to $LSF_SERVERDIR/../bin/lsadmin Run chmod u+s $LSF_SERVERDIR/../bin/lsadmin to configure lsadmin as setuid to root - Copy sec_ego_default.so in this Fix to $LSF_SERVERDIR/../lib/sec_ego_default.so 5. Log on to the LSF master host as root, and start the LSF cluster with the following commands: lsadmin limstartup lsadmin resstartup all badmin hstartup all 5.2 To apply the entire Fix ----------------------------------- 1. Log on to the LSF master host as root, and shut down the LSF cluster: a. Set your environment: - For csh or tcsh: % source LSF_TOP/conf/cshrc.lsf - For sh, ksh, or bash: $ . LSF_TOP/conf/profile.lsf b. Shut down the LSF cluster with the following commands: badmin hshutdown all lsadmin resshutdown all lsadmin limshutdown 2. Back up the following files in your existing installation: - $LSF_SERVERDIR/eauth - $LSF_SERVERDIR/mbatchd - $LSF_SERVERDIR/sbatchd - $LSF_SERVERDIR/res - $LSF_SERVERDIR/../bin/badmin - $LSF_SERVERDIR/../bin/lsadmin - $LSF_SERVERDIR/../lib/sec_ego_default.so 3. Copy files from the Fix directory to your current installation. - Copy eauth.cve in this Fix to $LSF_SERVERDIR/eauth Run chmod u+s $LSF_SERVERDIR/eauth to configure eauth as setuid to root - Copy mbatchd in this Fix to $LSF_SERVERDIR/mbatchd - Copy sbatchd in this Fix to $LSF_SERVERDIR/sbatchd - Copy res in this Fix to $LSF_SERVERDIR/res - Copy badmin in this Fix to $LSF_SERVERDIR/../bin/badmin Run chmod u+s $LSF_SERVERDIR/../bin/badmin to configure badmin as setuid to root - Copy lsadmin in this Fix to $LSF_SERVERDIR/../bin/lsadmin Run chmod u+s $LSF_SERVERDIR/../bin/lsadmin to configure lsadmin as setuid to root - Copy sec_ego_default.so in this Fix to $LSF_SERVERDIR/../lib/sec_ego_default.so 4. Log on to the LSF master host as root, and start up the LSF cluster with the following commands: lsadmin limstartup lsadmin resstartup all badmin hstartup all ========================= 6. Copyright ========================= ©Copyright IBM Corporation 2017 U.S. Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp. IBM®, the IBM logo and ibm.com®, are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml.