===============================================================================
Readme file for: IBM Spectrum LSF
Product/Component Release: 9.1.1 SAS
Update name: Fix 504499
Fix ID: Build 504499
Publication date: 31 October 2018
Last modified: 31 October 2018
D-APAR#: P102728
Abstract
The fix enhances LSF security of authorizing user credentials to prevent attacking by preloading getuid function. It addresses CVE-2018-1724.
Description
LSF uses an external authentication framework to secure user credentials for the data stream between LSF clients and servers. Addressed by CVE-2018-1724, there is an attacking method that, when submitting a job, users can preload the getuid and change the job user.
This defect was present and undetected for over ten years, even during previous third party security reviews. However, there are no reported instances of anyone having exploited this defect to change the job user.
This fix addresses CVE-2018-1724 by enhancing the eauth executable file to prevent the preloading of getuid to avoid the users changing their job user at job submission time. To prevent preloading in eauth entirely, this fix provides two new options for the hostsetup script.
A summary of the steps to apply this fix is as follows (for detailed steps, follow section 5, Installation and configuration):
1. Back up the original eauth file.
2. Copy the eauth.cve file to eauth in the LSF_SERVERDIR directory, making sure that the privileges are the same as before.
3. On each host, run hostsetup --ext-serverdir="ext_serverdir" --eauth-key=”your-eauth-key” with root privileges.
The new options that this fix introduces for the hostsetup script are: --ext-serverdir and --eauth-key.
--ext-serverdir: Specify the location of the eauth executable file.
must be accessible to the local host where hostsetup is running.
--eauth-key: Specify the key string. Running this command option
writes the following line to the /etc/lsf.sudoers file:
LSF_EAUTH_KEY="key"
The hostsetup --ext-serverdir command option performs the following actions:
1. Create a soft link from the cluster’s lsf.conf to /etc/lsf.conf,
2. Write values for the LSF_EXT_SERVERDIR, LSF_SERVERDIR, and LSF_ENV_OVERRIDE=N parameters to the /etc/lsf.conf file.
3. Copy eauth and esub* to the LSF_EXT_SERVERDIR directory, give it root privileges, and set the S bit to eauth.
LSF_ENV_OVERRIDE=N means that LSF will only use parameters values in /etc/lsf.conf, also LSF_SERVERDIR, LSF_BINDIR, LSF_LIBDIR must be defined.
If the LSF_EXT_SERVERDIR parameter is configured, LSF uses the eauth under this directory. Do not remove the eauth file in the LSF_SERVERDIR directory for compatibility reasons.
Because this issue does not impact Windows, eauth.cve.exe is the only file for Windows platforms. For Windows hosts, after patching this fix, shut down the LSF cluster, then rename eauth.exe to eauth.bak.exe, and eauth.cve.exe to eauth.exe, then start up the LSF cluster.
Sites that use LSF Kerberos authentication are not affected by this issue, but installing this fix addresses potential vulnerabilities if LSF Kerberos authentication is unavailable.
NOTES:
1. If ego feature is enabled, set EGO_SERVERDIR in the $EGO_CONFDIR/ego.conf
2. For the hostsetup --eauth-key command option, when using special characters, you must use an escape character before the special character, which is the same as other shell terminal input. For example: hostsetup --top="$LSF_TOP" --eauth-key="\&abdfef"
3. No security issue in pure windows cluster, Please do not apply Fix 504499 in pure windows cluster
IMPORTANT:
1. For SAS users, additional binaries are required to be obtained and applied to the environment to complete the fix.
===============================================================================
=========================
CONTENTS
=========================
1. Abbreviations
2. About IBM Spectrum LSF for SAS
3. Supported operating systems
4. Products or components affected
5. Installation and configuration for non-Windows
6. Installation and configuration for Windows
7. Copyright
=========================
1. Abbreviations
=========================
N/A
=========================
2. About IBM Spectrum LSF
=========================
The IBM Spectrum LSF ("LSF", short for load sharing facility) software is industry-leading enterprise-class software that distributes work across existing heterogeneous IT resources creating a shared, scalable, and fault-tolerant infrastructure, delivering faster, more reliable workload performance while reducing cost. LSF balances load and allocates resources, while providing access to those resources.
=========================
3. Supported operating systems
=========================
Linux2.6-glibc2.3-x86_64
win-x64
aix-64
hpuxia64
sparc-sol10-64
x86-64-sol10
=========================
4. Products or components affected
=========================
Affected components for non-Windows include: LSF/eauth.cve, LSF/hostsetup, LSF/lim, LSF/pim, LSF/mbatchd, LSF/mbschd, LSF/sbatchd, LSF/res, LSF/bsub, LSF/bmod, LSF/badmin, LSF/lsadmin, LSF/bmgroup, LSF/bstatus, LSF/bmig, LSF/bstop, LSF/bapp, LSF/lseligible, LSF/lsreconfig, LSF/lsreghost, LSF/lsfrestart, LSF/lsrtasks, LSF/bswitch, LSF/lsfshutdown, LSF/lsrun, LSF/bparams, LSF/btop, LSF/bbot, LSF/bpeek, LSF/bugroup, LSF/bchkpnt, LSF/bpost, LSF/busers, LSF/bclusters, LSF/lsfstartup, LSF/bconf, LSF/bqueues, LSF/bread, LSF/lsgrun, LSF/bgadd, LSF/lshosts, LSF/bgbroker, LSF/breconfig, LSF/egoconfig, LSF/lsid, LSF/bgdel, LSF/brequeue, LSF/egoenv, LSF/lsinfo, LSF/bgmod, LSF/bresize, LSF/egoexec, LSF/lsload, LSF/bgpinfo, LSF/bresources, LSF/lsloadadj, LSF/bhist, LSF/brestart, LSF/egosh, LSF/lslockhost, LSF/bhosts, LSF/bresume, LSF/lslogin, LSF/bhpart, LSF/brlainfo, LSF/bjdepinfo, LSF/brsvadd, LSF/bjgroup, LSF/brsvdel, LSF/bjobs, LSF/brsvmod, LSF/bkill, LSF/brsvs, LSF/lsacct, LSF/lsmon, LSF/blaunch, LSF/blimits, LSF/bsla, LSF/lsadmin, LSF/bmg, LSF/bslots, LSF/lsclusters, LSF/lsrcp, LSF/nios, LSF/melim, LSF/egosh, LSF/egosc LSF/schmod_demand.so, LSF/schmod_bluegene.so, LSF/schmod_cpuset.so, LSF/schmod_dist.so, LSF/schmod_jobweight.so, LSF/schmod_mc.so, LSF/schmod_pset.so, LSF/schmod_rms.so, LSF/schmod_xl.so, libbat.a, libbat.so, liblsf.a, liblsf.so, lsbatch.h, lsf.h
Affected components for Windows include:
LSF/eauth.cve.exe
=========================
5. Installation and Configuration for non-Windows
=========================
NOTE: Following steps take Linux platform as an example.
5.1 Before installation
(LSF_TOP=Full path to the top-level installation directory of LSF.)
1) Log on to the LSF master host as root
2) Set your environment:
- For csh or tcsh: % source LSF_TOP/conf/cshrc.lsf
- For sh, ksh, or bash: $ . LSF_TOP/conf/profile.lsf
5.2 Installation steps
Follow the complete installation procedure on every host to use LSF with non-shared file systems.
1) Uncompress the patch package lsf9.1.1_*-504499.tar.Z (for example lsf9.1.1_linux2.6-glibc2.3-x86_64-504499.tar.Z for Linux) to directory "./patch"
2) Backup and replace "LSF_TOP/9.1/include/lsf/* " with files from "./patch/include/lsf/* "
3) Backup and replace "LSF_TOP/9.1/install/hostsetup" with files from "./patch/install/hostsetup"
4) Backup and replace "$LSF_LIBDIR/* " with files from "./patch/linux2.6-glibc2.3-x86_64/lib/* "
5) Backup and replace "$LSF_BINDIR/* " with files from "./patch/linux2.6-glibc2.3-x86_64/bin/* "
6) Backup and replace "$LSF_SERVERDIR/* " with files from "./patch/linux2.6-glibc2.3-x86_64/etc/* "
NOTE:
Not all binaries under "$LSF_LIBDIR", "$LSF_BINDIR", "$LSF_SERVERDIR" are updated, for simple we just backup all the binaries in above steps.
5.3 After installation
1) Run badmin hshutdown all
2) Run lsadmin resshutdown all
3) Run lsadmin limshutdown all
4) Back up the eauth on all installed hosts as eauth.bak
5) Copy the eauth.cve to replace the eauth on all LSF hosts
6) Run chmod u+s $LSF_SERVERDIR/eauth to configure eauth as setuid to root
7) If cluster is a heterogenous cluster with shared installation, set LSF_LINK_PATH in $LSF_ENVDIR/lsf.conf to a local machine path
8) Run hostsetup --ext-serverdir --eauth-key to specify the security eauth path with root privileges.
9) Change LSF_SERVERDIR=$LSF_LINK_PATH/etc in $LSF_ENVDIR/lsf.conf
10) If ego feature is enabled, set EGO_SERVERDIR in the $EGO_CONFDIR/ego.conf
11) Run lsadmin limstartup all
12) Run lsadmin resstartup all
13) Run badmin hstartup all
=========================
6. Installation and Configuration for Windows
=========================
6.1 Before installation
None
6.2 Installation steps
1) Log on to the LSF master host as LSF cluster administrator
2) Run badmin hshutdown all
3) Run lsadmin resshutdown all
4) Run lsadmin limshutdown all
5) Log on to the Windows host as administrator
6) Copy the eauth.cve.exe in this fix to LSF_SERVERDIR on the Windows host
6.3 After installation
1) Log on to the Windows host as administrator
2) Backup the eauth.exe on the Windows host as eauth.bak.exe
3) Copy the eauth.cve.exe to replace the eauth.exe on the Windows host
4) Log on to the LSF master host as LSF cluster administrator
5) Run lsadmin limstartup all
6) Run lsadmin resstartup all
7) Run badmin hstartup all
=========================
7. Copyright
=========================
©Copyright IBM Corporation 2018
U.S. Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
IBM®, the IBM logo and ibm.com®, are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml.