Security Bulletin: Weak file permissions may exist in IBM Spectrum LSF in a Linux or Unix environment

Published: 2020-02-26 01:23:17
Source: www.ibm.com

EPSS: 0.0004 (Low), percentile 5.1%

Summary

Weak file permissions may exist on several files after specific debug settings are enabled in IBM Spectrum LSF in a Linux or UNIX environment. An attacker could potentially exploit this to escalate privileges. CVE-2020-4278 has been assigned to this issue.

Vulnerability Details

Refer to the security bulletin(s) listed in the Remediation/Fixes section.

Affected Products and Versions

Affected Product(s) Version(s)
IBM Platform LSF 9.1
IBM Spectrum LSF 10.1
IBM Spectrum LSF Suites 10.2
IBM Spectrum Computing Suite for High Performance Analytics 10.2

Remediation/Fixes

Remove the setuid bit from the following binaries with the "chmod -s <filename>" command: lsadmin, badmin, egosh, utmpreg.

This remediation completely closes the vulnerability, with the following limitations:
- Privileged ports cannot be used for LSF daemons. By default, LSF does not use privileged ports.
- /etc/lsf.sudoers cannot be configured to let non-root users start LSF daemons.
- /etc/ego.sudoers cannot be configured to let non-root users start EGO.
- LSB_UTMP=Y cannot be enabled in lsf.conf. By default it is not enabled.

No other functions are affected, and normal use of the cluster is not impacted.
These limitations will be removed by a fix in the upcoming LSF 10.1.0.10 release.
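The following script is an added example and not IBM's own tooling: it audits the four binaries named above for the setuid bit, strips the setuid and setgid bits (equivalent to the bulletin's "chmod -s"), verifies that none of them is still setuid afterwards, and then flags the configuration the bulletin says will stop working once the bits are gone (LSB_UTMP=Y in lsf.conf, and the presence of /etc/lsf.sudoers or /etc/ego.sudoers). The binary directory, the lsf.conf path and the directory holding the sudoers files are caller-supplied assumptions, since the bulletin does not give install paths; the demo at the bottom runs against a constructed temporary directory rather than a real cluster.

```shell
#!/bin/sh
# Added example, not IBM's code. Audits and remediates the setuid binaries
# named in the bulletin for CVE-2020-4278 and reports configuration that
# conflicts with the remediation. Every path is an assumption passed in by
# the caller; nothing here is hard-coded to a real LSF installation.

LSF_SUID_BINARIES="lsadmin badmin egosh utmpreg"

# count_setuid BINDIR: print how many of the four binaries under BINDIR still
# carry the setuid bit. Files that do not exist are skipped. Each setuid file
# is also named on stderr so an operator can see what will be changed.
count_setuid() {
    bindir=$1
    n=0
    for name in $LSF_SUID_BINARIES; do
        f="$bindir/$name"
        if [ -f "$f" ] && [ -u "$f" ]; then
            echo "setuid set: $f" >&2
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# strip_setuid BINDIR: remove the setuid and setgid bits from the four
# binaries (the same effect as the bulletin's "chmod -s <filename>"), then
# re-check. Returns 0 only if none of them is setuid afterwards.
strip_setuid() {
    bindir=$1
    for name in $LSF_SUID_BINARIES; do
        f="$bindir/$name"
        if [ -f "$f" ]; then
            chmod a-s "$f"
        fi
    done
    [ "$(count_setuid "$bindir" 2>/dev/null)" = 0 ]
}

# utmp_enabled LSF_CONF: returns 0 if the given lsf.conf enables LSB_UTMP.
# Commented-out lines and LSB_UTMP=N do not count.
utmp_enabled() {
    grep -Eq '^[[:space:]]*LSB_UTMP[[:space:]]*=[[:space:]]*[Yy]' "$1" 2>/dev/null
}

# report_conflicts LSF_CONF [ETCDIR]: print each configuration that the
# bulletin says will no longer work without the setuid bits. ETCDIR defaults
# to /etc and is overridable so the check can run against a constructed tree.
# Returns the number of conflicts found (0 means the remediation is safe).
report_conflicts() {
    conf=$1
    etcdir=${2:-/etc}
    c=0
    if utmp_enabled "$conf"; then
        echo "conflict: LSB_UTMP=Y in $conf (needs setuid utmpreg)"
        c=$((c + 1))
    fi
    for sudoers in "$etcdir/lsf.sudoers" "$etcdir/ego.sudoers"; do
        if [ -f "$sudoers" ]; then
            echo "conflict: $sudoers present (non-root daemon start needs setuid)"
            c=$((c + 1))
        fi
    done
    return "$c"
}

# Stand-alone demo on a constructed directory (not a real LSF install):
# two of the four binaries start out setuid, lsf.conf enables LSB_UTMP.
demo_dir=$(mktemp -d)
for name in $LSF_SUID_BINARIES; do
    : > "$demo_dir/$name"
    chmod 755 "$demo_dir/$name"
done
chmod u+s "$demo_dir/lsadmin" "$demo_dir/utmpreg"
printf 'LSB_UTMP=Y\n' > "$demo_dir/lsf.conf"
mkdir "$demo_dir/etc"

echo "before: $(count_setuid "$demo_dir") setuid binaries"
strip_setuid "$demo_dir" && echo "after: $(count_setuid "$demo_dir") setuid binaries"
report_conflicts "$demo_dir/lsf.conf" "$demo_dir/etc" || echo "conflicts: $?"
rm -rf "$demo_dir"
```

After running strip_setuid on a real cluster, confirm with "ls -l" that the permission string of each binary no longer shows an "s"; if report_conflicts finds LSB_UTMP=Y or a sudoers file, expect the corresponding non-root start or utmp feature to stop working until LSF 10.1.0.10 is installed.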

Workarounds and Mitigations

See Above

CPE Name                 Operator   Version
ibm spectrum lsf         eq         9.1
ibm spectrum lsf         eq         10.1
