Weak file permissions may exist on several files after specific debug settings are enabled in IBM Spectrum LSF in a Linux or Unix environment. This has the potential of privilege escalation by an attacker. CVE-2020-4278 is created for this.
Refer to the security bulletin(s) listed in the Remediation/Fixes section.
Affected Product(s) | Version(s)
---|---
IBM Platform LSF | 9.1
IBM Spectrum LSF | 10.1
IBM Spectrum LSF Suites | 10.2
IBM Spectrum Computing Suite for High Performance Analytics | 10.2
Remove the suid bit from these binaries with the `chmod -s <filename>` command: lsadmin, badmin, egosh, utmpreg.
The remediation will completely close the exploit. However, there will be the following limitations:
- Privileged ports cannot be used for LSF daemons. By default LSF does not use privileged ports.
- Cannot configure /etc/lsf.sudoers to enable non-root to start LSF daemons.
- Cannot configure /etc/ego.sudoers to enable non-root to start EGO.
- Cannot enable LSB_UTMP=Y in lsf.conf. By default it is not enabled.
No other functions are affected, and normal use of the cluster is not impacted.
These limitations will be removed by a fix in the upcoming LSF 10.1.0.10.
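The following POSIX sh script is an added example, not part of the IBM bulletin: it audits the four binaries the bulletin names for the setuid/setgid bit and, on request, clears them with `chmod -s` as the remediation instructs. The directory argument is assumed to be the installation's LSF binary directory (for example the value of `LSF_BINDIR` from lsf.conf).

```shell
#!/bin/sh
# Binaries named in the CVE-2020-4278 bulletin as carrying the suid bit.
LSF_SUID_BINARIES="lsadmin badmin egosh utmpreg"

# lsf_suid_audit DIR: report listed binaries under DIR that still carry
# setuid or setgid. Returns 0 when none do, 1 when at least one does.
lsf_suid_audit() {
    dir="$1"
    found=0
    for name in $LSF_SUID_BINARIES; do
        f="$dir/$name"
        [ -e "$f" ] || continue            # not every binary exists in every install
        bits=""
        if [ -u "$f" ]; then bits="${bits}setuid "; fi
        if [ -g "$f" ]; then bits="${bits}setgid "; fi
        if [ -n "$bits" ]; then
            # ls -ld is used instead of stat(1) so the check stays portable
            printf '%s: %s(mode %s)\n' "$f" "$bits" "$(ls -ld "$f" | cut -c1-10)"
            found=1
        fi
    done
    return $found
}

# lsf_suid_fix DIR: apply the bulletin's remediation (chmod -s) to any listed
# binary under DIR that still carries setuid or setgid.
lsf_suid_fix() {
    dir="$1"
    for name in $LSF_SUID_BINARIES; do
        f="$dir/$name"
        [ -e "$f" ] || continue
        if [ -u "$f" ] || [ -g "$f" ]; then
            chmod -s "$f"
            printf 'cleared setuid/setgid on %s\n' "$f"
        fi
    done
}

# Command-line use: "audit DIR" only reports; "fix DIR" remediates, then re-audits.
case "${1-}" in
    audit) lsf_suid_audit "$2" ;;
    fix)   lsf_suid_fix "$2" && lsf_suid_audit "$2" ;;
esac
```

Run the audit on every LSF host in the cluster, since each host carries its own copy of the binaries; a non-zero exit status means the remediation has not yet been applied there.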
CPE | Name | Operator | Version
---|---|---|---
 | ibm spectrum lsf | eq | 9.1
 | ibm spectrum lsf | eq | 10.1