Security Bulletin: Weak file permissions may exist in IBM Spectrum LSF Suite and IBM Spectrum LSF Suite for HPA in a Linux or Unix environment

Published: 2020-02-27 02:01:08
Source: www.ibm.com
EPSS: 0.0004 (Low), percentile 5.1%

Summary

Weak file permissions may exist on several files after specific debug settings are enabled in IBM Spectrum LSF Suite and IBM Spectrum LSF Suite for HPA in a Linux or Unix environment. This could allow an attacker to escalate privileges. CVE-2020-4278 has been assigned to this issue.

Vulnerability Details

Refer to the security bulletin(s) listed in the Remediation/Fixes section.

Affected Products and Versions

Affected Product(s) Version(s)
IBM Spectrum Suite for HPA 10.2
IBM Spectrum LSF Suite 10.2

Remediation/Fixes

Remove the suid bit from the following binaries with the "chmod -s <filename>" command: lsadmin, badmin, egosh, utmpreg.

This remediation completely closes the vulnerability. However, it has the following limitations:
- Privileged ports cannot be used for LSF daemons. By default, LSF does not use privileged ports.
- /etc/lsf.sudoers cannot be configured to allow non-root users to start LSF daemons.
- /etc/ego.sudoers cannot be configured to allow non-root users to start EGO.
- LSB_UTMP=Y cannot be enabled in lsf.conf. By default, it is not enabled.

No other functions are affected, and normal use of the cluster is not impacted.
These limitations will be removed by a fix in upcoming LSF Suite 10.2.0.10 and LSF Suite for HPA 10.2.0.10.
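As an added example (not IBM's code and not part of this bulletin), the following POSIX shell functions audit the four binaries named above for setuid or setgid bits and apply the bulletin's chmod -s remediation, so an administrator can verify the state before and after the change. The directory argument is assumed to be the LSF bin directory (the path the LSF_BINDIR parameter in lsf.conf points to); the function names and the LSF_BINARIES variable are mine.

```shell
#!/bin/sh
# Added example, not from the bulletin: audit and strip setuid/setgid bits
# from the binaries named in the IBM remediation. The directory passed to
# each function is assumed to be the cluster's LSF bin directory.

# The four binaries the bulletin says carry an unneeded suid bit.
LSF_BINARIES="lsadmin badmin egosh utmpreg"

# Print "<perms> <path>" for every named binary in $1 that still has the
# setuid (-u) or setgid (-g) bit set. Returns 0 when nothing is flagged
# (clean) and 1 when at least one binary still carries a bit, so the
# function doubles as a compliance check in scripts.
lsf_find_suid() {
    dir="$1"
    found=0
    for name in $LSF_BINARIES; do
        f="$dir/$name"
        [ -f "$f" ] || continue            # skip binaries not installed here
        if [ -u "$f" ] || [ -g "$f" ]; then
            perms=$(ls -l "$f" | cut -c1-10) # e.g. -rwsr-xr-x
            printf '%s %s\n' "$perms" "$f"
            found=1
        fi
    done
    return $found
}

# Apply the bulletin's remediation: chmod -s clears both the setuid and the
# setgid bit on each named binary that exists in $1.
lsf_strip_suid() {
    dir="$1"
    for name in $LSF_BINARIES; do
        f="$dir/$name"
        if [ -f "$f" ]; then
            chmod -s "$f"
        fi
    done
    return 0
}

# Usage (as root, with LSF_BINDIR exported as lsf.conf defines it):
#   . ./lsf_suid_audit.sh
#   lsf_find_suid "$LSF_BINDIR"     # lists what is still setuid/setgid
#   lsf_strip_suid "$LSF_BINDIR"    # the chmod -s remediation
#   lsf_find_suid "$LSF_BINDIR"     # should print nothing and return 0
```

Run the audit function again after the fix (and after any LSF upgrade or re-installation, which may restore the bits) and treat a non-zero return as a finding; the limitations listed above apply as long as the bits stay cleared.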

Workarounds and Mitigations

See above.
