paran-5UnqSh4Icw/LoDKTGw+ (Pär Lindfors)
2014-09-27 01:07:33 UTC
Hi,
The last two days a security vulnerability in bash have been getting a
lot of publicity. The CVE identifiers are CVE-2014-6271 and
CVE-2014-7169, in some places the problem is referred to as
"shellshock".
All major Linux distributions have released updated bash packages, so
make sure you upgrade right away if you have not done so already.
I first heard of this problem right after the Slurm user group meeting
had ended, while me and some other attendees were going up the funicular
in Lugano. BTW thanks everybody for a great meeting!
I then spent all of yesterday getting back home, and my colleagues had
already upgraded bash on our systems when I got there today. However I
have spent some time investigating if you can trigger this bug by using
Slurm. (with non-upgraded bash that is)
Turns out that Yes you can, in some configurations. The requirement is
that either PrologSlurmctld or EpilogSlurmctld is configured to a script
that is run by bash. In that case any user that can run a job can also
run commands as SlurmUser on the machine running slurmctld. The job name
is exported to PrologSlurmctld/EpilogSlurmctld in the environment
variable SLURM_JOB_NAME, so you simply submit a job with the exploit
code as the job name.
I have not found a way to directly obtain root access. Epilog and Prolog
are executed as root on compute nodes, but users don't control any of
the environment variables exported to those scripts.
Regards,
Pär Lindfors, NSC
The last two days a security vulnerability in bash have been getting a
lot of publicity. The CVE identifiers are CVE-2014-6271 and
CVE-2014-7169, in some places the problem is referred to as
"shellshock".
All major Linux distributions have released updated bash packages, so
make sure you upgrade right away if you have not done so already.
I first heard of this problem right after the Slurm user group meeting
had ended, while me and some other attendees were going up the funicular
in Lugano. BTW thanks everybody for a great meeting!
I then spent all of yesterday getting back home, and my colleagues had
already upgraded bash on our systems when I got there today. However I
have spent some time investigating if you can trigger this bug by using
Slurm. (with non-upgraded bash that is)
Turns out that Yes you can, in some configurations. The requirement is
that either PrologSlurmctld or EpilogSlurmctld is configured to a script
that is run by bash. In that case any user that can run a job can also
run commands as SlurmUser on the machine running slurmctld. The job name
is exported to PrologSlurmctld/EpilogSlurmctld in the environment
variable SLURM_JOB_NAME, so you simply submit a job with the exploit
code as the job name.
I have not found a way to directly obtain root access. Epilog and Prolog
are executed as root on compute nodes, but users don't control any of
the environment variables exported to those scripts.
Regards,
Pär Lindfors, NSC