===============================================================================

Readme file for: IBM Spectrum LSF


Product/Component Release: 10.1.0.6 SAS

Update name: Fix 502520

Fix ID: Build 502520

Publication date: 28 September 2018

Last modified: 28 September 2018

D-APAR#: P102728

This update fixes the following problem:

This fix hardens the way LSF authorizes user credentials so that the getuid function cannot be preloaded to change the job user. It addresses CVE-2018-1724.


LSF uses an external authentication framework (eauth) to secure user credentials in the data stream between LSF clients and servers. CVE-2018-1724 describes an attack in which a user preloads the getuid function at job submission time and thereby changes the job user.


This defect was present and undetected for over ten years, even during previous third party security reviews. However, there are no reported instances of anyone having exploited this defect to change the job user.


This fix addresses CVE-2018-1724 by enhancing the eauth executable file to prevent the preloading of getuid, so that users can no longer change their job user at job submission time. To prevent preloading in eauth entirely, this fix also provides two new options for the hostsetup script.



A summary of the steps to apply this fix is as follows (for detailed steps, follow section 5, Installation and configuration):

  1. Back up the original eauth file.

  2. Copy the eauth.cve file to eauth in the LSF_SERVERDIR directory, making sure that the privileges are the same as before.

  3. On each host, run hostsetup --ext-serverdir="ext_serverdir"
    --eauth-key="your-eauth-key" with root privileges.


The new options that this fix introduces for the hostsetup script are --ext-serverdir and --eauth-key.

--ext-serverdir=<dir>: Specify the directory that holds the eauth executable file.
  <dir> must be accessible to the local host on which hostsetup is running.

--eauth-key=<key>: Specify the key string. Running hostsetup with this option writes the following line to the /etc/lsf.sudoers file:

LSF_EAUTH_KEY="key"

The hostsetup --ext-serverdir command option performs the following actions:

  1. Create a soft link from the cluster's lsf.conf to /etc/lsf.conf.
  2. Write values for the LSF_EXT_SERVERDIR, LSF_SERVERDIR, and LSF_ENV_OVERRIDE=N parameters to the /etc/lsf.conf file.
  3. Copy eauth and esub* to the LSF_EXT_SERVERDIR directory, give them root ownership, and set the setuid (S) bit on eauth.
    LSF_ENV_OVERRIDE=N means that LSF uses only the parameter values in /etc/lsf.conf; LSF_SERVERDIR, LSF_BINDIR, and LSF_LIBDIR must therefore also be defined in that file.
    If the LSF_EXT_SERVERDIR parameter is configured, LSF uses the eauth under that directory. For compatibility reasons, do not remove the eauth file in the LSF_SERVERDIR directory.

Because this issue does not impact Windows, eauth.cve.exe is the only file for Windows platforms. For Windows hosts, after applying this fix, shut down the LSF cluster, rename eauth.exe to eauth.bak.exe and eauth.cve.exe to eauth.exe, then start up the LSF cluster.


Sites that use LSF Kerberos authentication are not affected by this issue, but installing this fix addresses potential vulnerabilities if LSF Kerberos authentication is unavailable.


NOTES:

  1. If the EGO feature is enabled, set EGO_SERVERDIR in $EGO_CONFDIR/ego.conf.
  2. For the hostsetup --eauth-key command option, special characters in the key must be preceded by an escape character, as with any other shell terminal input.
    For example: hostsetup --top="$LSF_TOP" --eauth-key="\&abdfef"
  3. There is no security issue in a pure Windows cluster. Do not apply Fix 502520 in a pure Windows cluster.


IMPORTANT:

For SAS users, additional binaries are required to complete the fix.

  1. A fix for this issue for SAS Threaded Kernel Grid 9.4_M6 is available at:
    https://tshf.sas.com/techsup/download/hotfix/HF2/D9W.html#63474

  2. A fix for this issue for SAS Workload Orchestrator 9.46 is available at:
    https://tshf.sas.com/techsup/download/hotfix/HF2/E3Y.html#63474

  3. A fix for this issue for SAS Threaded Kernel Grid 9.4_M5 is available at:
    https://tshf.sas.com/techsup/download/hotfix/HF2/B5L.html#63474

  4. A fix for this issue for SAS Threaded Kernel Grid 9.4_M4 is available at:
    https://tshf.sas.com/techsup/download/hotfix/HF2/A5G.html#63474

  5. A fix for this issue for SAS Threaded Kernel Grid 9.4_M3 is available at:
    https://tshf.sas.com/techsup/download/hotfix/HF2/V72.html#63474
===============================================================================

=========================
CONTENTS
=========================
1. Abbreviations
2. About IBM Spectrum LSF for SAS
3. Supported operating systems
4. Products or components affected
5. Installation and configuration for non-Windows
6. Installation and configuration for Windows
7. Copyright

=========================
1. Abbreviations
=========================
N/A

=========================
2. About IBM Spectrum LSF
=========================
The IBM Spectrum LSF ("LSF", short for load sharing facility) software is industry-leading enterprise-class software that distributes work across existing heterogeneous IT resources creating a shared, scalable, and fault-tolerant infrastructure, delivering faster, more reliable workload performance while reducing cost. LSF balances load and allocates resources, while providing access to those resources.

=========================
3. Supported operating systems
=========================
Linux2.6-glibc2.3-x86_64
win-x64
aix-64
hpuxia64
sparc-sol10-64
x86-64-sol10

=========================
4. Products or components affected
=========================

Affected components for non-Windows include:

LSF/eauth.cve, LSF/hostsetup, LSF/lim, LSF/pim, LSF/mbatchd, LSF/mbschd, LSF/sbatchd, LSF/res, LSF/bsub, LSF/bmod, LSF/badmin, LSF/lsadmin, LSF/bmgroup, LSF/bstatus, LSF/bmig, LSF/bstop, LSF/bapp, LSF/lseligible, LSF/lsreconfig, LSF/lsreghost, LSF/lsfrestart, LSF/lsrtasks, LSF/bswitch, LSF/lsfshutdown, LSF/lsrun, LSF/bparams, LSF/btop, LSF/bbot, LSF/bpeek, LSF/bugroup, LSF/bchkpnt, LSF/bpost, LSF/busers, LSF/bclusters, LSF/lsfstartup, LSF/bconf, LSF/bqueues, LSF/bread, LSF/lsgrun, LSF/bgadd, LSF/lshosts, LSF/bgbroker, LSF/breconfig, LSF/egoconfig, LSF/lsid, LSF/bgdel, LSF/brequeue, LSF/egoenv, LSF/lsinfo, LSF/bgmod, LSF/bresize, LSF/egoexec, LSF/lsload, LSF/bgpinfo, LSF/bresources, LSF/lsloadadj, LSF/bhist, LSF/brestart, LSF/egosh, LSF/lslockhost, LSF/bhosts, LSF/bresume, LSF/lslogin, LSF/bhpart, LSF/brlainfo, LSF/bjdepinfo, LSF/brsvadd, LSF/bjgroup, LSF/brsvdel, LSF/bjobs, LSF/brsvmod, LSF/bkill, LSF/brsvs, LSF/lsacct, LSF/lsmon, LSF/blaunch, LSF/blimits, LSF/bsla, LSF/lsadmin, LSF/bmg, LSF/bslots, LSF/lsclusters, LSF/lsrcp, LSF/nios, LSF/melim, LSF/egosh, LSF/egosc, LSF/schmod_demand.so, LSF/schmod_bluegene.so, LSF/schmod_cpuset.so, LSF/schmod_dist.so, LSF/schmod_jobweight.so, LSF/schmod_mc.so, LSF/schmod_pset.so, LSF/schmod_rms.so, LSF/schmod_xl.so, libbat.a, libbat.so, liblsf.a, liblsf.so, lsbatch.h, lsf.h


Affected components for Windows include:
LSF/eauth.cve.exe

=========================
5. Installation and configuration for non-Windows
=========================
5.1 Before installation
(LSF_TOP=Full path to the top-level installation directory of LSF.)
1) Log on to the LSF master host as root
2) Set your environment:
- For csh or tcsh: % source LSF_TOP/conf/cshrc.lsf
- For sh, ksh, or bash: $ . LSF_TOP/conf/profile.lsf
5.2 Installation steps
Follow the complete installation procedure on every host to use LSF with non-shared file systems.
1) Go to the patch install directory: cd $LSF_ENVDIR/../10.1/install/
2) Copy the patch file to the install directory $LSF_ENVDIR/../10.1/install/
3) Run patchinstall: ./patchinstall <patch>
5.3 After installation
1) Run badmin hshutdown all
2) Run lsadmin resshutdown all
3) Run lsadmin limshutdown all
4) Back up the eauth on all installed hosts as eauth.bak
5) Copy the eauth.cve to replace the eauth on all LSF hosts
6) Run chmod u+s $LSF_SERVERDIR/eauth to configure eauth as setuid to root
7) If the cluster is a heterogeneous cluster with a shared installation, set LSF_LINK_PATH in $LSF_ENVDIR/lsf.conf to a local machine path
8) Run hostsetup --ext-serverdir="ext_serverdir" --eauth-key="your-eauth-key" with root privileges to specify the secured eauth path and the key
9) Change LSF_SERVERDIR=$LSF_LINK_PATH/etc in $LSF_ENVDIR/lsf.conf
10) If ego feature is enabled, set EGO_SERVERDIR in the $EGO_CONFDIR/ego.conf
11) Run lsadmin limstartup all
12) Run lsadmin resstartup all
13) Run badmin hstartup all
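Steps 4) to 9) above, together with the actions that hostsetup --ext-serverdir and --eauth-key perform, leave each host in a state that an administrator should confirm before restarting the daemons: eauth replaced and setuid root under LSF_EXT_SERVERDIR, /etc/lsf.conf pinning the directories with LSF_ENV_OVERRIDE=N, and LSF_EAUTH_KEY present in /etc/lsf.sudoers. The following POSIX shell script is an added example, not part of IBM's fix package or of the hostsetup script; it checks that state. Its make_fixture function builds a constructed stand-in tree so the checks can be exercised offline without root, and the group/other-readability check on lsf.sudoers is the editor's own addition rather than a requirement the readme states.

```shell
#!/bin/sh
# Post-fix verification for the eauth hardening in this readme. Added example,
# not part of IBM's fix package. It checks the state that steps 4) to 9) of
# section 5.3 and the hostsetup --ext-serverdir / --eauth-key options should
# leave behind. Paths and the expected owner are parameters so the same checks
# can be exercised against a constructed tree (make_fixture) without root.

# conf_value FILE KEY : print the value of the first KEY=value line, quotes stripped.
conf_value() {
    sed -n "s/^$2=//p" "$1" | head -n 1 | sed 's/^"//; s/"$//'
}

# check_eauth_binary DIR OWNER : eauth in DIR must exist, be executable,
# be owned by OWNER (a user name or numeric uid) and carry the setuid bit.
check_eauth_binary() {
    f="$1/eauth"
    [ -f "$f" ] && [ -x "$f" ] || { echo "FAIL: $f missing or not executable" >&2; return 1; }
    [ -u "$f" ] || { echo "FAIL: setuid bit not set on $f (step 6)" >&2; return 1; }
    [ -n "$(find "$f" -user "$2")" ] || { echo "FAIL: $f is not owned by $2" >&2; return 1; }
    return 0
}

# check_lsf_conf CONF : the /etc/lsf.conf written by hostsetup must pin the
# eauth directory and set LSF_ENV_OVERRIDE=N; because override is off, the
# directory parameters must all be defined in this file.
check_lsf_conf() {
    grep -q '^LSF_ENV_OVERRIDE=N[[:space:]]*$' "$1" \
        || { echo "FAIL: LSF_ENV_OVERRIDE=N not set in $1" >&2; return 1; }
    for key in LSF_EXT_SERVERDIR LSF_SERVERDIR LSF_BINDIR LSF_LIBDIR; do
        [ -n "$(conf_value "$1" "$key")" ] \
            || { echo "FAIL: $key not defined in $1" >&2; return 1; }
    done
    return 0
}

# check_eauth_key SUDOERS : LSF_EAUTH_KEY="key" must be present and non-empty.
# The key is a shared secret, so this example also insists (editor's check, not
# stated in the readme) that the file is not group- or world-readable.
check_eauth_key() {
    [ -n "$(conf_value "$1" LSF_EAUTH_KEY)" ] \
        || { echo "FAIL: LSF_EAUTH_KEY not set in $1" >&2; return 1; }
    [ -z "$(find "$1" \( -perm -040 -o -perm -004 \))" ] \
        || { echo "FAIL: $1 is readable by group or other" >&2; return 1; }
    return 0
}

# verify_eauth_fix CONF SUDOERS OWNER : run every check; exit status 0 means
# the host is in the fixed state. On a live host (as root):
#   verify_eauth_fix /etc/lsf.conf /etc/lsf.sudoers root
verify_eauth_fix() {
    check_lsf_conf "$1" || return 1
    check_eauth_binary "$(conf_value "$1" LSF_EXT_SERVERDIR)" "$3" || return 1
    check_eauth_key "$2" || return 1
    echo "OK: eauth hardening in place"
}

# make_fixture ROOT [nosuid] : build a constructed LSF-like tree under ROOT for
# offline testing (a stand-in script plays eauth; nothing here is a real LSF
# install). With "nosuid" the setuid bit is left off, reproducing a missed step 6).
make_fixture() {
    root=$1
    mkdir -p "$root/etc" "$root/ext" "$root/bin" "$root/lib"
    printf '#!/bin/sh\necho constructed stand-in for eauth\n' > "$root/ext/eauth"
    chmod 755 "$root/ext/eauth"
    [ "$2" = nosuid ] || chmod u+s "$root/ext/eauth"
    cat > "$root/etc/lsf.conf" <<EOF
LSF_EXT_SERVERDIR=$root/ext
LSF_SERVERDIR=$root/ext
LSF_BINDIR=$root/bin
LSF_LIBDIR=$root/lib
LSF_ENV_OVERRIDE=N
EOF
    printf 'LSF_EAUTH_KEY="constructed-example-key"\n' > "$root/etc/lsf.sudoers"
    chmod 600 "$root/etc/lsf.sudoers"
}
```

Run verify_eauth_fix on every host after step 9) and before step 11); a non-zero exit names the step that was missed, which is cheaper to catch than discovering after limstartup that eauth is still the old binary or that LSF_ENV_OVERRIDE was left unset. Pass the owner as root (or 0) on a live host; the fixture is owned by whoever runs the script, which is why the owner is a parameter rather than hard-coded.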
5.4 Uninstallation
1) Run badmin hshutdown all
2) Run lsadmin resshutdown all
3) Run lsadmin limshutdown all
4) Go to the patch install directory: cd $LSF_ENVDIR/../10.1/install/, run ./patchinstall -r <patch>
5) Replace eauth with the backup eauth.bak on all LSF hosts
6) Run chmod u+s $LSF_SERVERDIR/eauth to configure eauth as setuid to root
7) Remove /etc/lsf.conf on each host, and comment out LSF_EXT_SERVERDIR LSF_ENV_OVERRIDE LSF_SERVERDIR in $LSF_ENVDIR/lsf.conf
8) Remove eauth key from the /etc/lsf.sudoers
9) Run lsadmin limstartup all
10) Run lsadmin resstartup all
11) Run badmin hstartup all

=========================
6. Installation and configuration for Windows
=========================
6.1 Before installation
None
6.2 Installation steps
1) Log on to the LSF master host as LSF cluster administrator
2) Run badmin hshutdown all
3) Run lsadmin resshutdown all
4) Run lsadmin limshutdown all
5) Log on to the Windows host as administrator, install the Windows patch
6.3 After installation
1) Log on to the Windows host as administrator
2) Backup the eauth.exe on the Windows host as eauth.bak.exe
3) Copy the eauth.cve.exe to replace the eauth.exe on the Windows host
4) Log on to the LSF master host as LSF cluster administrator
5) Run lsadmin limstartup all
6) Run lsadmin resstartup all
7) Run badmin hstartup all
6.4 Uninstallation
1) Log on to the LSF master host as LSF cluster administrator.
2) Run badmin hshutdown all
3) Run lsadmin resshutdown all
4) Run lsadmin limshutdown all
5) Log on to the Windows host as administrator, remove the patch installation from the Windows control panel on the Windows host
6) Replace eauth.exe with the backup eauth.bak.exe on the Windows host
7) Log on to the LSF master host as LSF cluster administrator.
8) Run lsadmin limstartup all
9) Run lsadmin resstartup all
10) Run badmin hstartup all

=========================
7. Copyright
=========================
© Copyright IBM Corporation 2018

U.S. Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
IBM®, the IBM logo and ibm.com®, are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml.