IBM Platform LSF 9.1.3 Fix 445809 Readme File

 

Abstract

 

P102108. The fix enhances LSF security by strengthening the authorization of user credentials for the data stream between LSF clients and servers. It addresses CVE-2017-1205.

 

Description


LSF uses an external authentication framework to secure user credentials for the data stream between LSF clients and servers. By default, LSF provides an eauth executable file which takes a static authorization key to encrypt the data. As part of the installation process, changing the default key is important to prevent unauthorized access. However, many sites do not change this default key and are therefore vulnerable to CVE-2017-1205.

This defect was present and undetected for over ten years, even during previous third party security reviews. There are no reported instances of anyone having exploited this defect to gain root privileges.

This fix addresses CVE-2017-1205 by enhancing the default eauth executable file to automatically generate site-specific keys, and is available for all supported versions of LSF on all supported operating systems.

Sites that use LSF Kerberos authentication are not affected by this issue, but installing this fix addresses potential vulnerabilities if LSF Kerberos authentication is unavailable.  

 

This fix consists of three parts:

1.     MANDATORY: Update the mbatchd, sbatchd, res, lsadmin, and badmin binary files. These updates address the potential root exploit. You can replace these binary files on a live cluster with no downtime.

2.     RECOMMENDED: Replace the default eauth executable file with eauth.cve. This update addresses the potential replay attack. You must replace the eauth executable file on all hosts simultaneously, which requires LSF to be shut down.

3.     OPTIONAL: Generate custom eauth keys. Generate custom eauth keys at the same time as you replace the eauth executable file.

 

 

1.     Update key binaries

 

Update mbatchd, sbatchd, res, lsadmin, and badmin.

 

2.     Default eauth executable

 

The new default eauth executable file is enhanced to automatically generate a site-specific key by using 128-bit AES encryption.

 

The new eauth executable file is named eauth.cve in the fix. It can directly replace the default eauth executable file for authentication between LSF clients and servers in the same LSF cluster.

 

You must replace all binary files to fully address CVE-2017-1205. To ensure that you correctly enable the enhancements in your LSF clusters, check the following:

 

1)   The new eauth executable file rejects LSF requests from any host whose UTC time differs from the server host's by more than 5 minutes.

 

2)    When you use the new eauth executable file in LSF clusters with the following LSF features, you must configure the same LSF_EAUTH_KEY in the lsf.sudoers file on all related LSF clusters:

·             Running an interactive task on a remote host across LSF Multi-Cluster by using the LSF command "ls(g)run -m"

·             LSF data managers in LSF Multi-Cluster

 

3)    For the following LSF add-on products to work with LSF, you must follow their configuration steps for using the new eauth executable file:

·             IBM Platform LSF RTM

 

4)    You must install the new eauth executable file on all LSF hosts in the LSF cluster. Otherwise, LSF commands that run on hosts without the new eauth executable file will encounter authentication problems.

 

5)    The enhancements do not support LSF distributions earlier than Version 8.3. If any LSF hosts are running these earlier versions of LSF, the entire LSF cluster cannot apply the new eauth executable file as the default eauth method. If you are using an earlier version of LSF, use LSF Kerberos authentication or your own authentication method.

 

3. Generating site-specific custom eauth keys

 

LSF supports configuring a customized authorization key (LSF_EAUTH_KEY in the lsf.sudoers file) to encrypt user credentials. The lsf.sudoers file is located in the directory specified by the LSF_SECUREDIR parameter in lsf.conf.

This key can be generated by using public key generator tools such as GnuPG or ssh-keygen. The following is an example of generating an authorization key with GnuPG, followed by the corresponding configuration steps in LSF:

 

1)    Download the GnuPG package (https://www.gnupg.org/download/index.html) and install the package on the LSF master host.

 

2)    Create GPG keys by running the following command (using Bourne shell syntax as the example):

 

   # gpg --gen-key

 

3)    Comment out the original LSF_EAUTH_KEY configuration line in the /etc/lsf.sudoers file.

  

4)    Export the GPG key in ASCII-armored format and append the following line to the /etc/lsf.sudoers file:

 

   LSF_EAUTH_KEY=<ASCII-armored format of GPG key>

  

   For UNIX, you must edit the lsf.sudoers file on all hosts within the cluster and specify the same encryption key. For Windows, you must edit the shared lsf.sudoers file.

 

5)    Copy the /etc/lsf.sudoers file to the /etc directory of each LSF host.

 

6)    Reconfigure the cluster to apply this change.

  # badmin reconfig
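The edit in steps 3) and 4) above, scripted as an added example that is not part of this readme or of LSF itself: it comments out any active LSF_EAUTH_KEY line, appends the new key, and prints a checksum of the active key so that the value can be compared across hosts without copying the key around. It assumes the key is supplied as a single string, matching the single LSF_EAUTH_KEY=... line shown above; the file path and key values in the comments are placeholders.

```shell
#!/bin/sh
# Added example (not IBM's code): rotate LSF_EAUTH_KEY in an lsf.sudoers
# file and report a checksum of the configured key.
# Assumption: the key is passed in as one single-line string.

# set_eauth_key FILE KEY
#   Backs up FILE to FILE.bak, comments out every active LSF_EAUTH_KEY
#   line, then appends "LSF_EAUTH_KEY=KEY". The redirection truncates the
#   existing file in place, so its ownership and mode are preserved.
set_eauth_key() {
    file=$1
    key=$2
    [ -f "$file" ] || return 1
    cp "$file" "$file.bak" || return 1
    # '&' re-inserts the matched text, so the old line is kept as a comment.
    sed 's/^[[:space:]]*LSF_EAUTH_KEY=/# &/' "$file.bak" > "$file" || return 1
    printf 'LSF_EAUTH_KEY=%s\n' "$key" >> "$file"
}

# active_eauth_key FILE
#   Prints the value of the last uncommented LSF_EAUTH_KEY line, or
#   nothing if no key is configured.
active_eauth_key() {
    sed -n 's/^[[:space:]]*LSF_EAUTH_KEY=//p' "$1" | tail -n 1
}

# eauth_key_checksum FILE
#   Prints a POSIX cksum of the active key. Run this on every host after
#   step 5) and compare the numbers: they must all match before reconfig.
eauth_key_checksum() {
    active_eauth_key "$1" | cksum | cut -d' ' -f1
}

# Example usage on a real host (run as root):
#   set_eauth_key /etc/lsf.sudoers "$(cat /path/to/exported.key)"
#   eauth_key_checksum /etc/lsf.sudoers
```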

 

Readme file for: IBM® Platform LSF

Product/Component Release: 9.1.3

Update Name: Fix 445809

Fix ID: LSF-9.1.3-build445809

Publication date: 31 March 2017

Last modified date:  30 March 2017

Contents:

 

1.     List of fixes

2.     Download location

3.     Products or components affected

4.     System requirements

5.     Installation and configuration

6.     List of files

7.     Product notifications

8.     Copyright and trademark information

 

1.   List of fixes

 

P102108

 

2.   Download Location

 

Download Fix 445809 from the following location: http://www.ibm.com/eserver/support/fixes/

 

3.   Products or components affected

 

Affected components include: LSF/eauth, LSF/mbatchd, LSF/sbatchd, LSF/res, LSF/badmin, LSF/lsadmin

 

4.   System requirements

 

aix-64

hppa11i-64

hpuxia64

linux2.6-glibc2.3-x86_64

linux2.6-glibc2.3-ppc64

linux2.6-glibc2.3-x86_64-cray

linux3.12-glibc2.17-armv8

linux3.6-glibc2.15-armv7

linux3.10-glibc2.17-ppc64le

macosx

sparc-sol10-64

x86-64-sol10

 

 

5.   Installation and configuration

 

5.1          Before installation

           

 (LSF_TOP=Full path to the top-level installation directory of LSF.)

1)    Log on to the LSF master host as root

2)    Set your environment:

-      For csh or tcsh: % source LSF_TOP/conf/cshrc.lsf

-      For sh, ksh, or bash: $ . LSF_TOP/conf/profile.lsf

 

5.2          Installation steps

 

 Follow the complete installation procedure on every host to use LSF with non-shared file systems.

 

1)    Go to the patch install directory: cd $LSF_ENVDIR/../9.1/install/

2)    Copy the patch file to the install directory $LSF_ENVDIR/../9.1/install/

3)    Run patchinstall: ./patchinstall <patch>

  

5.3          After installation

 

To only apply the mandatory part of the patch:

1)    Log on to the LSF master host as root 

2)    Run lsadmin resrestart all

3)    Run badmin hrestart all

4)    Run badmin mbdrestart

 

            To apply the whole patch:

1)    Run badmin hshutdown all

2)    Run lsadmin resshutdown all

3)    Run badmin mbdrestart

4)    Back up the eauth executable file on all installed hosts as eauth.bak

5)    Copy eauth.cve to replace eauth on all LSF hosts

6)    Run chmod u+s $LSF_SERVERDIR/eauth to configure eauth as setuid to root

7)    Run lsadmin resstartup all

8)    Run badmin hstartup all

 

5.4    Configuration for IBM Platform RTM and IBM Spectrum LSF RTM

 

1)    Prerequisite: All LSF clusters monitored by RTM must already have the eauth patch applied and mbatchd restarted.

 

2)    Use the eauth.cve version that corresponds to your LSF version

 

                    Note: For all x86_64 platforms, get the corresponding eauth.cve from "linux2.6-glibc2.3-x86_64"

3)    Replace the old version of eauth.cve in RTM_TOP/rtm/lsf91/etc/eauth with the new eauth.cve. By default, RTM_TOP=/opt/IBM.

 

Note: 

a)   For mixed cluster situations, RTM monitors and controls the upgraded clusters, but only monitors the non-upgraded clusters. For example, with three LSF 9.1.x clusters where the LSF 9.1.1 and LSF 9.1.2 clusters are upgraded (with the new eauth.cve) but the LSF 9.1.3 cluster is not upgraded (without the new eauth.cve), RTM will monitor and control the LSF 9.1.1 and 9.1.2 clusters but only monitor the LSF 9.1.3 cluster.

b)  There is no requirement to restart RTM.

 

5.5          Uninstallation

 

To only roll back the mandatory part of the patch:

1)    Log on to the LSF master host as root 

2)    Go to the patch install directory: cd $LSF_ENVDIR/../9.1/install/, run ./patchinstall -r <patch>.

3)    Run lsadmin resrestart all

4)    Run badmin hrestart all

5)    Run badmin mbdrestart.

 

To roll back the whole patch:

1)    Run badmin hshutdown all

2)    Run lsadmin resshutdown all

3)    Run badmin mbdrestart

4)    Go to the patch install directory: cd $LSF_ENVDIR/../9.1/install/, run ./patchinstall -r <patch>

5)    Replace eauth with the backup eauth.bak on all LSF hosts

6)    Run chmod u+s $LSF_SERVERDIR/eauth to configure eauth as setuid to root

7)    Run lsadmin resstartup all

8)    Run badmin hstartup all

 

6.   List of files

 

eauth.cve

mbatchd

sbatchd

res

badmin

lsadmin

 

7.   Product notifications

To receive information about product solution and patch updates automatically, subscribe to product notifications on the My notifications page (www.ibm.com/support/mynotifications) on the IBM Support website (support.ibm.com). You can edit your subscription settings to choose the types of information you want to receive notifications about, for example, security bulletins, fixes, troubleshooting, and product enhancements or documentation changes.

 

8.   Copyright and trademark information

© Copyright IBM Corporation 2017

U.S. Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

IBM®, the IBM logo and ibm.com® are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml.