IBM Platform LSF 9.1.3 Fix 445809 Readme File
Abstract
P102108. The fix strengthens how LSF authorizes user credentials for the data stream between LSF clients and servers. It addresses CVE-2017-1205.
Description
LSF uses an external authentication framework to secure user credentials for
the data stream between LSF clients and servers. By default, LSF provides an
eauth executable file which takes a static authorization key to encrypt the
data. As part of the installation process, changing the default key is
important to prevent unauthorized access. However, many sites do not change
this default key and are therefore vulnerable to CVE-2017-1205.
This defect was present and undetected for over ten years, even during previous
third-party security reviews. There are no reported instances of anyone having
exploited this defect to gain root privileges.
This fix addresses CVE-2017-1205 by enhancing the default eauth executable file
to automatically generate site-specific keys, and is available for all
supported versions of LSF on all supported operating systems.
Sites that use LSF Kerberos authentication are not affected by this issue, but
installing this fix addresses potential vulnerabilities if LSF Kerberos
authentication is unavailable.
This fix consists of three parts:
1. MANDATORY: Update mbatchd, sbatchd, res, lsadmin, and badmin binary files. These updates address the potential root exploit. You can replace these binary files on a live cluster with no downtime.
2. RECOMMENDED: Replace the default eauth executable file with eauth.cve. This update addresses the potential replay attack. You must replace the eauth executable file on all hosts simultaneously, which requires LSF to be shut down.
3. OPTIONAL: Generate custom eauth keys. Generate custom eauth keys at the same time as you replace the eauth executable file.
1. Update key binaries
Update mbatchd, sbatchd, res, lsadmin, and badmin.
2. Default eauth executable
The new default eauth executable file is enhanced to automatically generate a site-specific key by using 128-bit AES encryption.
The new eauth executable file is named eauth.cve in the fix. It directly replaces the default eauth executable file for authentication between LSF clients and servers in the same LSF cluster.
You must replace all binary files to fully address CVE-2017-1205. To ensure that you correctly enable the enhancements in your LSF clusters, check the following:
1) The new eauth executable file rejects LSF requests from any host whose UTC time differs from the server host's time by more than 5 minutes.
2) When you use the new eauth executable file in LSF clusters with the following LSF features, you must configure the same LSF_EAUTH_KEY in the lsf.sudoers file on all related LSF clusters:
   - Running an interactive task on a remote host across LSF Multi-Cluster by using the LSF command "ls(g)run -m"
   - LSF data managers in LSF Multi-Cluster
3) You must follow the configuration steps for the new executable file (see section 5.4) for the following LSF add-on products to work with LSF:
   - IBM Platform LSF RTM
4) You must install the new eauth executable file on all LSF hosts in the LSF cluster. Otherwise, LSF commands that run on hosts without the new eauth executable file will encounter authentication problems.
5) The enhancements do not support LSF distributions earlier than Version 8.3. If any LSF hosts are running these earlier versions of LSF, the entire LSF cluster cannot use the new eauth executable file as the default eauth method. If you are using an earlier version of LSF, use LSF Kerberos authentication or your own authentication method.
3. Generating site-specific custom eauth keys
LSF supports configuring a customized authorization key (LSF_EAUTH_KEY in the lsf.sudoers file) to encrypt user credentials. The lsf.sudoers file is located in the directory specified by the LSF_SECUREDIR parameter in lsf.conf.
This key can be generated by using public key generator tools such as GnuPG or ssh-keygen. The following is an example of generating authorization keys using GnuPG and the configuration steps in LSF:
1) Download the GnuPG package (https://www.gnupg.org/download/index.html) and install the package on the LSF master host.
2) Create GPG keys by running the following command (using Bourne shell syntax as the example):
# gpg --gen-key
3) Comment out the original LSF_EAUTH_KEY configuration line in the /etc/lsf.sudoers file.
4) Export the ASCII-armored format output of the GPG key and append the following line in the /etc/lsf.sudoers file:
LSF_EAUTH_KEY=<ASCII-armored format of GPG key>
For UNIX, you must edit the lsf.sudoers file on all hosts within the cluster and specify the same encryption key. For Windows, you must edit the shared lsf.sudoers file.
5) Copy the /etc/lsf.sudoers file to the /etc directory of each LSF host.
6) Reconfigure the cluster to apply this change.
# badmin reconfig
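The lsf.sudoers edit in steps 3 and 4 above, as an added example that is not IBM's code: it comments out every existing LSF_EAUTH_KEY line, appends the new one, rewrites the file in place so its owner and mode are preserved, and refuses empty or multi-line key values. It assumes the key value is a single-line string, as the readme writes it, and the sample lsf.sudoers content is constructed for the demonstration.

```shell
#!/bin/sh
# Usage: set_eauth_key <path to lsf.sudoers> <new key value>
set_eauth_key() {
    sudoers="$1"
    key="$2"
    [ -f "$sudoers" ] || { echo "no such file: $sudoers" >&2; return 1; }
    [ -n "$key" ] || { echo "refusing to set an empty LSF_EAUTH_KEY" >&2; return 1; }
    # A multi-line value would leave stray lines in a line-oriented config file.
    if [ "$(printf '%s' "$key" | wc -l)" -ne 0 ]; then
        echo "LSF_EAUTH_KEY value must be a single line" >&2
        return 1
    fi
    tmp="$sudoers.tmp.$$"
    # Step 3: comment out every active LSF_EAUTH_KEY line.
    # Step 4: append the new key as the last (and only active) setting.
    awk '/^[[:space:]]*LSF_EAUTH_KEY=/ { print "#" $0; next } { print }' "$sudoers" > "$tmp" &&
        printf 'LSF_EAUTH_KEY=%s\n' "$key" >> "$tmp" &&
        cat "$tmp" > "$sudoers" &&   # write through, keeping owner and mode
        rm -f "$tmp"
}

# Prints the active (uncommented) LSF_EAUTH_KEY value, last one wins.
get_eauth_key() {
    sed -n 's/^[[:space:]]*LSF_EAUTH_KEY=//p' "$1" | tail -n 1
}

# Prints how many active LSF_EAUTH_KEY lines the file has; expect exactly 1.
active_key_lines() {
    grep -c '^[[:space:]]*LSF_EAUTH_KEY=' "$1"
}

# Constructed sample lsf.sudoers with a placeholder default key line.
make_sample_sudoers() {
    printf 'LSF_STARTUP_USERS="lsfadmin"\nLSF_EAUTH_KEY=defaultkey\n' > "$1"
}
```

After running it on the master host, copy the same file to every host and run badmin reconfig, as in steps 5 and 6.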
Readme file for: IBM® Platform LSF
Product/Component Release: 9.1.3
Update Name: Fix 445809
Fix ID: LSF-9.1.3-build445809
Publication date: 31 March 2017
Last modified date: 30 March 2017
Contents:
1. List of fixes
2. Download location
3. Products or components affected
4. System requirements
5. Installation and configuration
6. List of files
7. Product notifications
8. Copyright and trademark information
1. List of fixes
P102108
2. Download Location
Download Fix 445809 from the following location: http://www.ibm.com/eserver/support/fixes/
3. Products or components affected
Affected components include: LSF/eauth, LSF/mbatchd, LSF/sbatchd, LSF/res, LSF/badmin, LSF/lsadmin
4. System requirements
aix-64
hppa11i-64
hpuxia64
linux2.6-glibc2.3-x86_64
linux2.6-glibc2.3-ppc64
linux2.6-glibc2.3-x86_64-cray
linux3.12-glibc2.17-armv8
linux3.6-glibc2.15-armv7
linux3.10-glibc2.17-ppc64le
macosx
sparc-sol10-64
x86-64-sol10
5. Installation and configuration
5.1 Before installation
(LSF_TOP=Full path to the top-level installation directory of LSF.)
1) Log on to the LSF master host as root
2) Set your environment:
- For csh or tcsh: % source LSF_TOP/conf/cshrc.lsf
- For sh, ksh, or bash: $ . LSF_TOP/conf/profile.lsf
5.2 Installation steps
Follow the complete installation procedure on every host to use LSF with non-shared file systems.
1) Go to the patch install directory: cd $LSF_ENVDIR/../9.1/install/
2) Copy the patch file to the install directory $LSF_ENVDIR/../9.1/install/
3) Run patchinstall: ./patchinstall <patch>
5.3 After installation
To only apply the mandatory part of the patch:
1) Log on to the LSF master host as root
2) Run lsadmin resrestart all
3) Run badmin hrestart all
4) Run badmin mbdrestart
To apply the whole patch:
1) Run badmin hshutdown all
2) Run lsadmin resshutdown all
3) Run badmin mbdrestart
4) Back up eauth on all installed hosts as eauth.bak
5) Copy eauth.cve over eauth on all LSF hosts
6) Run chmod u+s $LSF_SERVERDIR/eauth to configure eauth as setuid to root
7) Run lsadmin resstartup all
8) Run badmin hstartup all
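Steps 4 to 6 of the whole-patch procedure on a single host, as an added example that is not IBM's code: it keeps the original binary as eauth.bak, refuses to run a second time so an existing backup is never overwritten with the already-replaced copy, sets the setuid bit, and verifies it; a matching rollback function covers steps 5 and 6 of section 5.5. It assumes LSF_SERVERDIR and the path to eauth.cve are passed as arguments, and it must be run as root on a real host while the cluster is shut down.

```shell
#!/bin/sh
# Usage: install_eauth_cve <LSF_SERVERDIR> <path to eauth.cve>
install_eauth_cve() {
    serverdir="$1"
    cve="$2"
    [ -f "$cve" ] || { echo "missing $cve" >&2; return 1; }
    [ -f "$serverdir/eauth" ] || { echo "no eauth in $serverdir" >&2; return 1; }
    # Running twice would back up the new eauth over the original one.
    if [ -e "$serverdir/eauth.bak" ]; then
        echo "$serverdir/eauth.bak already exists; refusing to overwrite it" >&2
        return 1
    fi
    cp -p "$serverdir/eauth" "$serverdir/eauth.bak" || return 1   # step 4
    cp "$cve" "$serverdir/eauth" || return 1                       # step 5
    chmod u+s "$serverdir/eauth" || return 1                       # step 6
    verify_eauth "$serverdir"
}

# Returns 0 only if eauth exists, is executable and carries the setuid bit.
verify_eauth() {
    [ -x "$1/eauth" ] && [ -u "$1/eauth" ]
}

# Section 5.5, steps 5 and 6: restore the backup and re-apply setuid.
rollback_eauth() {
    [ -f "$1/eauth.bak" ] || { echo "no eauth.bak in $1" >&2; return 1; }
    cp -p "$1/eauth.bak" "$1/eauth" && chmod u+s "$1/eauth" && verify_eauth "$1"
}
```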
5.4 Configuration for IBM Platform RTM and IBM Spectrum LSF RTM
1) Prerequisite: All LSF clusters monitored by RTM must already have the eauth patch applied and mbatchd restarted.
2) Use the corresponding eauth.cve version for LSF
Note: For all x86_64 platforms get the corresponding eauth.cve from "linux2.6-glibc2.3-x86_64"
3) Replace the old version of eauth.cve in RTM_TOP/rtm/lsf91/etc/eauth with the new eauth.cve. By default, RTM_TOP=/opt/IBM.
Note:
a) For mixed cluster situations, RTM monitors and controls the upgraded clusters, but only monitors the non-upgraded clusters. For example, in the case where three LSF 9.1.x clusters and two clusters of LSF 9.1.1 and LSF 9.1.2 are upgraded (with the new eauth.cve), but one LSF 9.1.3 cluster is not upgraded (without the new eauth.cve), RTM will monitor and control the LSF 9.1.1 and 9.1.2 clusters but only monitor the LSF 9.1.3 cluster.
b) There is no requirement to restart RTM
5.5 Uninstallation
To only roll back the mandatory part of the patch:
1) Log on to the LSF master host as root
2) Go to the patch install directory: cd $LSF_ENVDIR/../9.1/install/, then run ./patchinstall -r <patch>
3) Run lsadmin resrestart all
4) Run badmin hrestart all
5) Run badmin mbdrestart
To roll back the whole patch:
1) Run badmin hshutdown all
2) Run lsadmin resshutdown all
3) Run badmin mbdrestart
4) Go to the patch install directory: cd $LSF_ENVDIR/../9.1/install/, then run ./patchinstall -r <patch>
5) Replace eauth with the backup eauth.bak on all LSF hosts
6) Run chmod u+s $LSF_SERVERDIR/eauth to configure eauth as setuid to root
7) Run lsadmin resstartup all
8) Run badmin hstartup all
6. List of files
eauth.cve
mbatchd
sbatchd
res
badmin
lsadmin
7. Product notifications
To receive information about product solution and patch updates automatically, subscribe to product notifications on the My notifications page (www.ibm.com/support/mynotifications) on the IBM Support website (support.ibm.com). You can edit your subscription settings to choose the types of information you want to get notification about, for example, security bulletins, fixes, troubleshooting, and product enhancements or documentation changes.
8. Copyright and trademark information
© Copyright IBM Corporation 2017
U.S. Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
IBM®, the IBM logo and ibm.com® are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml.