IBM Spectrum LSF 10.1 Fix 443727 Readme File
Abstract
P102110. This fix strengthens how LSF authorizes user credentials for the data stream between LSF clients and servers. It addresses CVE-2017-1205.
Description
LSF uses an external authentication framework to secure user credentials for
the data stream between LSF clients and servers. By default, LSF provides an
eauth.exe executable file, which takes a static authorization key to encrypt
the data. As part of the installation process, changing the default key is
important to prevent unauthorized access. However, many sites do not change
this default key and are therefore vulnerable to CVE-2017-1205.
This defect was present and undetected for over ten years, even during previous
third party security reviews. There are no reported instances of anyone having
exploited this defect to attack LSF security.
This fix addresses CVE-2017-1205 by enhancing the default eauth.exe executable
file to automatically generate site-specific keys, and is available for all
supported versions of LSF on all supported operating systems.
Sites that use LSF Kerberos authentication are not affected by this issue, but
installing this fix addresses potential vulnerabilities if LSF Kerberos authentication
is unavailable.
This fix consists of two parts:
1. RECOMMENDED: Replace the default eauth.exe executable file with eauth.cve.exe. Update mbatchd.exe, sbatchd.exe, res.exe, lsadmin.exe, and badmin.exe binary files. This update addresses the potential replay attack. You must replace the eauth.exe executable file on all hosts simultaneously, which requires LSF to be shut down.
2. OPTIONAL: Generate custom eauth keys. Generate custom eauth keys at the same time as you replace the eauth.exe executable file.
1. Update key binaries
Update mbatchd.exe, sbatchd.exe, res.exe, lsadmin.exe, and badmin.exe.
2. Default eauth.exe executable
The new default eauth.exe executable file is enhanced to automatically generate a site-specific key by using 128-bit AES encryption.
The new eauth.exe executable file is named eauth.cve.exe in the fix. It can directly replace the default eauth.exe executable file for authentication between LSF clients and servers in the same LSF cluster.
You must replace all binary files to fully address CVE-2017-1205. To ensure that you correctly enable the enhancements in your LSF clusters, check the following:
1) The new eauth.exe executable file rejects LSF requests from any host whose UTC time differs from the server host's by more than 5 minutes.
2) When you use the new eauth.exe executable file in LSF clusters with the following LSF features, you must configure the same LSF_EAUTH_KEY in the lsf.sudoers file on all related LSF clusters:
· Running an interactive task on a remote host across LSF Multi-Cluster by using the LSF command "ls(g)run.exe -m"
· LSF data managers in LSF Multi-Cluster
3) You must follow the configuration steps for using the new executable file with the following LSF add-on products so that they continue to work with LSF:
· IBM Spectrum LSF RTM
4) You must install the new eauth.exe executable file on all LSF hosts in the LSF cluster. Otherwise, LSF commands that run on hosts without the new eauth.exe executable file will encounter authentication problems.
5) The enhancements do not support LSF distributions earlier than Version 8.3. If any LSF hosts are running these earlier versions of LSF, the entire LSF cluster cannot apply the new eauth.exe executable file as the default eauth method. If you are using an earlier version of LSF, use LSF Kerberos authentication or your own authentication method.
3. Generating site-specific custom eauth keys
LSF supports configuring a customized authorization key in the lsf.sudoers file to encrypt the user credentials. The lsf.sudoers file is located in the directory specified by the LSF_SECUREDIR parameter in lsf.conf. This key can be generated by using key generation tools such as GnuPG or ssh-keygen. The following is an example of generating an authorization key using GnuPG, with the configuration steps in LSF:
1) Download the GnuPG package (https://www.gnupg.org/download/index.html) and install the package on the LSF master host.
2) Create GPG keys using GnuPG.
3) Remove the original LSF_EAUTH_KEY configuration line in the lsf.sudoers file.
4) Export the ASCII-armored format output of the GPG key and append the following line in the lsf.sudoers file:
LSF_EAUTH_KEY=<ASCII-armored format of GPG key>
For UNIX, you must edit the lsf.sudoers file on all hosts within the cluster and specify the same encryption key. For Windows, you must edit the shared lsf.sudoers file.
5) Reconfigure the cluster to apply this change.
# badmin reconfig
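A pre-rollout readiness check for the conditions in items 1) and 4) above and the same-key requirement in step 4) of the custom-key procedure (an added example, not part of the IBM fix or of LSF itself; the host inventory, the key values and the eauth.exe hash values are constructed placeholders):

```python
# Added example: checks a cluster inventory against the readme's rollout
# conditions before restarting LSF. Not IBM code. The inventory below is
# constructed; the hash strings are placeholders, not real digests.
import re
from datetime import datetime

SKEW_LIMIT_S = 5 * 60  # the new eauth.exe rejects requests beyond this offset
NEW_EAUTH_HASH = "PLACEHOLDER-HASH-OF-EAUTH-CVE-EXE"  # placeholder, not real

# Constructed per-host data: hash of the installed eauth.exe, the contents of
# lsf.sudoers, and the host's UTC clock reading taken at the same moment.
INVENTORY = {
    "master": {"eauth_hash": NEW_EAUTH_HASH,
               "sudoers": "# constructed sample\nLSF_EAUTH_KEY=key-A\n",
               "utc": "2017-03-31T10:00:00"},
    "hostA":  {"eauth_hash": NEW_EAUTH_HASH,
               "sudoers": "LSF_EAUTH_KEY=key-A\n",
               "utc": "2017-03-31T10:02:30"},
    "hostB":  {"eauth_hash": "PLACEHOLDER-HASH-OF-OLD-EAUTH-EXE",
               "sudoers": "LSF_EAUTH_KEY=key-A\n",
               "utc": "2017-03-31T09:52:00"},   # 8 minutes slow
    "hostC":  {"eauth_hash": NEW_EAUTH_HASH,
               "sudoers": "# no key line: this host still uses the default\n",
               "utc": "2017-03-31T10:00:10"},
}

def eauth_key(sudoers_text):
    """Return the value on the LSF_EAUTH_KEY line, or None if the line is absent."""
    m = re.search(r"^\s*LSF_EAUTH_KEY\s*=\s*(.*?)\s*$", sudoers_text, re.M)
    return m.group(1) if m else None

def rollout_problems(inventory, master="master"):
    """Return (host, problem) tuples; an empty list means the cluster is ready."""
    problems = []
    master_key = eauth_key(inventory[master]["sudoers"])
    master_clock = datetime.fromisoformat(inventory[master]["utc"])
    for host, info in inventory.items():
        if info["eauth_hash"] != NEW_EAUTH_HASH:      # item 4): every host updated
            problems.append((host, "old eauth.exe still installed"))
        if eauth_key(info["sudoers"]) != master_key:   # step 4): same key everywhere
            problems.append((host, "LSF_EAUTH_KEY differs from master"))
        skew = abs((datetime.fromisoformat(info["utc"]) - master_clock).total_seconds())
        if skew > SKEW_LIMIT_S:                        # item 1): 5-minute window
            problems.append((host, f"clock skew {int(skew)}s exceeds 5 minutes"))
    return problems

for host, why in rollout_problems(INVENTORY):
    print(f"{host}: {why}")
```

Run it against real inventory data before step 5) of the installation; any reported host will fail authentication once the cluster restarts with the new eauth.exe.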
Readme file for: IBM® Spectrum LSF
Product/Component Release: 10.1
Update Name: Fix 443727
Fix ID: LSF-10.1-build443727
Publication date: 31 March 2017
Last modified date: 30 March 2017
Contents:
1. List of fixes
2. Download location
3. Products or components affected
4. System requirements
5. Installation and configuration
6. List of files
7. Product notifications
8. Copyright and trademark information
1. List of fixes
P102110
2. Download Location
Download Fix 443727 from the following location: http://www.ibm.com/eserver/support/fixes/
3. Products or components affected
Affected components include: LSF/eauth.exe, LSF/mbatchd.exe, LSF/sbatchd.exe, LSF/res.exe, LSF/badmin.exe, LSF/lsadmin.exe
4. System requirements
win-x64
5. Installation and configuration
5.1 Before installation
None
5.2 Installation steps
1) Log on to the LSF master host as LSF cluster administrator
2) Run badmin hshutdown all
3) Run lsadmin resshutdown all
4) Run lsadmin limshutdown
5) Log on to the Windows host as administrator and install the Windows patch
5.3 After installation
1) Log on to the Windows host as administrator
2) Backup the eauth.exe on the Windows host as eauth.bak.exe
3) Copy the eauth.cve.exe to replace the eauth.exe on the Windows host
4) Log on to the LSF master host as LSF cluster administrator
5) Run lsadmin limstartup
6) Run lsadmin resstartup all
7) Run badmin hstartup all
5.4 Uninstallation
1) Log on to the LSF master host as LSF cluster administrator.
2) Run badmin hshutdown all
3) Run lsadmin resshutdown all
4) Run lsadmin limshutdown
5) Log on to the Windows host as administrator and remove the patch installation from the Windows control panel on the Windows host
6) Replace eauth.exe with the backup eauth.bak.exe on the Windows host
7) Log on to the LSF master host as LSF cluster administrator.
8) Run lsadmin limstartup
9) Run lsadmin resstartup all
10) Run badmin hstartup all
6. List of files
eauth.cve.exe
mbatchd.exe
sbatchd.exe
res.exe
badmin.exe
lsadmin.exe
7. Product notifications
To receive information about product solution and patch updates automatically, subscribe to product notifications on the My notifications page (www.ibm.com/support/mynotifications) on the IBM Support website (support.ibm.com). You can edit your subscription settings to choose the types of information you want to get notification about, for example, security bulletins, fixes, troubleshooting, and product enhancements or documentation changes.
8. Copyright and trademark information
© Copyright IBM Corporation 2017
U.S. Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
IBM®, the IBM logo and ibm.com® are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml.