oss-sec mailing list archives
Re: CVE request: Torque privilege escalation
From: Kurt Seifried <kseifried () redhat com>
Date: Mon, 09 Sep 2013 10:35:20 -0600
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 09/09/2013 04:14 AM, Agostino Sarubbo wrote:
From the torque advisory http://www.supercluster.org/pipermail/torqueusers/2013-September/016098.html : *Vulnerability:* A non-privileged user who can run jobs or login to a node running pbs_server or pbs_mom can submit an arbitrary job to the cluster; that job can run as root. The user can submit a command directly to a pbs_mom daemon to queue and run a job. A malicious user could use this vulnerability to remotely execute code as root on the cluster. *Versions Affected:* All versions of TORQUE *Mitigating Factors:* - The user must be logged in on a node that is already legitimately able to contact pbs_mom daemons or submit jobs. - If a user submits a job via this defect and pbs_server is running, pbs_server will kill the job unless job syncing is disabled. It may take up to 45 seconds for pbs_server to kill the job. - There are no known instances of this vulnerability being exploited.
Please include links to the vulns/source code fixes/original information thanks. - -- Kurt Seifried Red Hat Security Response Team (SRT) PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (GNU/Linux) iQIcBAEBAgAGBQJSLfjFAAoJEBYNRVNeJnmTmsEP/2VnQVuLVoVLzFuJRRQovcjf Iu50e5Bk2WEWLsibhdjuYbp14gZ4smNHHk1wjRxMKV12kbBzQ4ivndR13TukcCns CEkYSKbHgJqBvpBVIXjXqBtSovc26UaZd6Zz0jrrgBsKhX1r+opqmRMispZ5f7sn sK9fTwHnySIwuBHO8cm0RLDcoOY04UVk75gq8iemPcNnAWB4a1zRKPNk+ir5G6vg PrbWpfTFEiqe5LWpJADAUQj8dAHMpbJGZuis5krUGCe7ZLM+uCCPKBkU0sVsiHu6 wM3bPnFt8ifBvRxG9gM7sRZ6/rHeK3DHvE53j10JjGA+HCgy6jSceWJzl4d0LXPj AQpsjW/Q7zcFY8Amx5wyL0DYwtWDwz/ZnQKRQINwoy7PzMb0lUOtxaOmcSiT5unE NHsW4Pi3u9KVV75PztWDc2367/B+gpRrVugR/fFJUylz32wofIzv/Jo6otXAyGe2 gZcrx+9ekO1dCX+jMNaqvQL2WzjgILh4ZfbBVTYeNmb4JyrVCGsdVrw9b3l+QKqs yG/V44cZaNh18lMXwVm8Iv8fwfxIqzETVaUDnrAqdDxU3ol67mZ/GpSc3JXBtYtF fIVrreD7pEYFEy5jLskdwb1+H/FbU7u88Z2h4cGwSwphPNWK2FJA3xx1bIkIX1bF vOpu/OmXp43+Mn8JXUIP =UMc5 -----END PGP SIGNATURE-----
Current thread:
- CVE request: Torque privilege escalation Agostino Sarubbo (Sep 09)
- Re: CVE request: Torque privilege escalation Kurt Seifried (Sep 09)
- Re: CVE request: Torque privilege escalation Agostino Sarubbo (Sep 09)
- Re: CVE request: Torque privilege escalation Kurt Seifried (Sep 09)
- Re: CVE request: Torque privilege escalation Agostino Sarubbo (Sep 09)
- Re: CVE request: Torque privilege escalation Kurt Seifried (Sep 09)