PBS Professional MoM Authentication Bypass (CVE-2019-15719)
- To: bugtraq@xxxxxxxxxxxxxxxxx
- Subject: PBS Professional MoM Authentication Bypass (CVE-2019-15719)
- From: john@xxxxxxxxxx
- Date: Wed, 9 Oct 2019 04:29:09 GMT
===========================================================
PBS Professional MoM Authentication Bypass (CVE-2019-15719)
===========================================================
* Software: PBS Professional
* Affected Versions: All versions up to and including 19.2.3
* Vendor: Altair Engineering, Inc
* CVE Reference: CVE-2019-15719
* Severity: CVSS 9.0 [CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H]
* Author: John Fitzpatrick
* Date: 2019-10-08
Description
===========
HPCsec have identified a vulnerability in PBS Pro which allows for arbitrary
code execution on any node running the pbs_mom service. This vulnerability can
be exploited by anyone in a position to communicate with the pbs_mom service
from an authorized node within the cluster. Exploitation of this issue allows
for arbitrary code execution as any other user including as root, even in
installations where root is not permitted to submit jobs.
This issue arises as a result of the pbs_mom service failing to apply a
necessary security check before handling instructions sent to it.
By default the pbs_mom service runs on TCP port 15002. The following code can
be run to check whether a mom is vulnerable to this issue:
---BEGIN CODE::python---
import socket
import sys

if len(sys.argv) < 2:
    print("ERROR: Please specify the address of pbs_mom")
    sys.exit(1)

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
    # pbs_mom listens on TCP port 15002 by default
    s.connect((sys.argv[1], 15002))
    # Request bytes from the original advisory, unchanged
    s.send(b"+2+1+1+1x+1x+1x2+222+15+1x+0+1x+02+24+1x+01+1x+02+12+1x+0+1x+02+14+1x+0+1x+02+" +
           b"131+1x+0+1x+02+411+1x+01+1x+02+241+1x+01+1x+02+261+1x+01+1x+02+12+1x+0+1x+02+1" +
           b"31+1x+0+1x+02+421+1x+01+1x+02+221+1x+1+1x+112+102+251+1x+1+1x+1x2+102+221+1x+0" +
           b"+1x2+103+3351+1x+01+1x+02+13+1x+0+1x+02+14+1x+0+1x2+102+19+1x+0+1x+02+12+1x+0+" +
           b"11+02+181+1x+0+210+02+29+6hpcsec+01+1x+02+141+1x+0+11+0+0")
    # Classify the mom by the first 64 bytes of its reply
    response = s.recv(64)
    if b"Invalid" in response:
        print("Vulnerable = NO")
    elif b"Access" in response:
        print("Vulnerable = UNKNOWN (try again from a permitted host, e.g. "
              "another mom or the pbs server)")
    # Test each marker separately so unmatched replies reach the final else
    elif b"Undefined" in response or b"System" in response:
        print("Vulnerable = YES")
    else:
        print("Vulnerable = UNKNOWN (unhandled response)")
except Exception as e:
    print("ERROR: " + str(e))
finally:
    s.close()
# Download here: https://files.hpcsec.com/utilities/check-CVE-2019-15719.py
---END CODE---
Solution
========
A fix for this issue has been incorporated into all currently supported
versions of PBS Professional. Fixes are available in the following versions:
* 13.0.412
* 14.2.7
* 18.2.5
* 19.2.4 and newer
A fix is now available on GitHub for users of the open source 19.1.X branch.
The fix is incorporated into the current 19.1.2 release with no change to the
version number. Therefore earlier instances of 19.1.2 are vulnerable.
Those running earlier versions should update to the latest fixed version in the
relevant branch.
The updated versions are available from the Altair PBS Professional download
site (https://www.pbspro.org/Download.aspx#download).
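A triage helper for the fixed-version list above, as an added example (not part of the HPCsec advisory or of Altair's tooling): it sorts version strings from a node inventory into fixed, vulnerable, or needing manual verification, the last covering the 19.1.2 build that was re-released without a version change. The host names and inventory are constructed, and treating later releases on a fixed branch as fixed is an assumption.

```python
import re

# Fixed release per branch, from the advisory's Solution section.
FIXED_IN_BRANCH = {(13, 0): 412, (14, 2): 7, (18, 2): 5, (19, 2): 4}
LAST_AFFECTED = (19, 2, 3)  # "All versions up to and including 19.2.3"


def classify(version):
    """Return 'fixed', 'vulnerable' or 'verify' for a PBS Pro version string."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        return "verify"  # unparseable: someone has to look at the node
    major, minor, patch = (int(g) for g in m.groups())
    branch = (major, minor)
    if branch == (19, 1):
        # The fix went into 19.1.2 with no version bump, so the number
        # alone cannot tell a fixed build from an earlier, unfixed one.
        return "vulnerable" if patch < 2 else "verify"
    if branch in FIXED_IN_BRANCH:
        # Assumption: later releases on the same branch keep the fix.
        return "fixed" if patch >= FIXED_IN_BRANCH[branch] else "vulnerable"
    if (major, minor, patch) > LAST_AFFECTED:
        return "fixed"  # "19.2.4 and newer"
    return "vulnerable"  # affected range, branch with no listed fix


def triage(inventory):
    """Group hosts by status; inventory maps host name -> version string."""
    groups = {"fixed": [], "vulnerable": [], "verify": []}
    for host, version in sorted(inventory.items()):
        groups[classify(version)].append(host)
    return groups


# Constructed sample inventory (host names and version strings are made up).
SAMPLE = {
    "node01": "pbs_version = 19.2.3",
    "node02": "19.2.4",
    "node03": "19.1.2",
    "node04": "14.2.6",
    "node05": "18.2.5",
    "node06": "unknown",
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE).items():
        print(status, hosts)
```

Nodes reported as "verify" need their build checked against the patched 19.1.2 release, or a run of the check script above from a permitted host.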
Timeline
========
2019-08-22: Issue reported to Altair
2019-10-07: Patch available for all supported versions of PBS Pro
2019-10-08: HPCsec advisory published
================================================
https://www.hpcsec.com/2019/10/08/cve-2019-15719
================================================