Bug 1005918 - (CVE-2013-4319) CVE-2013-4319 torque: remote arbitrary command execution as root on cluster
CVE-2013-4319 torque: remote arbitrary command execution as root on cluster
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
high Severity high
: ---
: ---
Assigned To: Red Hat Product Security
impact=important,public=20130906,repo...
: Security
Depends On: 1005919 1005920
Blocks:
  Show dependency treegraph
 
Reported: 2013-09-09 12:44 EDT by Vincent Danen
Modified: 2015-07-31 03:10 EDT (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Vincent Danen 2013-09-09 12:44:35 EDT
Upstream released a TORQUE security advisory [1] that indicated that a non-privileged user who was able to run jobs or login to a node which ran pbs_server or pbs_mom, could submit arbitrary jobs to a pbs_mom daemon to queue and run the job, which would run as root.  All versions of TORQUE are affected.

The advisory also notes the following mitigating factors:

- The user must be logged in on a node that is already legitimately able to
contact pbs_mom daemons or submit jobs.

- If a user submits a job via this defect and pbs_server is running,
pbs_server will kill the job unless job syncing is disabled. It may take up
to 45 seconds for pbs_server to kill the job.

A patch for 2.5 is available [2], as well as 4.x [3].  Fedora ships with TORQUE 3.x, so will need to backport (or forwardport) one of these patches.


[1] http://www.supercluster.org/pipermail/torqueusers/2013-September/016098.html
[2] http://www.adaptivecomputing.com/torquepatch/fix_mom_priv_2.5.patch
[3] http://www.adaptivecomputing.com/torquepatch/fix_mom_priv.patch


A CVE request has been made:

http://www.openwall.com/lists/oss-security/2013/09/09/4
Comment 1 Vincent Danen 2013-09-09 12:45:47 EDT
Created torque tracking bugs for this issue:

Affects: fedora-all [bug 1005919]
Affects: epel-all [bug 1005920]
Comment 2 Vincent Danen 2013-09-10 01:12:48 EDT
CVE-2013-4319 was assigned:

http://www.openwall.com/lists/oss-security/2013/09/09/11
Comment 3 Leif Nixon 2013-12-13 05:15:29 EST
The Torque package in EPEL is no longer maintained, as far as I am aware. I recommend that it be withdrawn.
Comment 4 Fedora Update System 2014-10-18 12:59:39 EDT
torque-3.0.4-6.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 5 Fedora Update System 2014-10-18 13:00:08 EDT
torque-3.0.4-5.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.