So you bought a HPE Cray EX supercomputer… What does this mean when it comes to security?
We take a look at the HPE Cray EX supercomputer platform from a security perspective.
John
Multiple IBM Spectrum LSF Authentication Vulnerabilities (Eauth) (CVE-2020-4983)
CVE: CVE-2020-4983
Severity: CVSS 9.6 (Critical)
Severity: CVSS 9.6 (Critical)
This advisory details two closely related vulnerabilities affecting versions of Spectrum LSF which can allow an adversary to gain root access to a cluster.
Spectrum Scale Exploit Analysis
Exploit code enabling a user to gain root access to a system running vulnerable versions of Spectrum Scale (GPFS) surfaced online. We've undertaken an analysis of this exploit code and written a safe script that you can use to check if your Spectrum Scale installation is vulnerable as well as some best practice advice for securing your installation.
Websphere, IIOP and Spectrum Scale GUI
HPCsec took a look at whether the recent critical vulnerabilities in IBM Websphere (CVE-2020-4448 + CVE-2020-4450) affect Spectrum Scale GUI users
Incorporating Security into your Next HPC Procurement v1.1
What security questions should you be asking during your next HPC/Supercomputer procurement?
BeeGFS Privilege Escalation (CVE-2019-15897)
A vulnerability exists in a default
installation of BeeGFS which allows users to perform operations which allow them to elevate their privileges and become root. This is due to a failure to properly authenticate a user when performing filesystem operations.
Sudo Vulnerability (CVE-2019-14287) Worked Example
CVE-2019-14287 is a vulnerability affecting versions of sudo < 1.8.28 which can allow users with sudo privileges to circumvent restrictions and become root.
This post is a worked example of exploiting this vulnerability.
This post is a worked example of exploiting this vulnerability.
PBS Professional MoM Authentication Bypass (CVE-2019-15719)
HPCsec have identified a vulnerability in PBS Pro which allows for arbitrary code execution on any node running the pbs_mom service. This vulnerability can be exploited by anyone in a position to communicate with the pbs_mom service from an authorized node within the cluster. Exploitation of this issue allows for arbitrary code execution as any other user including as root, even in installations where root is not permitted to submit jobs.
Responding to Customer Security Requirements During Procurement
The reality is that, despite it being a requirement of most HPC customers, HPC vendors are not doing a lot when it comes to security when there is a lot of opportunity to leverage this to differentiate.
Do Traditional Cyber Security Rules Apply to HPC Environments?
Good security is about dissecting something in order to understand how it works and then looking for ways to manipulate in order to facilitate unintended functionality. As long as that principle exists security can apply within any environment.
IBM Spectrum LSF Privilege Escalation
A vulnerability was identified within IBM Spectrum LSF which made it was possible to impersonate other users when submitting jobs for execution. Additionally, it was found to be possible to impersonate and execute jobs as root, even where root job submission is disabled.
DDN Insecure Update Process
An insecure update mechanism on DDN SFA devices allows for privilege escalation to root.
DDN Default SSH Keys
DDN SFA devices have default SSH keys in place which can be used to gain access.
IBM GPFS / Spectrum Scale Command Injection
A command injection vulnerability in GPFS / Spectrum Scale allows attackers to escalate privileges to root
SGI SUID Root Privilege Escalation
The VX binary on SGI ICE-X supercomputers can be used to escalate privileges to root.
SGI Tempo System Database Exposure
It is possible for users of ICE-X supercomputers to gain access to backups of system configuration databases.
Moab Authentication Bypass (CVE-2014-5300)
It is possible to bypass authentication within Moab in order to impersonate and run commands/operations as arbitrary users. The issue is believed to affect all versions of Moab prior to versions 7.2.9 and Moab 8.
Moab Authentication Bypass (insecure message signing) : (CVE-2014-5376)
Moab provides two methods to authenticate messages sent by users (e.g. job submissions). The default scheme which is widely used is insecure and can be circumvented in order to impersonate other users and perform operations on their behalf.
Torque 2.5.13 Buffer Overflow (CVE-2014-0749)
A buffer overflow exists in older versions of TORQUE which can be exploited in order to remotely execute code from an unauthenticated perspective. This issue is exploitable in all versions of the 2.5 branch, up to and including 2.5.13.
Cray Aprun/Apinit Privilege Escalation (CVE-2014-0748)
The apinit service does not safely validate messages supplied to it through the use of aprun. Users of Cray systems are able to exploit this weakness in order to execute commands on the compute nodes of a Cray supercomputer as arbitrary users, including root (UID 0).