Date: Mon, 09 Sep 2013 12:14:51 +0200
From: Agostino Sarubbo <ago@...too.org>
To: oss-security@...ts.openwall.com
Subject: CVE request: Torque privilege escalation

From the torque advisory
http://www.supercluster.org/pipermail/torqueusers/2013-September/016098.html :

*Vulnerability:*
A non-privileged user who can run jobs or login to a node running pbs_server or pbs_mom can submit an arbitrary job to the cluster; that job can run as root. The user can submit a command directly to a pbs_mom daemon to queue and run a job. A malicious user could use this vulnerability to remotely execute code as root on the cluster.

*Versions Affected:*
All versions of TORQUE

*Mitigating Factors:*
- The user must be logged in on a node that is already legitimately able to contact pbs_mom daemons or submit jobs.
- If a user submits a job via this defect and pbs_server is running, pbs_server will kill the job unless job syncing is disabled. It may take up to 45 seconds for pbs_server to kill the job.
- There are no known instances of this vulnerability being exploited.

--
Agostino Sarubbo
Gentoo Linux Developer