Date: Mon, 09 Sep 2013 12:14:51 +0200 From: Agostino Sarubbo <ago@...too.org> To: oss-security@...ts.openwall.com Subject: CVE request: Torque privilege escalation >From the torque advisory http://www.supercluster.org/pipermail/torqueusers/2013-September/016098.html : *Vulnerability:* A non-privileged user who can run jobs or login to a node running pbs_server or pbs_mom can submit an arbitrary job to the cluster; that job can run as root. The user can submit a command directly to a pbs_mom daemon to queue and run a job. A malicious user could use this vulnerability to remotely execute code as root on the cluster. *Versions Affected:* All versions of TORQUE *Mitigating Factors:* - The user must be logged in on a node that is already legitimately able to contact pbs_mom daemons or submit jobs. - If a user submits a job via this defect and pbs_server is running, pbs_server will kill the job unless job syncing is disabled. It may take up to 45 seconds for pbs_server to kill the job. - There are no known instances of this vulnerability being exploited. -- Agostino Sarubbo Gentoo Linux Developer
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.