Globus Security Advisory 2007-03: Nexus vulnerability
Original issue date: May 17, 2007
Last revised: None
Software affected: Globus Toolkit releases 4.1.1 and earlier
Specific packages:
globus_nexus-6.6 and earlier
Overview:
A vulnerability was discovered in the globus-job-manager. As far as we know, root privileges cannot be obtained, but the system running the globus-job-manager (typically the head node of a cluster) can be made to crash, resulting in a denial of service (DoS). If many globus-job-managers are attacked at once on the same system, all available physical and swap memory can be consumed, causing the kernel OOM killer to start killing off everything including init, and eventually causing a kernel panic which halts the system.
I. Description
When a GRAM2 job is submitted, the job manager will open and listen on 3 ephemeral ports during the life of the job. Two of these ports are used by MPICH-G2 applications. It has been demonstrated that these ports are vulnerable to an attack which can cause excessive memory consumption and denial of service of the host system.
II. Impact
A remote attacker may cause a denial of service.
III. Solution
Nexus has been modified to use GSI with self authorization on Nexus TCP sockets by default. This restricts access to the ports opened by the job manager to the user that submitted the job. Details about this bug can be read here: http://bugzilla.globus.org/globus/show_bug.cgi?id=5297
While testing this solution, a deadlock bug was found and fixed in GSSAPI when built with threads. Additional details about this bug can be read here: http://bugzilla.globus.org/bugzilla/show_bug.cgi?id=5279
In addition, we've provided a job manager configuration option to disable the Nexus ports. Administrators can add -duct disable to the job manager configuration file to disable the vulnerable TCP ports.
Options:
There are 3 new GT packages available for download at http://www.globus.org/toolkit/advisories.html
- globus_nexus-6.7.tar.gz
This package contains the modification to Nexus to use GSI with self authorization on TCP sockets by default.
http://bugzilla.globus.org/globus/show_bug.cgi?id=5297
- globus_gssapi-4.11.tar.gz
This package fixes a deadlock in GSI activation when built with threads.
http://bugzilla.globus.org/bugzilla/show_bug.cgi?id=5279
- globus_gram_job_manager-6.11.tar.gz [Optional]
This package contains updates to disable the communication channel used for MPICH-G2 jobs (a.k.a. Nexus ports). If you don't take this package but you do take the other portion of the security update, these communication channels will be secure: this package is not strictly needed.
If you are unsure whether or not your users use MPICH-G2, you can safely ignore this package. If you are sure they do not, you can use this update to disable these ports for an extra ounce of preventative care.
These packages will need to be recompiled (order doesn't matter since there are no interface differences).
MPICH installations do not need to be recompiled; however, any statically linked MPICH-G applications will need to be recompiled before they can be submitted to GRAM2 services.
GRAM2 clients (e.g. globusrun) do not need to be recompiled.
SHA1 checksums:
2ce524fa91e46c6b1a0b171d07156cda3983b5ec globus_nexus-6.7.tar.gz
ab2c53ba3972ed130549755bd87e79feb8080091 globus_gssapi_gsi-4.11.tar.gz
f914a848bf47e9306866ab99e4ac99d82d2deddc globus_gram_job_manager-6.11.tar.gz
MD5 checksums:
b4cc4aaf3f3d90099836b903714d3924 globus_nexus-6.7.tar.gz
b694de73bb3dba699e16fba096e560e6 globus_gssapi_gsi-4.11.tar.gz
bc11f0ddb973b047d63829139b28df45 globus_gram_job_manager-6.11.tar.gz
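
A way to check downloaded tarballs against the SHA1 checksums listed above before building them, shown as an added example that is not part of the original advisory. The function names `sha1_of` and `verify_manifest` and the download directory argument are assumptions; the manifest uses the file names exactly as they appear in the checksum list.

```shell
#!/bin/sh
# Added example: verify the advisory's tarballs against its published SHA1
# values. Fails closed: a missing file or a mismatch makes the check fail.

# Manifest copied from the "SHA1 checksums" list in this advisory.
ADVISORY_SHA1='2ce524fa91e46c6b1a0b171d07156cda3983b5ec  globus_nexus-6.7.tar.gz
ab2c53ba3972ed130549755bd87e79feb8080091  globus_gssapi_gsi-4.11.tar.gz
f914a848bf47e9306866ab99e4ac99d82d2deddc  globus_gram_job_manager-6.11.tar.gz'

# sha1_of FILE: print the hex SHA-1 digest of FILE.
sha1_of() {
    if command -v sha1sum >/dev/null 2>&1; then
        sha1sum "$1" | awk '{print $1}'
    else
        # Fallback for systems without coreutils sha1sum.
        openssl dgst -sha1 "$1" | awk '{print $NF}'
    fi
}

# verify_manifest DIR MANIFEST: return 0 only if every file named in
# MANIFEST ("<sha1> <name>" per line) exists in DIR and its digest matches.
verify_manifest() {
    local dir manifest want name got rc
    dir=$1; manifest=$2; rc=0
    while read -r want name; do
        [ -n "$want" ] || continue            # skip blank lines
        if [ ! -f "$dir/$name" ]; then
            echo "MISSING  $name" >&2; rc=1; continue
        fi
        got=$(sha1_of "$dir/$name")
        if [ "$got" = "$want" ]; then
            echo "OK       $name"
        else
            echo "MISMATCH $name (got $got)" >&2; rc=1
        fi
    done <<EOF
$manifest
EOF
    return $rc
}

# When run with a download directory as its argument, check all three
# packages (drop the optional job manager line from the manifest if unused).
if [ "$#" -gt 0 ]; then
    verify_manifest "$1" "$ADVISORY_SHA1"
fi
```

A passing check only shows that the files match this advisory's list, so the advisory text itself should come from a channel you trust.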