User login
Qlustar: Install and enjoy!

[QSA-0128211] Sudo vulnerabilities

Qlustar Security Advisory 0128211

January 28th, 2021


Summary:

This update includes a fix for the dangerous sudo vulnerabilty (Baron Samedit) that allows root access for any local user. You should update your cluster as soon as possible. If sudo is not used on your cluster nodes, you can also make the sudo binary non-executable on all cluster (net-boot) nodes (via

chmod a-x /usr/bin/sudo 
) and just update the sudo package on the head-node(s) to have immediate protection without the need for updating and possibly rebooting cluster nodes.


    Package(s)       : sudo,
                       qlustar-module-core-xenial-amd64-10.1.1,
                       qlustar-module-core-bionic-amd64-11.0.1,
                       qlustar-module-core-centos7-amd64-11.0.1,
                       qlustar-module-core-centos8-amd64-11.0.1,
                       qlustar-module-core-focal-amd64-12.0.0,
                       qlustar-module-core-centos7-amd64-12.0.0,
                       qlustar-module-core-centos8-amd64-12.0.0
    Qlustar releases : 10.1, 11.0, 12.0
    Affected versions: All versions prior to this update
    Vulnerability    : privilege escalation
    Problem type     : Local
    Qlustar-specific : no
    CVE Id(s)        : CVE-2021-3156, CVE-2021-23239
  

Relevant to Qlustar 12.0 and 11.0 and 10.1

Sudo vulnerabilities

It was discovered that Sudo incorrectly handled memory when parsing command lines. A local attacker could possibly use this issue to obtain unintended access to the administrator account.

It was discovered that the Sudo sudoedit utility incorrectly handled checking directory permissions. A local attacker could possibly use this issue to bypass file permissions and determine if a directory exists or not.

Update instructions:

The problem can be corrected by updating your system to the following or more recent package versions (follow the Qlustar Update Instructions):

For Qlustar 12.0

    sudo                                       1.8.31-1ubuntu1.2
    qlustar-module-core-focal-amd64-12.0.0     12.0.0.1.1-b529f1342
    qlustar-module-core-centos7-amd64-12.0.0   12.0.0.1.1-b529f1342
    qlustar-module-core-centos8-amd64-12.0.0   12.0.0.1.1-b529f1342
  

For Qlustar 11.0

    sudo                                       1.8.21p2-3ubuntu1.4
    qlustar-module-core-bionic-amd64-11.0.1    11.0.1.5.1-b527f1343
    qlustar-module-core-centos7-amd64-11.0.1   11.0.1.5.1-b527f1343
    qlustar-module-core-centos8-amd64-11.0.1   11.0.1.5.1-b527f1343
  

For Qlustar 10.1

    sudo                                       1.8.16-0ubuntu1.10
    qlustar-module-core-xenial-amd64-10.1.1    10.1.1.17.1-b521f1345
  
glqxz9283 sfy39587stf02 mnesdcuix8
sfy39587stf03
sfy39587p08