Hello Ole and fellow easybuilders,
On Monday OpenPMIX also released patched versions of PMIx v3.2.5, v4.0.1
and v4.1.3. (links below)
With the versions 5.0.1 and 4.2.6 there are now five releases that no
longer have the vulnerability.
https://github.com/openpmix/openpmix/releases/tag/v3.2.5
https://github.com/openpmix/openpmix/releases/tag/v4.0.1
https://github.com/openpmix/openpmix/releases/tag/v4.1.3
These security releases only contain one pull-request/commit each:
*Do not follow links when doing "chown"*
...that has this explanation:
> There is a potential issue with allowing a "chown" operation to follow
> user-created links, so let's limit any use of that function to "lchown" -
> which directs the "chown" operation to NOT follow a link.
>
With that I can somewhat imagine some scenarios where an attacker could use
that to "chown" systemfiles to then read and/or modify them in order to
steal information or escalate their privileges.
If the PMIx process runs as the user, this would fail, but a root user (UID
0) would be allowed to chown files however they like.
Slurm users: Check if your Slurm has been built with PMIx support by:
> $ srun --mpi=list
> in which case you must rebuild Slurm without PMIx!
Alternatively you could rebuild Slurm with any of the fixed PMIx releases
(v3.2.5 through v5.0.1)
or possibly delete the files ${SLURM_INSTALL_LOCATION}/lib/slurm/mpi_pmix*
until Slurm can be recompiled.
$ ls -1 ${SLURM_INSTALL_LOCATION}/lib/slurm/mpi_pmix*
${SLURM_INSTALL_LOCATION}/lib/slurm/mpi_pmix.so
${SLURM_INSTALL_LOCATION}/lib/slurm/mpi_pmix_v3.a
${SLURM_INSTALL_LOCATION}/lib/slurm/mpi_pmix_v3.la
${SLURM_INSTALL_LOCATION}/lib/slurm/mpi_pmix_v3.so
${SLURM_INSTALL_LOCATION}/lib/slurm/mpi_pmix_v4.a
${SLURM_INSTALL_LOCATION}/lib/slurm/mpi_pmix_v4.la
${SLURM_INSTALL_LOCATION}/lib/slurm/mpi_pmix_v4.so
Oliver Stueker, Dr. rer. nat. (he/him)
Research Consultant, ACENET
based at: Memorial University of Newfoundland
Email: supp...@tech.alliancecan.ca - supp...@ace-net.ca
Web: https://www.ace-net.ca - https://docs.alliancecan.ca
A regional partner of the Digital Research Alliance of Canada
On Thu, Sep 14, 2023 at 9:30 PM Ole Holm Nielsen
wrote:
> Hi Easybuilders,
>
> The Slurm folks have alerted us to an important security issue in PMIx
> before 4.2.6 and 5.0.1. See:
>
> https://nvd.nist.gov/vuln/detail/CVE-2023-41915 (CVSS score 8.1 High)
> https://github.com/openpmix/openpmix/releases/tag/v4.2.6
>
> The description is:
>
> > A security issue was reported by François Diakhate (CEA)
> > which is addressed in the PMIx v4.2.6 and v5.0.1 releases.
> > (Older PMIx versions may be vulnerable, but are no longer
> > supported.)
> >
> > A filesystem race condition could permit a malicious user
> > to obtain ownership of an arbitrary file on the filesystem
> > when parts of the PMIx library are called by a process
> > running as uid 0. This may happen under the default
> > configuration of certain workload managers, including Slurm.
>
> It therefore appears that all EB modules of PMIx are vulnerable, if run
> by the root user for some reason! The most recent EB module is
> PMIx-4.2.4-GCCcore-12.3.0.eb, and all PMIx modules in EB are no longer
> supported!
>
> Question 1: If PMIx is used only by normal users, can we be sure that
> the security issue can't be exploited?
>
> Question 2: Is the issue resolved by PR 18755 and 18759? If so, how do
> we apply this to all of our currently installed PMIx modules? Can
> anyone give the exact command used to rebuild any given PMIx module
> including the mentioned PRs?
>
> Slurm users: Check if your Slurm has been built with PMIx support by:
> $ srun --mpi=list
> in which case you must rebuild Slurm without PMIx!
>
> Thanks,
> Ole
>
> --
> Ole Holm Nielsen
> PhD, Senior HPC Officer
> Department of Physics, Technical University of Denmark
>
