MWR Labs Warns Of Command Injection Vulnerability In IBM’s GPFS / Spectrum Scale

Allows adversary on any system which mounts GPFS to inject commands which are later executed as root

MWR Labs has warned of a high severity vulnerability affecting IBM’s General Parallel File System (GPFS), also now known as Spectrum Scale. Exploitation of this vulnerability allows any user of a system with a GPFS filesystem mounted to execute commands as root across the GPFS cluster.

Speaking about the discovery, John Fitzpatrick, [Managing Director] of MWR InfoSecurity explains, “GPFS is IBM’s parallel file system which is used extensively in the supercomputing and high performance computing world. It is also used by organisations that have a need for extremely fast and massively parallel storage, such as film and TV production companies, universities and research organisations, the oil and gas industry, financial industry, etc. The vulnerability is caused by a failure to safely handle arguments, supplied to a number of setuid binaries. It is significant in any environment using GPFS where non privileged users can access systems which is the case in almost every high performance computing environment, but certainly affects other users too. By exploiting the vulnerability, an attacker can gain root access to execute commands across all nodes in the GPFS cluster, and therefore gain full administrative access to affected systems. Having done so, the implications can be immense; systems with a need for parallel file systems are typically used to process or store extremely sensitive data ranging from academic research, to unreleased movie content, to matters of national and global security.”

IBM has provided patches to resolve this issue, and while at the time of writing MWR has not tested the effectiveness of these patches, it is recommended that they are applied.

About MWR InfoSecurity:

Established in 2003, MWR is an independent cyber security consultancy delivering research-led cyber security for clients around the globe.

It provides specialist advice and solutions in all areas of security, from professional and managed services, through to developing commercial and open source security tools. It focuses on working with clients to develop and deliver security programs, tailored to meet the needs of each individual organisation.

In a rapidly changing technology landscape, innovation is essential and its ambition to push boundaries sets it apart. Evidence of this approach is well documented on its dedicated research and development platform, MWR Labs.

Central to MWR’s philosophy is the desire to deliver high quality cyber security consulting services and unsurpassed levels of support to clients.