Allows adversary on any system which mounts GPFS to inject commands which are later executed as root
MWR Labs has warned of a high severity vulnerability affecting IBM’s General Parallel File System (GPFS), also now known as Spectrum Scale. Exploitation of this vulnerability allows any user of a system with a GPFS filesystem mounted to execute commands as root across the GPFS cluster.
Speaking about the discovery, John Fitzpatrick, Managing Director of MWR InfoSecurity, explains, “GPFS is IBM’s parallel file system which is used extensively in the supercomputing and high performance computing world. It is also used by organisations that have a need for extremely fast and massively parallel storage, such as film and TV production companies, universities and research organisations, the oil and gas industry, financial industry, etc. The vulnerability is caused by a failure to safely handle arguments supplied to a number of setuid binaries. It is significant in any environment using GPFS where non-privileged users can access systems, which is the case in almost every high performance computing environment, but certainly affects other users too. By exploiting the vulnerability, an attacker can gain root access to execute commands across all nodes in the GPFS cluster, and therefore gain full administrative access to affected systems. Having done so, the implications can be immense; systems with a need for parallel file systems are typically used to process or store extremely sensitive data ranging from academic research, to unreleased movie content, to matters of national and global security.”
IBM has provided patches to resolve this issue, and while at the time of writing MWR has not tested the effectiveness of these patches, it is recommended that they are applied.
About MWR InfoSecurity:
Established in 2003, MWR is an independent cyber security consultancy delivering research-led cyber security for clients around the globe.
It provides specialist advice and solutions in all areas of security, from professional and managed services, through to developing commercial and open source security tools. It focuses on working with clients to develop and deliver security programs, tailored to meet the needs of each individual organisation.
In a rapidly changing technology landscape, innovation is essential and its ambition to push boundaries sets it apart. Evidence of this approach is well documented on its dedicated research and development platform, MWR Labs.
Central to MWR’s philosophy is the desire to deliver high quality cyber security consulting services and unsurpassed levels of support to clients.