Grid Security Vulnerability Group - Advisory

Topic: Possible privilege escalation inside Torque
Date: 2009-05-11
ID: Grid Vulnerability Savannah bug #42652

Background

Torque is an open-source batch scheduling system developed by Cluster Resources Inc. [1] and widely deployed across the EGEE Grid.

Vulnerability Details

Privilege escalation is possible within Torque in certain circumstances, including escalation to root privilege.

Grid Security Vulnerability Group Response

The Grid Security Vulnerability Group considers this issue to be 'Moderate' risk and recommends that all sites upgrade the relevant components.

Component and Installation information for gLite 3.1

Installation instructions for gLite 3.1 are available at:
http://glite.org/glite/packages/R3.1/updates.asp

gLite 3.1 release number: gLite 3.1 update 60

Component and Installation information for gLite 3.2

Installation instructions for gLite 3.2 are available at:
http://glite.org/glite/packages/R3.2/updates.asp

gLite 3.2 release number: gLite 3.2 update 07

Precautionary measures or checks

The vulnerability would be mitigated by setting the system limit NPROC (the maximum number of processes per user) to a very high value.

Other information

Although it might be possible to escalate to root, this issue was only considered 'moderate' risk, as an exploit would depend on circumstances that were deemed rare at best.

Credit

This vulnerability was initially reported by Eygene Ryabinkin.

Disclosure Timeline

Yyyy-mm-dd
2008-10-09  Vulnerability reported by Eygene Ryabinkin
2008-10-27  Initial response from the Grid Security Vulnerability Group
2009-11-15  Updated gLite packages available
2010-01-11  Updates released
2010-01-11  Public disclosure

References

[1] http://www.clusterresources.com/pages/products/torque-resource-manager.php

==========================================================================
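The "Precautionary measures or checks" section above recommends raising the per-user NPROC limit. The following POSIX shell audit is an added example, not part of the advisory or of the Torque or gLite projects: it parses a limits.conf-style file for nproc entries and lists the domains whose hard limit is below a chosen threshold, so an administrator can confirm the mitigation is in place on a batch node. The sample file contents are constructed, and the threshold value (65536) is a placeholder; the advisory does not say what counts as "very high", so pick the value for your site.

```shell
#!/bin/sh
# Added example: audit per-user process limits (nproc) on a batch node.
# Not part of the advisory. The limits.conf text below is a constructed
# sample and the threshold is a placeholder, not a value from the advisory.

# Constructed sample of /etc/security/limits.conf (not from any real host).
SAMPLE_LIMITS='# /etc/security/limits.conf (constructed sample)
*        soft    nproc   1024
*        hard    nproc   4096
torque   hard    nproc   65536
@users   hard    nproc   2048
root     -       nproc   unlimited
*        hard    nofile  8192
'

# Print "<domain> <type> <value>" for every nproc entry in the given
# limits.conf text, skipping comment lines and unrelated items (nofile...).
nproc_entries() {
    printf '%s\n' "$1" | awk '$1 !~ /^#/ && $3 == "nproc" { print $1, $2, $4 }'
}

# Print the domains whose hard (or "-", meaning both) nproc limit is a
# number below the threshold in $2. "unlimited" is never reported.
low_nproc_hard_limits() {
    threshold="$2"
    nproc_entries "$1" | awk -v t="$threshold" '
        ($2 == "hard" || $2 == "-") && $3 != "unlimited" && $3 + 0 < t { print $1 }'
}

# Effective limit of the current session, for comparison with the file.
current_nproc() {
    ulimit -u
}

# Usage: report domains still capped below the placeholder threshold.
low_nproc_hard_limits "$SAMPLE_LIMITS" 65536
```

Run it against the real file with `low_nproc_hard_limits "$(cat /etc/security/limits.conf)" <threshold>`; files under /etc/security/limits.d/ and systemd unit settings can override these values, so also compare against `current_nproc` from a shell started the way the batch daemons are.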