Security Bulletin: GPFS security vulnerabilities in IBM SONAS (CVE-2016-0392)

Summary

A fix is available for IBM SONAS, for GPFS security vulnerability

Vulnerability Details

IBM General Parallel File System (GPFS) is a high-performance clustered file system. It is used in IBM SONAS.

CVEID: CVE-2016-0392**
DESCRIPTION:** IBM General Parallel File System could allow a local attacker to inject commands into setuid file parameters and execute commands as root.
CVSS Base Score: 8.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/112611 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

IBM SONAS
The product is affected when running code releases 1.5.0.0 to 1.5.2.4

Remediation/Fixes

A fix for these issues is in version 1.5.2.5 of IBM SONAS. Customers running an affected version of SONAS should upgrade to 1.5.2.5 or a later version, so that the fix gets applied.

Please contact IBM support for assistance in upgrading your system.

Workarounds and Mitigations

Workaround : Is to remove the setuid from the files in the /usr/lpp/mmfs/bin directory. Determine the set of files with setuid bit by running

ls -l /usr/lpp/mmfs/bin | grep r-s

Then reset the setuid bit for each such file by issuing this command on each file

chmod u-s file

Mitigation : None