At the beginning of March I moved to Switzerland for the second time (because of my work at CERN). Before that I worked on the security team at the Wroclaw Center for Networking and Supercomputing. In the middle of one pentesting job, my friends (Bartek Balcerek and Maciej Kotowicz) and I discovered a very nice vulnerability in the TORQUE server.

TORQUE (Terascale Open-Source Resource and Queue Manager) is very common in GRID projects – including the GRID at the European Organization for Nuclear Research, aka CERN 🙂 By using this bug, an attacker is able to create a dirty job and put it in the queue, and the server responsible for executing this job will be hacked. This is a very dangerous situation for the infrastructure – in the easiest case no one else will be able to use GRID resources. In the worst case we are able to take over control of the edge machine, which can manipulate any other machine – of course the server is running with root privileges 😉

Here is the advisory on the full-disclosure list.

Here is a backup on my server.

 

Best regards,

Adam Zabrocki

 
