Command injection vulnerability spotted in IBM's GPFS

IBM's General Parallel File System (GPFS), also known as Spectrum Scale, has a serious vulnerability that allows a local user to execute commands as root on every node of the cluster.

The issue was disclosed by security researchers at MWR Labs, who describe the implications as "immense".

Explaining the vulnerability, MWR InfoSecurity managing director John Fitzpatrick said the problem lies in a failure to safely handle arguments supplied to a number of setuid binaries. Setuid binaries run with the privileges of their owner (here root) no matter who invokes them, so an argument that such a program passes on unsanitised, for example into a shell command line, becomes a command executed as root.

“By exploiting the vulnerability, an attacker can gain root access to execute commands across all nodes in the GPFS cluster, and therefore gain full administrative access to affected systems,” he said.

“Having done so, the implications can be immense; systems with a need for parallel file systems are typically used to process or store extremely sensitive data ranging from academic research, to unreleased movie content, to matters of national and global security.”
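The bug class Fitzpatrick describes above, argument injection through a setuid helper, in a hypothetical C program. This is an added illustration and is not IBM's GPFS code, MWR's exploit, or the actual affected binaries; the helper's purpose (probing a cluster node over ssh), the `node` argument and the allow-list validator are assumptions made for the example. The vulnerable path pastes the argument into a string that `/bin/sh` parses; the hardened path allow-lists the argument, drops the inherited privilege, and executes the target with an argv array so no shell ever sees the input.

```c
/*
 * Hypothetical setuid helper illustrating argument injection.
 * Added example, not GPFS source; command, argument and validator are
 * assumptions for the demonstration.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
#include <unistd.h>
#include <sys/wait.h>

#define CMD_MAX 256

/* Vulnerable pattern: the untrusted argument is pasted into a command line
 * that /bin/sh will parse. Shell metacharacters in `node` (";", "|", "$(",
 * backticks) become extra commands, run with the setuid program's effective
 * privileges, i.e. root. Returns 0 on success, -1 if the line was truncated. */
int build_shell_command(char *out, size_t outlen, const char *node) {
    int n = snprintf(out, outlen, "/usr/bin/ssh %s /bin/true", node);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

int run_vulnerable(const char *node) {
    char cmd[CMD_MAX];
    if (build_shell_command(cmd, sizeof cmd, node) != 0)
        return -1;
    return system(cmd);   /* attacker controls what the shell parses */
}

/* Hardening step 1: allow-list the argument. A node name only needs letters,
 * digits, '-' and '.', so everything else is rejected. A leading '-' is also
 * rejected because the target program would parse it as an option. */
int is_safe_node_name(const char *node) {
    size_t len = strlen(node);
    if (len == 0 || len > 253 || node[0] == '-')
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)node[i];
        if (!(isalnum(c) || c == '-' || c == '.'))
            return 0;
    }
    return 1;
}

/* Hardening step 2: never go through a shell. Build argv directly and execv()
 * it, so the argument reaches the child as one opaque string whatever it
 * contains. Returns the child's exit status, or -1 on rejection/error. */
int run_hardened(const char *node) {
    if (!is_safe_node_name(node))
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* Drop the inherited root privilege before exec: probing a node does
         * not need it, so the child should not have it. */
        if (setuid(getuid()) != 0)
            _exit(127);
        char *const child_argv[] = {"/usr/bin/ssh", (char *)node, "/bin/true", NULL};
        execv(child_argv[0], child_argv);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(int argc, char **argv) {
    if (argc != 2) {
        fprintf(stderr, "usage: %s <node>\n", argv[0]);
        return 2;
    }
    /* Show, without executing anything, what each path would do with the input. */
    char cmd[CMD_MAX];
    if (build_shell_command(cmd, sizeof cmd, argv[1]) == 0)
        printf("vulnerable path would hand /bin/sh: %s\n", cmd);
    printf("hardened path accepts the argument: %s\n",
           is_safe_node_name(argv[1]) ? "yes" : "no (rejected)");
    return 0;
}
```

Running the program with an argument such as `'node01; id'` shows the vulnerable path building a two-command shell line while the hardened path rejects the input outright. The two fixes are independent: the allow-list stops the injection, and execv() with an argv array removes the shell from the picture even if a later change weakens the validator.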

IBM has since released a patch. MWR Labs has not yet tested it and so cannot vouch for its effectiveness, but the researchers still advise all GPFS users to apply it.

For installations where the patch cannot be applied immediately, MWR has published workarounds in its advisory. IBM has also issued an advisory on the issue.
