It was discovered [1] that the Linux kernel modules esp4, esp6 and rxrpc contain a logic flaw allowing a local attacker to escalate privileges to root. All Qlustar 13 and 14 Ubuntu releases are vulnerable to this bug. On Qlustar 13 Ubuntu releases the public exploit does not work though. To mitigate the issue until kernel updates are made available please proceed as follows:
On the head-node execute:
$ cat > /etc/qlustar/common/rc.boot/01-remove-vulnerable-kernel-modules << EOF #!/bin/bash modules_to_be_removed="esp4 esp6 rxrpc" for mod in $modules_to_be_removed; do mod_paths=$(find /usr/lib/modules/$(uname -r) -name "$mod.*") if [ -n "$mod_paths" ]; then echo "Found vulnerable kernel module $mod ==> Removing it" echo $mod_paths | xargs rm -f fi rmmod $mod > /dev/null 2>&1 done EOF
$ chmod 755 /etc/qlustar/common/rc.boot/01-remove-vulnerable-kernel-modules
Then on all running cluster nodes including the head-node execute:
$ /etc/qlustar/common/rc.boot/01-remove-vulnerable-kernel-modules
These changes will prevent loading the faulty kernel modules, which are not needed on any standard Qlustar HPC/AI/Storage cluster setup.
-
no-reply-list@qlustar.org