CVE-2018-20871
📋 TL;DR
Univa Grid Engine before 8.6.3 writes files with weak (overly permissive) permissions when Docker jobs are enabled and the execd spool directory sits on a filesystem exported with root_squash (the NFS option that maps root to an unprivileged user). Because those files are then writable by users other than the job owner, the flaw can lead to unauthorized file modification or privilege escalation. Only deployments that combine Docker job support with execd spooling on a root_squash export are affected.
💻 Affected Systems
- Univa Grid Engine
📦 What is this software?
Univa Grid Engine is a commercial batch scheduler and workload manager for compute clusters, derived from Sun Grid Engine. The sge_execd daemon runs on every execution host and keeps per-job state under an execd spool directory (execd_spool_dir in the cluster configuration), which is where this issue manifests.
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise through privilege escalation to root, allowing complete control over the Grid Engine cluster and underlying infrastructure.
Likely Case
Unauthorized file modifications leading to data corruption, service disruption, or lateral movement within the cluster environment.
If Mitigated
Limited impact where the triggering combination is absent (no Docker jobs, or the execd spool directory on local disk or on an export without root_squash) and spool permissions are enforced; the underlying defect remains until the cluster is upgraded.
🎯 Exploit Status
Requires an account that can submit Docker jobs to the cluster and a deployment that spools execd data on a root_squash export. No public exploit has been documented.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 8.6.3 or later (8.6.6 recommended)
Vendor Advisory: http://www.univa.com/resources/files/Release_Notes_Univa_Grid_Engine_8.6.6.pdf
Restart Required: Yes
Instructions:
1. Download Univa Grid Engine 8.6.6 (or any release from 8.6.3 onwards) from the vendor.
2. Back up the current configuration (for example the output of qconf -sconf and the cell's common directory).
3. Stop all Grid Engine services (qmaster, any shadow masters, and every execd).
4. Install the updated version.
5. Restart the Grid Engine services.
6. Verify proper operation (qhost shows all execution hosts, and a test job runs to completion).
🔧 Temporary Workarounds
Disable Docker job support
Temporarily disable Docker job functionality until patching is possible. The exact change depends on how Docker was integrated on your execution hosts, so consult the Univa documentation for the Docker configuration and restart the affected execds afterwards.
# Edit the Grid Engine configuration to remove Docker integration
# Consult Univa documentation for the specific configuration changes
Adjust file permissions
Manually tighten permissions on the execd spool directories (execd_spool_dir from qconf -sconf) so that users other than the admin user cannot write to them. This only cleans up existing entries: an unpatched execd will keep creating new files with weak permissions, so re-check after jobs run and combine this with the Docker restriction above.
chmod 755 /path/to/spool/directories
chown -R appropriate_user:appropriate_group /path/to/spool
🧯 If You Can't Patch
- Implement strict access controls to limit who can submit Docker jobs
- Monitor spool directories for unauthorized file modifications and set up alerts
🔍 How to Verify
Check if Vulnerable:
Check the Grid Engine version and configuration:
1. Run qconf -sconf (and qconf -sconf <hostname> for host-specific overrides) and note execd_spool_dir.
2. Check whether that spool directory is on NFS (mount | grep <spool path>) and whether the export uses root_squash. Export options are set on the NFS server, so inspect /etc/exports there, or probe from the client by creating a file as root and checking whether it ends up owned by an unprivileged user.
3. Verify whether Docker jobs are enabled: in UGE, execution hosts with a running Docker daemon report Docker availability as a load value, and qhost -F lists the values each host reports.
4. Confirm the version is below 8.6.3.
Check Version:
qconf -help | head -n 1
(The first line of the usage text is the product and version string, e.g. UGE 8.6.6; grepping the output for the word "version" finds nothing.)
Verify Fix Applied:
1. Run qconf -help | head -n 1 and confirm the version is 8.6.3 or later.
2. Run qconf -sconf to verify the configuration survived the upgrade (execd_spool_dir and the Docker settings as expected).
3. Submit a test Docker job and inspect the files it creates under the spool directory: none should be group- or world-writable, and they should be owned by the admin user or the job owner, not by an NFS anonymous user.
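The audit script below serves both the "Adjust file permissions" workaround and the verification steps above. It is an added example, not Univa's code or anything shipped with Grid Engine: it lists spool entries that are group- or world-writable, optionally strips those bits, and probes whether writes into the spool directory are being root-squashed. The spool path is passed as an argument (on a real cluster, use execd_spool_dir from qconf -sconf); GNU find's -perm /MODE syntax and a GNU or BSD stat are assumed.

```shell
#!/bin/sh
# Added example, not part of Univa Grid Engine: audit an execd spool
# directory for the weakly permissioned entries CVE-2018-20871 produces.
# Assumes GNU find (-perm /MODE) and GNU or BSD stat.

# Print every entry under $1 that is group- or world-writable, one per line.
# -perm /022 matches when ANY of the group-write or other-write bits is set.
find_weak_perms() {
    find "$1" -perm /022 -print 2>/dev/null | sort
}

# Number of weak entries; 0 means the tree is clean.
count_weak_perms() {
    find_weak_perms "$1" | wc -l | tr -d ' '
}

# Strip group and world write bits from every weak entry. This is the
# targeted form of the chmod workaround: entries that are already sane are
# left alone. An unpatched execd keeps creating weak files, so re-run it.
fix_weak_perms() {
    find "$1" -perm /022 -exec chmod go-w {} + 2>/dev/null
}

# Probe whether writes into $1 are root-squashed: create a file as the
# caller and compare its owner uid with the caller's uid. Prints
# "squashed", "not_squashed" or "unwritable". It only says something about
# root_squash when run as root on a client of the NFS export.
check_root_squash() {
    probe="$1/.spool_squash_probe.$$"
    if ! : > "$probe" 2>/dev/null; then
        echo unwritable
        return 1
    fi
    owner=$(stat -c %u "$probe" 2>/dev/null || stat -f %u "$probe")
    rm -f "$probe"
    if [ "$owner" = "$(id -u)" ]; then
        echo not_squashed
    else
        echo squashed
    fi
}

# Report for one spool directory; pass --fix as the second argument to
# also tighten permissions.
audit_spool() {
    dir=$1
    echo "== $dir"
    echo "root_squash probe: $(check_root_squash "$dir")"
    n=$(count_weak_perms "$dir")
    echo "group/world-writable entries: $n"
    find_weak_perms "$dir" | while IFS= read -r f; do
        echo "  $(stat -c '%a %U' "$f" 2>/dev/null || stat -f '%Lp %Su' "$f") $f"
    done
    if [ "$2" = "--fix" ] && [ "$n" -gt 0 ]; then
        fix_weak_perms "$dir"
        echo "after fix: $(count_weak_perms "$dir") weak entries remain"
    fi
}

# Usage: sh audit_spool.sh /path/to/execd/spool [--fix]
if [ "$#" -gt 0 ]; then
    audit_spool "$1" "$2"
fi
```

Run it as root on an execution host against execd_spool_dir. A "squashed" probe result combined with Docker-capable hosts and a version below 8.6.3 is exactly the vulnerable combination; a non-zero count of weak entries after a Docker job has run is the concrete symptom to look for, and the count dropping to zero after --fix (and staying there after another test job on a patched cluster) is the verification.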
📡 Detection & Monitoring
Log Indicators:
- Unauthorized file writes in spool directories
- Failed permission checks in execd logs
- Unexpected Docker job submissions
Network Indicators:
- Unusual job submission patterns
- Suspicious connections to Grid Engine daemons
SIEM Query:
source="grid_engine" AND (event="permission_denied" OR event="unauthorized_write")
(The field names above are illustrative; map them to however your SIEM parses the execd messages files and the file-integrity alerts on the spool directories.)