Posted to user@hadoop.apache.org by Masatake Iwasaki <iw...@apache.org> on 2023/11/16 05:24:27 UTC

CVE-2023-26031: Privilege escalation in Apache Hadoop Yarn container-executor binary on Linux systems

Severity: critical

Affected versions:

- Apache Hadoop 3.3.1 before 3.3.5

Description:

Relative library resolution in the Linux container-executor binary in
Apache Hadoop 3.3.1-3.3.4 allows a local user to gain root
privileges. If the YARN cluster is accepting work from remote
(authenticated) users, this MAY permit remote users to gain root
privileges.

Hadoop 3.3.0 updated "YARN Secure Containers"
(https://hadoop.apache.org/docs/stable/hadoop-yarn/hadoop-yarn-site/SecureContainer.html)
to add a feature for executing user-submitted applications in
isolated Linux containers.

The native binary HADOOP_HOME/bin/container-executor is used to launch
these containers; it must be owned by root and have the suid bit set
in order for the YARN processes to run the containers as the specific
users submitting the jobs.

The patch YARN-10495 (https://issues.apache.org/jira/browse/YARN-10495,
"make the rpath of container-executor configurable") modified the
library loading path for loading .so files from "$ORIGIN/" to
"$ORIGIN/:../lib/native/". This is the path through which libcrypto.so
is located. Thus it is possible for a user with reduced privileges to
install a malicious libcrypto library into a path to which they have
write access, invoke the container-executor command, and have their
modified library executed as root.

If the YARN cluster is accepting work from remote (authenticated)
users, and these users' submitted jobs are executed on the physical
host rather than in a container, then the CVE permits remote users to
gain root privileges.

The fix for the vulnerability is to revert the change, which is done
in YARN-11441 (https://issues.apache.org/jira/browse/YARN-11441,
"Revert YARN-10495"). This patch is in hadoop-3.3.5.

To determine whether a version of container-executor is vulnerable,
use the readelf command. If the RUNPATH or RPATH value contains the
relative path "../lib/native/" then it is at risk:

$ readelf -d container-executor|grep 'RUNPATH\|RPATH'
0x000000000000001d (RUNPATH)            Library runpath: [$ORIGIN/:../lib/native/]

If it does not, then it is safe:

$ readelf -d container-executor|grep 'RUNPATH\|RPATH'
0x000000000000001d (RUNPATH)            Library runpath: [$ORIGIN/]

For an at-risk version of container-executor to enable privilege
escalation, the owner must be root and the suid bit must be set:

$ ls -laF /opt/hadoop/bin/container-executor
---Sr-s---. 1 root hadoop 802968 May 9 20:21 /opt/hadoop/bin/container-executor

A safe installation lacks the suid bit; ideally it is also not owned by root:

$ ls -laF /opt/hadoop/bin/container-executor
-rwxr-xr-x. 1 yarn hadoop 802968 May 9 20:21 /opt/hadoop/bin/container-executor

This configuration does not support YARN Secure Containers, but all
other Hadoop services, including YARN job execution outside secure
containers, continue to work.
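The readelf and ls checks above can be combined into a single audit step. The following POSIX sh script is an added example, not part of the advisory or of the Hadoop project: it reads the RUNPATH/RPATH with readelf, flags any entry that is neither absolute nor $ORIGIN-anchored (such as "../lib/native/"), and confirms the root-owned setuid condition with find. The script name and function names are my own.

```shell
#!/bin/sh
# Audit helper for CVE-2023-26031 (added example, not Hadoop project code).
# It applies the advisory's two checks to a given binary:
#   1. does the ELF RUNPATH/RPATH hold an entry that is neither absolute nor
#      $ORIGIN-anchored (e.g. "../lib/native/", resolved from the caller's cwd)?
#   2. is the file owned by root with the setuid bit set?
# Only when both hold is the binary exploitable as described in the advisory.

# runpath_is_relative "<runpath>" -> 0 if any colon-separated entry is
# cwd-relative (empty, or not starting with "/" or "$ORIGIN"), else 1.
runpath_is_relative() {
    _saved_ifs=$IFS; IFS=:
    for _entry in $1; do
        case "$_entry" in
            /*|'$ORIGIN'*) ;;                   # absolute or binary-relative: ok
            *) IFS=$_saved_ifs; return 0 ;;     # cwd-relative: at risk
        esac
    done
    IFS=$_saved_ifs; return 1
}

# extract_runpath <elf> -> prints the bracketed RUNPATH (or RPATH) value;
# empty if readelf is unavailable or the file carries neither tag.
extract_runpath() {
    readelf -d "$1" 2>/dev/null \
      | sed -n -E 's/.*\((RUNPATH|RPATH)\).*\[(.*)\]$/\2/p' | head -n 1
}

# is_setuid_root <file> -> 0 if owned by root and the mode has the setuid bit.
is_setuid_root() {
    find "$1" -prune -user root -perm -4000 2>/dev/null | grep -q .
}

# check_container_executor <path> -> prints a verdict; returns 0 when the
# binary is exploitable, 1 when it is not, 2 when no RUNPATH could be read.
check_container_executor() {
    _rp=$(extract_runpath "$1")
    if [ -z "$_rp" ]; then
        echo "UNKNOWN: no RUNPATH/RPATH read from $1 (readelf missing or not ELF)"; return 2
    elif ! runpath_is_relative "$_rp"; then
        echo "SAFE BUILD: $1 RUNPATH [$_rp] has no cwd-relative entry"; return 1
    elif is_setuid_root "$1"; then
        echo "AT RISK: $1 is setuid root and RUNPATH [$_rp] has a relative entry"; return 0
    fi
    echo "VULNERABLE BUILD, NOT EXPLOITABLE: $1 is not setuid root (RUNPATH [$_rp])"; return 1
}

# Usage: sh check-ce.sh /opt/hadoop/bin/container-executor (exit code = verdict)
if [ "$#" -gt 0 ]; then check_container_executor "$1"; exit "$?"; fi
```

Run it against every container-executor copy on a node (Bigtop packages and tarball installs may place it differently) and treat only the "AT RISK" verdict as exploitable; "VULNERABLE BUILD, NOT EXPLOITABLE" still warrants the upgrade or permission change below.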

This issue is being tracked as YARN-11441.

Required Configurations:

The owner of the container-executor binary must be set to "root" and
the suid bit set such that callers execute the binary as root. These
operations are a requirement for "YARN Secure Containers".

In an installation using the hadoop.tar.gz file, the binary's owner is
that of the installing user, and without the suid permission it is not
at risk.

However, Apache Bigtop installations set the owner and permissions
such that installations may be vulnerable.

The container-executor binary is only vulnerable on some Hadoop/Bigtop
releases. It is possible to verify whether a version is vulnerable
using the readelf command.

Work Arounds:

*  Upgrade to Apache Hadoop 3.3.5.
*  If YARN Secure Containers are not required, remove all execute
permissions on bin/container-executor, change its owner from root, or
simply delete it.
*  If YARN Secure Containers are required on a vulnerable release and
an upgrade is not possible, replace the container-executor binary with
that of the 3.3.5 release.

As most Hadoop installations do not use YARN Secure Containers,
removing execute permissions from the container-executor binary is
sufficient to secure the systems; deletion ensures that no security
scanners will report the issue.

Credit:

Esa Hiltunen (finder)
Mikko Kortelainen (finder)
The Teragrep Project (sponsor)

References:

https://issues.apache.org/jira/browse/YARN-11441
https://hadoop.apache.org/
https://www.cve.org/CVERecord?id=CVE-2023-26031
