CONDOR-2012-0001


Summary:

A malicious user can crash the condor_schedd, causing a denial of service to other submitters. CVE-2011-4930


Component: condor_schedd
Vulnerable Versions: 7.2.0 - 7.6.4
Platform: all
Availability: not known to be publicly available
Fix Available: 7.6.5
Status: Verified
Access Required: any person who can submit condor jobs
Host Type Required:
Effort Required: low
Impact/Consequences: medium
Fixed Date: 2011-Nov-23
Credit: Dan Bradley, Condor team

Access Required:

any person who can submit condor jobs

The vulnerability requires the user to be able to submit jobs to Condor.

Effort Required:

low

To exploit this, an attacker just needs to be able to submit a malicious job to a Condor system, and subsequently place the job on hold.

Impact/Consequences:

medium

If an attacker is able to submit a malicious job, they can cause the condor_schedd to crash by placing the job on hold and supplying a suitably crafted string as the reason. Crashing the condor_schedd affects every other user of the same system, which makes this a denial-of-service attack.

Full Details:

Condor is a batch system used for submitting and executing jobs and is often run as a service for multiple users. Using this security flaw, one malicious user can deny access to other users of the same system by repeatedly crashing the condor_schedd.

To do so, a user must submit a job that uses an XML user log, and then place the job on hold specifying a reason on the command line that contains printf-style formatting characters such as "%n".

Cause:

injection

When writing the hold reason to the log, an improperly coded printf statement passes the user-supplied string as the format argument, so the end user controls a string that is interpreted as a format string.

Proposed Fix:

Use the "%s" format specifier for printf, passing the hold reason as an argument rather than as the format string. The fix was added in commit [28429].

Actual Fix:

As proposed.
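As an added example (not Condor's code; the XML element name and sample reason are constructed here), the vulnerable printf pattern is shown beside the fixed "%s" form described above, together with a small helper a defender can use to flag hold reasons that contain printf conversion directives, for example in a regression test of a log writer:

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Return true if a user-supplied string contains a '%' that printf would
 * treat as a conversion directive ("%n", "%s", ...).  "%%" is a literal
 * percent sign and does not count. */
bool contains_format_directive(const char *s)
{
    for (const char *p = s; *p != '\0'; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {      /* escaped percent: skip both characters */
            p++;
            continue;
        }
        return true;            /* any other '%' starts a directive */
    }
    return false;
}

/* Write the hold reason into an XML-style log record.  The element name is
 * a constructed placeholder, not Condor's real user-log format.
 *
 * Vulnerable pattern (the CVE-2011-4930 bug):
 *     snprintf(out, outlen, reason);        // reason IS the format string
 *
 * Fixed pattern, as in the advisory: the format is a fixed literal and the
 * user's reason is passed as a "%s" argument, so "%n" inside it is data.
 * Returns what snprintf returns (the length of the record written). */
int write_hold_reason(char *out, size_t outlen, const char *reason)
{
    return snprintf(out, outlen, "<HoldReason>%s</HoldReason>\n", reason);
}

int main(void)
{
    char rec[256];
    const char *reason = "disk full %n";   /* constructed sample reason */

    write_hold_reason(rec, sizeof rec, reason);
    fputs(rec, stdout);
    printf("flagged: %s\n", contains_format_directive(reason) ? "yes" : "no");
    return 0;
}
```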