CONDOR-2012-0001

Summary:
A malicious user can crash the condor_schedd, causing a denial of service to other submitters. CVE-2011-4930

Access Required: any person who can submit condor jobs
The vulnerability requires the user to be able to submit jobs to Condor.

Effort Required: low
To exploit this, an attacker just needs to be able to submit a malicious job to a Condor system, and subsequently place the job on hold.

Impact/Consequences: medium
If an attacker is able to submit a malicious job, they can cause the condor_schedd to crash by placing the job on hold and providing an appropriate string as the reason. Crashing the condor_schedd affects other users of the same system, making this a denial-of-service attack.

Full Details:
Condor is a batch system used for submitting and executing jobs and is often run as a service for multiple users. Using this security flaw, one malicious user can deny access to other users of the same system by repeatedly crashing the condor_schedd. To do so, a user must submit a job that uses an XML user log, and then place the job on hold, specifying a reason on the command line that contains printf-style formatting characters such as "%n".

Cause: injection
When writing the hold reason to the log, an improperly coded printf statement allows the end user to specify a string that is interpreted as a format string.

Proposed Fix:
Use the "%s" format specifier for printf. This code was added in commit [28429].

Actual Fix:
As proposed.
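
The bug class and the "%s" fix described above, shown as an added C example that is not Condor's source code. The function names are hypothetical, the hold reason is a constructed sample, and snprintf into a buffer stands in for the user-log write; the audit helper goes slightly beyond the advisory by counting format directives in an untrusted string.

```c
#include <stdio.h>
#include <string.h>

/* BEFORE (hypothetical): the user-supplied reason is the format string, so
 * any conversion in it reads or writes through arguments never passed. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
int log_hold_reason_vulnerable(char *out, size_t n, const char *reason)
{
    return snprintf(out, n, reason);       /* user data interpreted as format */
}
#pragma GCC diagnostic pop

/* AFTER (hypothetical): constant "%s" format, reason passed only as data. */
int log_hold_reason_fixed(char *out, size_t n, const char *reason)
{
    return snprintf(out, n, "%s", reason);
}

/* Audit helper (assumption, not part of the advisory): count printf
 * conversions in an untrusted string; "%%" is a literal percent sign. */
int count_format_directives(const char *s)
{
    int count = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {                 /* escaped percent, skip both */
            s++;
            continue;
        }
        count++;
    }
    return count;
}

int main(void)
{
    char buf[128];
    const char *reason = "held %n %s %x";  /* constructed sample input */
    int written = log_hold_reason_fixed(buf, sizeof buf, reason);
    printf("logged verbatim: \"%s\" (%d bytes, %d directives, intact=%d)\n",
           buf, written, count_format_directives(reason),
           written == (int)strlen(reason));
    return 0;
}
```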