CONDOR-2012-0003


Summary:

 

Condor installations that support Standard Universe jobs and run the daemons on the submit machine as root are vulnerable to local privilege escalation. If a user submits a job into the standard universe, the user job may then execute code on the submit machine as the root user. If your Condor installation does not contain the condor_shadow.std executable, then you are not affected by this vulnerability.

CVE-2012-5390


Component: Condor standard universe shadow
Vulnerable Versions: 7.7.3 to 7.7.6, 7.8.0 to 7.8.4, and 7.9.0
Platform: Linux
Availability: not known to be publicly available
Fix Available: 7.8.5

Status: Verified
Access Required: ability to submit jobs to the condor_schedd
Host Type Required: n/a
Effort Required: low
Impact/Consequences: high

Fixed Date: 2012-Oct-22
Credit: Zach Miller, Condor team

Access Required:

ability to submit jobs

Any person who can submit standard universe jobs to the condor_schedd can exploit this. Submissions are authenticated and are typically done locally. However, if Condor is configured to allow remote submits, jobs submitted remotely into the standard universe can also exploit this.

Effort Required:

low

To exploit this, an attacker just needs to know the correct sequence of communications with the condor_shadow.std.

Impact/Consequences:

high

If an attacker communicates correctly with the condor_shadow.std, they may instruct the shadow to run arbitrary code as the root user, including spawning additional processes.

Cause:

Missing privilege check

Condor should never spawn user processes as root, and makes explicit checks in most places to ensure this never happens. In the standard universe shadow, an unrelated change opened a new code path where privilege checking did not exist.

Proposed Fix:

 

Remove the code, as it should never be used.

Actual Fix:

 

As proposed.

Workaround:

 

If you do not need to run standard universe jobs, simply delete the condor_shadow.std from your installation.
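
The following triage script is an added example, not part of the original advisory or of Condor itself. It applies the two conditions stated above (condor_shadow.std present, and a version in the listed ranges) and assumes that the caller passes in the daemon directory and the raw condor_version output, and that the output carries a "$CondorVersion: X.Y.Z ..." line; the function names are hypothetical.

```sh
#!/bin/sh
# Added example (not from the advisory): triage one host for CONDOR-2012-0003.
# It checks the two facts the advisory gives: presence of condor_shadow.std
# and a version in 7.7.3-7.7.6, 7.8.0-7.8.4 or 7.9.0. It does not check
# whether the daemons run as root.

# Pull X.Y.Z out of condor_version output (assumed "$CondorVersion: X.Y.Z ...").
extract_version() {
    printf '%s\n' "$1" |
        sed -n 's/^\$CondorVersion: \([0-9][0-9.]*\) .*/\1/p' | head -n 1
}

# Exit status: 0 = in a vulnerable range, 1 = not, 2 = unparseable version.
version_is_vulnerable() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 2 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 3 ] || return 2
    [ "$1" -eq 7 ] || return 1
    case "$2" in
        7) [ "$3" -ge 3 ] && [ "$3" -le 6 ] ;;
        8) [ "$3" -le 4 ] ;;
        9) [ "$3" -eq 0 ] ;;
        *) return 1 ;;
    esac
}

# $1 = directory holding the Condor daemons (hypothetical parameter; the
#      caller supplies it), $2 = raw condor_version output.
check_host() {
    if [ ! -e "$1/condor_shadow.std" ]; then
        echo "not-affected: condor_shadow.std is absent"
        return 0
    fi
    version=$(extract_version "$2")
    rc=0
    version_is_vulnerable "$version" || rc=$?
    case "$rc" in
        0) echo "affected: $version with condor_shadow.std present" ;;
        1) echo "not-listed: $version is outside the vulnerable ranges" ;;
        *) echo "unknown: could not parse a version" ;;
    esac
}
```

A host reported as affected still needs the remaining condition from the summary confirmed by hand: that the daemons on the submit machine run as root.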