Condor condor_shadow.std Code Execution Vulnerability

by Carol~ Moderator - 1/15/13 11:25 AM

In Reply to: VULNERABILITIES / FIXES - January 15, 2013 by Carol~ Moderator

Release Date : 2013-01-15

Criticality level : Less critical
Impact : System access
Where : From local network
Solution Status : Vendor Patch

Software: Condor 7.x

Description:
A vulnerability has been reported in Condor, which can be exploited by malicious users to compromise a vulnerable system.

The vulnerability is caused by the application spawning user processes as root, which can be exploited to execute arbitrary code with root privileges.

Successful exploitation requires the ability to submit jobs to condor_schedd.

The vulnerability is reported in versions 7.7.3 to 7.7.6 and 7.8.0 to 7.8.5.

Solution:
Update to version 7.8.6.

Provided and/or discovered by:
Reported by the vendor.

Original Advisory:
http://research.cs.wisc.edu/htcondor/security/vulnerabilities/CONDOR-2012-0003.html

http://secunia.com/advisories/51862/