CONDOR-2008-0002


Summary:

If a server is using IP-based authentication, in certain configurations the set of IP addresses that are allowed can be more permissive than expected when denying IP addresses. This can allow an attacker to perform actions against the Condor daemon that should not be allowed.


Component: all Condor daemons
Vulnerable Versions: 6.8.0 - 6.8.8, 7.0.0 - 7.0.4, 7.1.0 - 7.1.2
Platform: all
Availability: not known to be publicly exploited
Fix Available: 6.8.9, 7.0.5, 7.1.3
Status: Verified
Access Required: remote ordinary user with no condor authorization
Host Type Required: any
Effort Required: high
Impact/Consequences: high
Fixed Date: 2008-Oct-07
Credit: Dan Bradley, Zach Miller

Access Required:

remote ordinary user with no condor authorization

If the configuration is such that this vulnerability is triggered, then in the worst case an attacker can exploit this vulnerability if they can connect to the host running the condor daemon.

Effort Required:

high

This requires that an attacker be able to modify the configuration of the condor daemons, or that the administrator of the system configured it using certain sets of IP-address-based authentication.

Impact/Consequences:

high

Depending upon the configuration, this vulnerability could allow an attacker administrative access to the machine.

Full Details:

If multiple IP address ranges are specified and the netmask is not the same in each, all the IP address ranges will be ignored. In the case of HOSTALLOW options this will make the list of hosts that can perform the operation more restrictive than expected, but in the case of HOSTDENY options it will make the list of IP addresses that can perform the operation less restrictive.

In the example below, machines with IP addresses in the ranges 192.168.0.0 to 192.168.0.255 and 10.0.0.0 to 10.0.255.255 should not be allowed to perform administrative commands, but this will not be the case:


        HOSTDENY_ADMINISTRATOR = 192.168.0.* 10.0.*
  

Instead, no hosts will be denied, since the network portion of 192.168.0.* is 24 bits while the network portion of 10.0.* is 16 bits.
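A configuration check for the condition described above, as an added example that is not part of the original advisory or of Condor's code: it flags HOSTALLOW/HOSTDENY settings whose IP range entries have differing prefix lengths. Assumptions: entries are separated by whitespace or commas, a network/netmask pair is written as network/netmask, hostnames and single addresses are not counted as ranges, and the names prefix_bits, audit and SAMPLE are illustrative.

```python
import ipaddress
import re

# HOSTALLOW / HOSTDENY settings, with or without a _<LEVEL> suffix.
SETTING = re.compile(r"^\s*(HOST(?:ALLOW|DENY)(?:_\w+)?)\s*=\s*(.*)$")
WILDCARD = re.compile(r"((?:\d{1,3}\.){1,3})\*")

# Constructed sample configuration (not taken from a real pool).
SAMPLE = """\
HOSTDENY_ADMINISTRATOR = 192.168.0.* 10.0.*
HOSTALLOW_WRITE = 192.168.1.*, 192.168.2.*
HOSTALLOW_READ = *.example.org, 10.0.0.0/255.255.0.0, 172.16.5.*
"""

def prefix_bits(entry):
    """Prefix length of an IP range entry; None for hostnames and single IPs."""
    if "/" in entry:  # assumed network/netmask form
        try:
            return ipaddress.IPv4Network(entry, strict=False).prefixlen
        except ValueError:
            return None
    m = WILDCARD.fullmatch(entry)
    return 8 * m.group(1).count(".") if m else None

def audit(config_text):
    """Return (setting, {entry: bits}, effect) for each mixed-netmask list."""
    findings = []
    for line in config_text.splitlines():
        m = SETTING.match(line)
        if not m:
            continue
        name, value = m.groups()
        entries = [e for e in re.split(r"[,\s]+", value.strip()) if e]
        ranges = {e: prefix_bits(e) for e in entries if prefix_bits(e) is not None}
        if len(set(ranges.values())) > 1:
            effect = ("IP ranges ignored: deny list less restrictive"
                      if name.startswith("HOSTDENY")
                      else "IP ranges ignored: allow list more restrictive")
            findings.append((name, ranges, effect))
    return findings

if __name__ == "__main__":
    for name, ranges, effect in audit(SAMPLE):
        print(f"{name}: {effect} on 6.8.0-6.8.8, 7.0.0-7.0.4, 7.1.0-7.1.2")
        for entry, bits in ranges.items():
            print(f"    {entry} -> /{bits}")
```

A flagged setting only matters on the vulnerable versions listed above; on 6.8.9, 7.0.5 and 7.1.3 each range is evaluated individually.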

Cause:

logic error

Coding error.

Actual Fix:

The code was fixed to treat each specified network/netmask pair individually and to not ignore them if the number of bits in the netmask varied.