SB2020052230 - Authentication bypass in Slurm
Published: May 22, 2020 Updated: September 14, 2020
Security Bulletin ID
SB2020052230
Severity
High
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Remote access
Highest impact
Code execution
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 security vulnerability.
1) Authentication bypass using an alternate path or channel (CVE-ID: CVE-2020-12693)
The vulnerability allows a remote attacker to bypass authentication process.
The vulnerability exists due to a race condition during authentication process, if Message Aggregation is enabled. A remote non-authenticated attacker can send specially crafted request to the application, bypass authentication process and execute arbitrary code on the system.
Remediation
Install update from vendor's website.
References
- http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00035.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KNL5E5SK4WP6M3DKU4IKW2NPQD2XTZ4Y/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T3RGQB3EWDLOLTSPAJPPWZEPQK3O3AUH/
- https://lists.schedmd.com/pipermail/slurm-announce/2020/000036.html
- https://www.schedmd.com/news.php?id=236