CVE-2013-4495
Published 2013-11-20
Priority P2 · 58 · critical · 10 (CVSS 2.0)
AV:N / AC:L / Au:N / C:C / I:C / A:C
EPSS: 3.27% (86.8th percentile)
The send_the_mail function in server/svr_mail.c in Terascale Open-Source Resource and Queue Manager (aka TORQUE Resource Manager) before 4.2.6 allows remote attackers to execute arbitrary commands via shell metacharacters in the email (-M switch) to qsub.
Affected
77 ranges on the source page; only the row carrying version data is reproduced here (the other rows shown were empty)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| adaptivecomputing | torque_resource_manager | <= 4.2.5 | 4.2.6 |
Detection & IOCs (extracted from sources)
- Monitor for shell metacharacters in the email address field (-M switch) passed to qsub; the value is forwarded to popen() in send_the_mail() in server/svr_mail.c.
- Alert on the pbs_server process spawning unexpected child processes or shell commands: exploitation results in arbitrary code execution as root via popen() on a user-supplied email address string.
- Flag TORQUE versions prior to 4.2.6 (including the 3.0.x branch) as vulnerable. The fix replaced popen() with fork+exec of sendmail, so unpatched instances still use popen() for mail delivery.
- Look for the string 'TRQ-2310' or 'CVE 2013-4495' in TORQUE release notes/changelogs to confirm whether a deployment has been patched.
- Exploitation requires authentication: the attacker must be able to submit jobs (an authenticated qsub user), so this is not an unauthenticated remote attack despite the NVD description saying 'remote attackers'.
- The 3.0.x branch of TORQUE is no longer supported upstream; deployments on that branch need backported patches or an upgrade to 4.2.6+.
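The two shapes the detection notes above and the Red Hat bug below refer to, as an added illustration written for this page (it is not TORQUE's code and does not reproduce send_the_mail): the pre-4.2.6 pattern splices the -M value into a command line that popen() hands to /bin/sh, while the 4.2.6 pattern forks and execs sendmail with the address as its own argv element. The sendmail path, the exact command line, the metacharacter list and the sample address are assumptions; /bin/echo stands in for sendmail so the exec path can be exercised without an MTA.

```c
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Assumed sendmail path; TORQUE's is configured at build time. */
#define SENDMAIL_CMD "/usr/sbin/sendmail"

/* Vulnerable shape (pre-4.2.6): the -M value is spliced into a command line
 * that popen() passes to /bin/sh -c.  Returns the line the shell would run;
 * anything after a ';', '|', '`' or '$(' in mailto is a second command. */
const char *build_popen_command(const char *mailto)
{
    static char cmd[512];
    snprintf(cmd, sizeof cmd, "%s %s", SENDMAIL_CMD, mailto);
    return cmd;
}

/* Detection helper for a -M value (or a job's Mail_Users attribute):
 * returns 1 if it contains any character /bin/sh treats specially. */
int has_shell_metachars(const char *addr)
{
    static const char meta[] = ";|&`$()<>{}[]*?!#~\"'\\ \t\r\n";
    return strpbrk(addr, meta) != NULL;
}

/* Fixed shape (4.2.6): fork, then exec sendmail directly with the address as
 * its own argv element, so no shell ever parses it.  The message body goes to
 * the child's stdin through a pipe.  sendmail_path is a parameter so a
 * stand-in binary can be used offline.  Returns the child's exit status,
 * -1 on a local failure, 127 if exec itself failed. */
int send_via_exec(const char *sendmail_path, const char *mailto, const char *body)
{
    int fds[2];
    int status;
    pid_t pid;

    /* exec removes shell injection, not option injection: an address that
     * starts with '-' would still be parsed by sendmail as a flag. */
    if (mailto == NULL || mailto[0] == '\0' || mailto[0] == '-')
        return -1;
    if (pipe(fds) == -1)
        return -1;

    pid = fork();
    if (pid == -1) {
        close(fds[0]);
        close(fds[1]);
        return -1;
    }
    if (pid == 0) {                         /* child */
        close(fds[1]);
        dup2(fds[0], STDIN_FILENO);
        close(fds[0]);
        /* "user@example.com; id" arrives as one argv string, not a command */
        execl(sendmail_path, sendmail_path, mailto, (char *)NULL);
        _exit(127);                         /* only reached if exec failed */
    }

    /* parent: the child may exit before reading stdin, so ignore EPIPE */
    close(fds[0]);
    signal(SIGPIPE, SIG_IGN);
    (void)write(fds[1], body, strlen(body));
    close(fds[1]);

    if (waitpid(pid, &status, 0) == -1)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    const char *bad = "user@example.com; id";   /* constructed sample -M value */

    printf("popen would run: %s\n", build_popen_command(bad));
    printf("metacharacters : %d\n", has_shell_metachars(bad));
    /* /bin/echo stands in for sendmail so this runs without an MTA */
    printf("exec stand-in exit status: %d\n",
           send_via_exec("/bin/echo", bad, "Subject: job done\n\nPBS job finished\n"));
    return 0;
}
```

With the stand-in, the echoed line shows the whole address delivered as one argument, which is the property the fix relies on. Note that the exec form still needs the leading-dash check: it closes the shell-injection path but not argument injection into sendmail itself.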
CVSS provenance
NVD · CVSS v2.0 · 10.0 CRITICAL · AV:N/AC:L/Au:N/C:C/I:C/A:C
OSV · 10.0 CRITICAL
GHSA
GHSA-6xr2-x79f-r46g · ghsa_unreviewed · 2022-05-17 · HIGH · CWE-94
Description identical to the CVE text above.
OSV
CVE-2013-4495 · osv · 2013-11-20 · CVSS 10.0 CRITICAL
Description identical to the CVE text above.
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2013-4495 torque: arbitrary code execution via job submission [fedora-all]
bugzilla · 2013-11-13 · CVSS 10.0 CRITICAL
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please use the bodhi submission link
noted in the next comment(s). This will include the bug IDs of this
tracking bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
Bodhi notes field when available.
Please note: this issue af
Bugzilla
CVE-2013-4495 torque: arbitrary code execution via job submission [epel-all]
bugzilla · 2013-11-13 · CVSS 10.0 CRITICAL
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora EPEL.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please use the bodhi submission link
noted in the next comment(s). This will include the bug IDs of this
tracking bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
Bodhi notes field when available.
Please note: this issue
Bugzilla
CVE-2013-4495 torque: arbitrary code execution via job submission
bugzilla · 2013-11-05 · CVSS 10.0 CRITICAL
The TORQUE pbs_server daemon was found to pass some user-input data to popen() in order to send an email. Because pbs_server runs as root, this could allow an authenticated attacker to execute arbitrary code on the pbs_server host with root privileges.
The upstream 4.2.6 release corrects this flaw by forking and calling exec() to the sendmail program instead of passing the entire user-supplied string to popen().
Acknowledgements:
Red Hat would like to thank David Beer of Adaptive Computer for reporting this issue. Upstream acknowledges Matt Ezell of Oak Ridge National Labs as the original reporter.
Discussion:
This issue is now public:
https://www.adaptivecomputing.com/wp-content/uploads/releasenotes/releaseNotes-4.2
References
http://secunia.com/advisories/55535
http://secunia.com/advisories/55622
https://www.adaptivecomputing.com/wp-content/uploads/releasenotes/releaseNotes-4.2.6.html
https://www.debian.org/security/2013/dsa-2796