HTCondor
Overview
Download
Documentation
Release Highlights
Release Schedule

HTCondor-CE
Overview
Download
Documentation
Release Highlights

General
News
Security
Documentation
Download

Documentation
HTCondor
HTCondor-CE

Support
HTCSS Contract Support
Community Mailing List
External Support Organizations

Email Lists
Users / Help
World / Announcements

Workshops
Throughput Computing 2024
Materials from past Workshops

HTCSS
What is HTCSS?
Logos

CHTC
Website ⬏
Staff ⬏
Jobs ⬏
Research & Publications ⬏

CONDOR-2006-0007

Summary:

Condor users can use public key certificates as a means of authentication when using the GSI or SSL authentication methods. It is possible to spoof a signature if a PKCS #1 1.5 signature with an RSA key of exponent 3 is used. This can lead to identity spoofing through the use of a malformed signature. The use of this particular type of key seems to be rare.

Component	Vulnerable Versions	Platform	Availability	Fix Available
all Condor daemons	all 6.6 & 6.7 6.8.0	all	not known to be publicly available	6.8.1 -
Status	Access Required	Host Type Required	Effort Required	Impact/Consequences
Verified	remote ordinary user	any host	med	high
Fixed Date	Credit
2006-Sep-19	n/a

Access Required:

remote ordinary user

This vulnerability requires network access to Condor daemons, that Condor be configured to use certificate based authentication, and that the certificates use an RSA key of exponent 3.

Effort Required:

med

To exploit this vulnerability requires the use of a GSI or SSL authentication method with a certificate using an RSA key with exponent 3. If one of these certificates is used, it is relatively easy to spoof the signature. This type of certificate seems to be rarely used.

Impact/Consequences:

high

If this type of certificate is used, the impact can be high because any user except root can potentially be spoofed.

References:

CVE-2006-4339
OpenSSL Security Advisory

Full Details:

See references.

Cause:

3rd party security flaw

The cause of this is a vulnerability in the OpenSSL library used by Condor.

Proposed Fix:

Upgrade OpenSSL library, or apply the patch from OpenSSL.

Actual Fix:

OpenSSL patch was applied.

Acknowledgment:

This research funded in part by National Science Foundation under subcontract with San Diego Supercomputer Center.

European HTCondor Workshop: Abstract Submission Open

Mining millions of genomes for the next powerful antibiotic

Collaborations Between Two National Laboratories and the OSG Consortium Propel Nuclear and High-Energy Physics Forward

NOAA funded marine scientist uses OSPool access to high throughput computing to explode her boundaries of research

Addressing the challenges of transferring large datasets with the OSDF

Learning and adapting with OSG: Investigating the strong nuclear force

What is HTCSS?

CONDOR-2006-0007