HTCONDOR-2020-0002


Summary:

A piece of secret information is sent over the network in the clear unless the administrator has enabled daemon-to-daemon encryption. In pools configured without daemon-to-daemon encryption, an attacker who captures this secret can use it to control the slot of another user, including running their own code as that user. This issue is CVE-2019-18823.


Component:            condor_startd
Vulnerable Versions:  all before 8.8.8 (stable) and 8.9.6 (devel)
Platform:             all
Availability:         not known to be publicly exploited
Fix Available:        8.8.8, 8.9.6
Status:               Verified
Access Required:      ability to capture traffic between submit and execute machines
Host Type Required:   N/A
Effort Required:      high
Impact/Consequences:  high
Fixed Date:           2020-03-01
Credit:               Todd Tannenbaum

Access Required:

The attacker must be able to capture network traffic between a condor_schedd and a condor_startd. In addition, the pool must be configured without daemon-to-daemon encryption (the default) and with match password authentication enabled (the default) to be vulnerable.

Effort Required:

high

A thorough understanding of the HTCondor code and the ability to write custom tools are required to exploit this vulnerability. If authentication has been set up for the pool and match password authentication is disabled, the attacker would also need to obtain the pool's HTCondor credentials. If daemon-to-daemon encryption has been set up for the pool, the pool is not vulnerable.

Impact/Consequences:

high

Using the secret information, an attacker could manipulate another user's running job, including evicting that job or replacing it with one that executes the attacker's own code. This could allow the attacker to read the user's job data files, which may contain sensitive information. Pools are vulnerable if they do not use daemon-to-daemon encryption and either do not authenticate daemon-to-daemon communication or have match password authentication enabled (the default).

Workaround:

Depending on your site configuration, the workaround for this issue may be quite complicated and may involve setting up authentication mechanisms that were not previously configured. We highly recommend upgrading to the latest version if at all possible; the updated binaries are no longer vulnerable to this issue, so no workaround is needed after upgrading.

To work around this issue, the administrator will first need to make sure that all daemon-to-daemon communication is authenticated. How this works varies significantly depending on your site configuration. Please consult the HowTo here:

https://htcondor-wiki.cs.wisc.edu/index.cgi/wiki?p=EnablingAuthenticationCveTwo

After enabling authentication, the administrator can then do one of two things:

  1. Configure execute machines to require encryption for daemon-to-daemon communications by setting "SEC_DAEMON_ENCRYPTION=REQUIRED" in your HTCondor config file on all execute machines.
  2. Disable match password authentication. To disable match password authentication, set "SEC_ENABLE_MATCH_PASSWORD_AUTHENTICATION=False" in your HTCondor config file on all execute machines. Be advised that disabling match password authentication can put significant extra load on the submit machines of a large pool (thousands of nodes).

After installing updated binaries or working around the issue, you should restart HTCondor.
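The conditions stated above under Access Required, and the two workaround options, can be checked offline against an execute machine's configuration. The following Python script is an added example and is not part of this advisory or of HTCondor itself. It parses constructed sample condor_config fragments (not taken from any real site), takes a condor_version string, and reports whether the advisory's conditions are still met. It assumes that the SEC_DAEMON_* knobs fall back to the corresponding SEC_DEFAULT_* knobs and conservatively treats any value other than REQUIRED as "not enforced"; it does not expand $(macros) or follow include lines, so it only sees literal settings. Confirm the effective values on the host with condor_config_val before relying on the result.

```python
"""Offline check of the conditions HTCONDOR-2020-0002 describes.

Added example, not part of the advisory or of HTCondor. A pool is
reported vulnerable when the binaries are unpatched, daemon-to-daemon
encryption is not REQUIRED, and either match password authentication is
enabled or daemon-to-daemon authentication is not REQUIRED.
Assumption: SEC_DAEMON_<x> falls back to SEC_DEFAULT_<x>; anything other
than REQUIRED is treated as not enforced (conservative)."""
import re

ASSIGN_RE = re.compile(r"^([A-Za-z0-9_.]+)\s*=\s*(.*)$")

# Constructed sample config fragments for an execute node (not real sites).
DEFAULT_EXECUTE_CONFIG = """\
# condor_config.local on an execute node: security knobs left at defaults
DAEMON_LIST = MASTER, STARTD
START = TRUE
"""
WORKAROUND_1_CONFIG = """\
DAEMON_LIST = MASTER, STARTD
SEC_DAEMON_AUTHENTICATION = REQUIRED
SEC_DAEMON_ENCRYPTION = REQUIRED
"""
WORKAROUND_2_CONFIG = """\
DAEMON_LIST = MASTER, STARTD
SEC_DAEMON_AUTHENTICATION = REQUIRED
SEC_ENABLE_MATCH_PASSWORD_AUTHENTICATION = False
"""
INCOMPLETE_WORKAROUND_CONFIG = """\
# match password auth turned off, but daemon authentication never enabled
DAEMON_LIST = MASTER, STARTD
SEC_ENABLE_MATCH_PASSWORD_AUTHENTICATION = \\
    False
"""


def parse_condor_config(text):
    """Return {KEY: value} for the literal KEY = VALUE lines of a config.
    Keys are case-insensitive (stored upper-case); a line whose first
    non-blank character is '#' is a comment; a trailing backslash joins
    the next line.  Macro expansion, include and metaknobs are ignored."""
    settings = {}
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.rstrip()
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        pending = ""
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = ASSIGN_RE.match(line.strip())
        if m:
            settings[m.group(1).upper()] = m.group(2).strip()
    return settings


def version_is_fixed(version):
    """True if condor_version (e.g. '8.8.7') already carries the fix:
    8.8.8+ (stable), 8.9.6+ (devel), or any series newer than 8.9."""
    parts = [int(x) for x in version.split(".")[:3]]
    while len(parts) < 3:
        parts.append(0)
    major, minor, patch = parts
    if (major, minor) == (8, 8):
        return patch >= 8
    if (major, minor) == (8, 9):
        return patch >= 6
    return (major, minor) > (8, 9)


def _sec_setting(settings, feature, default):
    """SEC_DAEMON_<feature>, else SEC_DEFAULT_<feature>, else default (assumed fallback)."""
    return settings.get("SEC_DAEMON_" + feature,
                        settings.get("SEC_DEFAULT_" + feature, default)).upper()


def assess(settings, version):
    """Return (vulnerable, reasons) for one execute machine."""
    if version_is_fixed(version):
        return False, ["binaries %s carry the fix" % version]
    if _sec_setting(settings, "ENCRYPTION", "OPTIONAL") == "REQUIRED":
        return False, ["daemon-to-daemon encryption is REQUIRED (workaround 1)"]
    reasons = ["daemon-to-daemon encryption is not REQUIRED"]
    match_pw = settings.get("SEC_ENABLE_MATCH_PASSWORD_AUTHENTICATION", "TRUE").upper()
    if match_pw not in ("FALSE", "F", "NO", "0"):
        reasons.append("match password authentication is enabled (the default)")
        return True, reasons
    if _sec_setting(settings, "AUTHENTICATION", "OPTIONAL") != "REQUIRED":
        reasons.append("match password auth disabled, but daemon authentication not REQUIRED")
        return True, reasons
    reasons.append("match password auth disabled and daemon authentication REQUIRED (workaround 2)")
    return False, reasons


if __name__ == "__main__":
    for name, cfg in [("defaults", DEFAULT_EXECUTE_CONFIG),
                      ("workaround 1", WORKAROUND_1_CONFIG),
                      ("workaround 2", WORKAROUND_2_CONFIG),
                      ("incomplete", INCOMPLETE_WORKAROUND_CONFIG)]:
        vuln, why = assess(parse_condor_config(cfg), "8.8.7")
        print("%-13s vulnerable=%s: %s" % (name, vuln, "; ".join(why)))
```

The incomplete sample is the case the workaround text warns about: turning off match password authentication without first requiring daemon-to-daemon authentication leaves the pool exposed, which is why the script reports it as vulnerable while the two complete workarounds and any fixed version pass.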

Full Details:

Embargoed until future notice.