HTCondor
Overview
Download
Documentation
Release Highlights
Release Schedule

HTCondor-CE
Overview
Download
Documentation
Release Highlights

General
News
Security
Documentation
Download

Documentation
HTCondor
HTCondor-CE

Support
HTCSS Contract Support
Community Mailing List
External Support Organizations

Email Lists
Users / Help
World / Announcements

Workshops
Throughput Computing 2024
Materials from past Workshops

HTCSS
What is HTCSS?
Logos

CHTC
Website ⬏
Staff ⬏
Jobs ⬏
Research & Publications ⬏

HTCONDOR-2020-0004

Summary:

On Windows, the condor_shadow will send a user's password to anyone who can present credentials that authenticate them as the condor service.

As a result of this, if you have a mixed pool consisting of Windows submit machines and Linux execute hosts, the Linux condor_starter will write the user's Windows password into a file on the execute machine (which requires root access to read). CVE-2019-18823

Component	Vulnerable Versions	Platform	Availability	Fix Available
condor_shadow	All before 8.8.8 (stable) and 8.9.6 (devel)	Windows	not known to be publicly exploited	8.8.8, 8.9.6
Status	Access Required	Host Type Required	Effort Required	Impact/Consequences
Verified	can authenticate to the condor_shadow as the condor service	any host	high	high
Fixed Date	Credit
2020-03-01	TJ Knoeller

Access Required:

If an attacker were able to gain access to the credentials used to authenticate the condor daemons, and has network access to a submit machine, they could use those credentials to query the condor_shadow running a job on a Windows machine to obtain a user's password (if the user has stored their password using condor_store_cred).

Effort Required:

high

A thorough understanding of the HTCondor code and the ability to write custom tools is required to exploit this vulnerability, plus the need to have access to the condor daemon's credentials.

Impact/Consequences:

high

Users' passwords can be obtained by someone with access to the condor credentials.

This also means that in a mixed Windows/Linux pool, the Linux condor_starter (which has condor credentials) can fetch the user's password from a Windows submit machine and then writes the unencrypted password to a file. However, this file is only readable by root and is deleted when the job completes.

Workaround:

None

Full Details:

Embargoed until future notice.

European HTCondor Workshop: Abstract Submission Open

Mining millions of genomes for the next powerful antibiotic

Collaborations Between Two National Laboratories and the OSG Consortium Propel Nuclear and High-Energy Physics Forward

NOAA funded marine scientist uses OSPool access to high throughput computing to explode her boundaries of research

Addressing the challenges of transferring large datasets with the OSDF

Learning and adapting with OSG: Investigating the strong nuclear force

What is HTCSS?

HTCONDOR-2020-0004