HTCONDOR-2021-0001
Summary:
When a user is authenticating to a daemon using IDTOKENS it is possible for them to impersonate other users and/or the "condor" service itself.

Access Required: Login
An attacker need only be able to authenticate (as any user) to a condor_schedd process. IDTOKENS is enabled by default; this exploit could be performed by any user who is able to log in to the SchedD machine. Any type of authentication can be used, including the default methods such as "FS" (on Linux) or NTSSPI (on Windows).

Effort Required: Low
Any user who can authenticate to a condor_schedd can use command line tools supplied with HTCondor to obtain a valid IDTOKEN. With low effort they could then create a custom tool to connect to the condor_schedd to impersonate another user or the "condor" service.

Impact/Consequences: High
This allows a user to impersonate any other user or the "condor" service. This would allow the user to submit a job as another user on the system, which could potentially run processes as that user and read/write files belonging to that user. By impersonating the "condor" service, the attacker could turn off or potentially reconfigure the HTCondor daemons.

Workaround:
If you do not need to use IDTOKENS, you can disable that authentication method by specifying a list of authentication mechanisms that does not include it.

On Linux, you would want to set, e.g. (removing any other methods you did not want to use):

    SEC_DEFAULT_AUTHENTICATION_METHODS = FS,PASSWORD,SSL,GSI,KERBEROS,MUNGE

On Windows, you would want to set, e.g. (removing any other methods you did not want to use):

    SEC_DEFAULT_AUTHENTICATION_METHODS = NTSSPI,PASSWORD,SSL,KERBEROS

You should also check your configuration for other places you may have explicitly set the list of methods:

    condor_config_val -dump AUTHENTICATION_METHODS

After making any changes, you will need to run condor_reconfig.

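The configuration check in the workaround can be automated. The following is an added example, not part of the advisory or of HTCondor: it reads the dump on stdin and reports every *_AUTHENTICATION_METHODS setting that still lists IDTOKENS, and also reports when SEC_DEFAULT_AUTHENTICATION_METHODS is not set at all, since the default then applies. The function names, the "NAME = value" input layout, the sample lines and the treatment of TOKEN, TOKENS and IDTOKEN as aliases are assumptions.

```shell
#!/bin/sh
# Added example (not HTCondor project code).
# Input: "NAME = value" lines on stdin, the layout assumed here for the
# output of `condor_config_val -dump AUTHENTICATION_METHODS`.
# Output: one finding per line; exit status 1 if anything needs attention.
check_idtokens() {
    awk '
    /^[ \t]*#/ || !/=/ { next }            # skip comments and non-assignments
    {
        name = $0;  sub(/[ \t]*=.*/, "", name);  gsub(/[ \t]/, "", name)
        value = $0; sub(/^[^=]*=/, "", value)
        if (name !~ /AUTHENTICATION_METHODS$/) next
        if (name == "SEC_DEFAULT_AUTHENTICATION_METHODS") have_default = 1
        n = split(value, methods, /[, \t]+/)
        for (i = 1; i <= n; i++) {
            m = toupper(methods[i])
            # Whole-item match, so SCITOKENS is not mistaken for IDTOKENS.
            # TOKEN, TOKENS and IDTOKEN are treated as aliases (assumption).
            if (m == "IDTOKENS" || m == "IDTOKEN" || m == "TOKENS" || m == "TOKEN") {
                print "ENABLED " name; bad = 1; break
            }
        }
    }
    END {
        # No explicit default list means the built-in default applies,
        # and the advisory states IDTOKENS is enabled by default.
        if (!have_default) { print "UNSET SEC_DEFAULT_AUTHENTICATION_METHODS"; bad = 1 }
        exit bad + 0
    }'
}

# Constructed sample input, not captured from a real pool.
sample_dump() {
    cat <<'EOF'
# Configuration from machine: submit.example.org
SEC_CLIENT_AUTHENTICATION_METHODS = FS, IDTOKENS, SSL
SEC_DEFAULT_AUTHENTICATION_METHODS = FS,PASSWORD,SSL,SCITOKENS
SEC_WRITE_AUTHENTICATION_METHODS = fs,token
EOF
}

# On a real host: condor_config_val -dump AUTHENTICATION_METHODS | check_idtokens
sample_dump | check_idtokens || true
```

An empty result with exit status 0 means no dumped setting lists IDTOKENS and an explicit default list is in place.
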
Full Details:
Embargoed until future notice.