A running condor_credd daemon can be instructed to create or write certain files as root that are outside of the directory specified by the parameter "SEC_CREDENTIAL_DIRECTORY_OAUTH".

If you have not added the CREDD to your DAEMON_LIST, you are not vulnerable to this issue. (Keep in mind the CREDD is automatically added to the DAEMON_LIST if you have added "use feature:OAUTH")

Component Vulnerable Versions Platform Availability Fix Available
CredD 8.9.7 through 8.9.10 (inclusive) All Not known to be publicly exploited 8.9.11
Status Access Required Host Type Required Effort Required Impact/Consequences
Verified Login Any Low High
Fixed Date Credit
2021-01-27 Dave Dykstra
Zach Miller

Access Required:


An attacker must only be able to authenticate (as any user) to the condor_credd process. By default, this can be done by any user who is able to login to the CredD machine. Any type of authentication can be used including the default methods such as "FS" (on Linux) or "NTSSPI" (on Windows)

Effort Required:


Any user can use command line tools supplied with HTCondor to convince the CredD to create or overwrite a file owned as root with contents specified by the attacker.



The file created by the attacker can be anywhere on the filesystem. The contents of the file can also be supplied by the attacker. The filename of the file created CANNOT be completely specified by the attacker. However, the file could be created in any number of places in /etc such the contents will be executed as root at some point.


Do not enable the condor_credd if you are not depending on it.

Full Details:

Embargoed until future notice.