When authenticating to an HTCondor daemon using a SciToken, a user may be granted authorizations beyond what the token should allow.
| Component | Vulnerable Versions | Platform | Availability | Fix Available |
|---|---|---|---|---|
| All daemons | 9.0.0 and above | All | Not known to be publicly exploited | 9.0.4, 9.1.2 |
| Status | Access Required | Host Type Required | Effort Required | Impact/Consequences |
| Verified | Possession of a certain type of SciToken | Any | Low | Medium |
| Fixed Date | Credit | |||
| 2021-07-27 | Jeny Teheran |
An attacker needs to have a SciToken with certain attributes that HTCondor will interpret as having more capabilities than it should.
Effort Required: LowThese types of tokens required to exploit this vulnerability can be obtained using standard methods and do not require custom tools or modifications to the token.
Impact/Consequences Required: MediumExploiting this vulnerability could allow a user to perform actions that they should not be allowed to do, such as submitting a job.
Workaround:You can work around this issue by not allowing SciTokens as an authentication method. This means overriding the list of authentication methods (which includes SciTokens by default) by setting SEC_DEFAULT_AUTHENTICATION_METHODS to all the methods you would actually like to use. To simply remove SciTokens, set it to "FS,TOKEN,KERBEROS,GSI,SSL".
Full Details:Embargoed until future notice.