HTCONDOR-2022-0003


Summary:

When a user authenticates to an HTCondor daemon using the CLAIMTOBE method, the user can then impersonate any entity when issuing additional commands to that daemon.

Component: All daemons
Vulnerable Versions: All versions
Platform: All platforms
Availability: Not known to be publicly exploited
Fix Available: 8.8.16, 9.0.10, 9.6.0

Status: Verified
Access Required: READ access to any daemon
Host Type Required: Submit or Execute host
Effort Required: Medium
Impact/Consequences: High

Fixed Date: 2022-03-15
Credit: Jaime Frey

Access Required: READ access to any daemon

An attacker need only have READ-level authorization to a vulnerable daemon using the CLAIMTOBE authentication method. This means they are able to run tools like condor_q or condor_status. Many pools do not restrict who can issue READ-level commands, and CLAIMTOBE is allowed for READ-level commands in the default configuration. Thus, it is likely that an attacker could execute this command remotely from an untrusted network, unless prevented by a firewall or other network-level access controls.

Effort Required: Medium

An attacker would need to write custom tools and be familiar with HTCondor's internal communication APIs to carry out a successful attack.

Impact/Consequences: High

This attack allows a user to impersonate any user, administrator, or daemon, and issue any command they are authorized for to the vulnerable daemon.

Workaround:

Upgrading all HTCondor daemons to version 8.8.16, 9.0.10, or 9.6.0 fully addresses this vulnerability.

If upgrading isn't possible, you can work around this issue by not allowing the CLAIMTOBE authentication method. This means overriding the default list of authentication methods for READ authorization (which includes CLAIMTOBE by default). On Linux and macOS, add this to your configuration files:

SEC_READ_AUTHENTICATION_METHODS = FS,IDTOKENS,KERBEROS,SCITOKENS,SSL

On Windows, add this to your configuration files:

SEC_READ_AUTHENTICATION_METHODS = NTSSPI,IDTOKENS,KERBEROS,SCITOKENS,SSL

If you installed HTCondor with the get_htcondor tool, then SEC_READ_AUTHENTICATION_METHODS has already been set to exclude CLAIMTOBE.

You must also check the other SEC_<level>_AUTHENTICATION_METHODS configuration parameters and ensure that CLAIMTOBE isn't mentioned. If the following command doesn't print any output, then you are safe:

condor_config_val -summary | grep -i CLAIMTOBE
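
A stricter form of the check above, as an added example that is not part of the HTCondor advisory or code base: it names each SEC_<level>_AUTHENTICATION_METHODS parameter that still lists CLAIMTOBE, matching case-insensitively and ignoring comment lines. The function names and the sample configuration are constructed for illustration; on a real host, pipe the output of condor_config_val -summary into claimtobe_params.

```shell
#!/bin/sh
# Added example (not HTCondor project code). Reads configuration text in
# "NAME = value" form on stdin and prints the name of every
# SEC_<level>_AUTHENTICATION_METHODS parameter whose list contains CLAIMTOBE.
claimtobe_params() {
    awk '
    /^[ \t]*#/ { next }                       # skip comment lines
    {
        eq = index($0, "=")
        if (eq == 0) next                     # not an assignment
        name = toupper(substr($0, 1, eq - 1)) # match names case-insensitively
        gsub(/[ \t]/, "", name)
        if (name !~ /^SEC_[A-Z_]+_AUTHENTICATION_METHODS$/) next
        value = toupper(substr($0, eq + 1))
        n = split(value, methods, /[ \t,]+/)  # comma- or space-separated list
        for (i = 1; i <= n; i++)
            if (methods[i] == "CLAIMTOBE") { print name; break }
    }'
}

# Constructed sample input (hypothetical values, not taken from a real pool).
sample_config() {
    cat <<'EOF'
# constructed sample configuration
SEC_READ_AUTHENTICATION_METHODS = FS,IDTOKENS,KERBEROS,SCITOKENS,SSL
SEC_WRITE_AUTHENTICATION_METHODS = FS, ClaimToBe
sec_default_authentication_methods = FS,IDTOKENS
# SEC_DAEMON_AUTHENTICATION_METHODS = CLAIMTOBE
SEC_CLIENT_AUTHENTICATION_METHODS = CLAIMTOBE,FS
EOF
}

# Returns 1 and lists the offending parameters when any still allow CLAIMTOBE,
# so the check can gate a deployment or monitoring job.
audit() {
    hits=$(claimtobe_params)
    [ -z "$hits" ] && return 0
    printf 'CLAIMTOBE still allowed in: %s\n' $hits
    return 1
}

sample_config | audit || true
```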

Full Details:

Embargoed until future notice.