HTCONDOR-2020-0003


Summary:

A user with read-only authorization to access the job queue is able to perform write operations under their identity, including submitting new jobs. If CLAIMTOBE is part of the READ authentication methods, then the user is able to impersonate any other user when modifying the job queue. This includes submitting and running jobs as any other user. By default, CLAIMTOBE is included in the list of methods for READ access. This issue has been assigned CVE-2019-18823.


Component:            condor_schedd
Vulnerable Versions:  All before 8.8.8 (stable) and 8.9.6 (devel)
Platform:             all
Availability:         not known to be publicly exploited
Fix Available:        8.8.8, 8.9.6
Status:               Verified
Access Required:      can authenticate to SchedD using any method in the READ list
Host Type Required:   submit host
Effort Required:      medium
Impact/Consequences:  high
Fixed Date:           2020-03-01
Credit:               Zach Miller

Access Required:

This vulnerability allows a user to submit a job as long as they can authenticate using one of the methods in the SEC_READ_AUTHENTICATION_METHODS list of the SchedD and are authorized by the ALLOW_READ setting. Note that they must still authenticate. However, the user can perform write operations even if the ALLOW_WRITE authorization setting would normally disallow them. Also, if SEC_WRITE_AUTHENTICATION_METHODS permits only stronger methods, the user can circumvent that stronger requirement by authenticating with a weaker method from the READ list. If the READ list also contains CLAIMTOBE, the attacker can then submit a job as any user. In a default installation, CLAIMTOBE is part of the list of methods allowed for READ operations.

Effort Required:

medium

A thorough understanding of the HTCondor code and the ability to write custom tools is required to exploit this vulnerability.

Impact/Consequences:

high

The configuration that is most vulnerable includes the CLAIMTOBE option as part of the SEC_READ_AUTHENTICATION_METHODS. This is the default. If you have set your own value for SEC_READ_AUTHENTICATION_METHODS, and it does not include CLAIMTOBE, then you are not vulnerable.

Workaround:

Ideally, update your installation and you will not need to change any configuration.

Alternatively, you can change your configuration to not use CLAIMTOBE in your authentication methods. Explicitly exclude CLAIMTOBE by setting SEC_READ_AUTHENTICATION_METHODS if you haven't already. The full list of methods by default should be (on Linux) "FS,TOKEN,KERBEROS,GSI,SSL" or (on Windows) "NTSSPI,TOKEN,SSL". In the 8.8.X series you should exclude "TOKEN". You may wish to also exclude other methods you know you are not using.
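The following Python audit is an added example, not part of this advisory or of HTCondor: it reads configuration text in `KNOB = value` form (as found in a local config file or, assumed here, in `condor_config_val -dump` output), flags CLAIMTOBE in the READ methods and, for the 8.8.X series, TOKEN, and prints the recommended list from the workaround above. It does not expand $(MACRO) references and treats an unset knob as the shipped default.

```python
"""Audit HTCondor config text for the READ-method exposure in HTCONDOR-2020-0003."""
import re

# Constructed sample config: a vulnerable READ list (CLAIMTOBE present, TOKEN on 8.8.X).
SAMPLE_CONFIG = """\
# constructed sample, not a real site configuration
SEC_READ_AUTHENTICATION_METHODS = FS,TOKEN,KERBEROS,GSI,SSL,CLAIMTOBE
SEC_WRITE_AUTHENTICATION_METHODS = FS,KERBEROS
ALLOW_READ = *
ALLOW_WRITE = $(FULL_HOSTNAME)
"""

# Recommended READ method lists from the advisory, keyed by (platform, release series).
RECOMMENDED = {
    ("linux", "8.8"): ["FS", "KERBEROS", "GSI", "SSL"],
    ("linux", "8.9"): ["FS", "TOKEN", "KERBEROS", "GSI", "SSL"],
    ("windows", "8.8"): ["NTSSPI", "SSL"],
    ("windows", "8.9"): ["NTSSPI", "TOKEN", "SSL"],
}

def parse_config(text):
    """Return {KNOB: value} for 'KNOB = value' lines; later lines win, as in HTCondor."""
    knobs = {}
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue  # comment line
        m = re.match(r"\s*([A-Za-z0-9_.]+)\s*=\s*(.*?)\s*$", line)
        if m:
            knobs[m.group(1).upper()] = m.group(2)
    return knobs

def method_list(value):
    """Split a comma- or space-separated method list into upper-case method names."""
    return [m.upper() for m in re.split(r"[\s,]+", value.strip()) if m]

def recommended_value(platform="linux", series="8.8"):
    """The SEC_READ_AUTHENTICATION_METHODS value the advisory recommends."""
    return ",".join(RECOMMENDED[(platform, series)])

def audit_read_methods(config_text, platform="linux", series="8.8"):
    """Return (vulnerable, findings) for the SchedD READ authentication methods."""
    value = parse_config(config_text).get("SEC_READ_AUTHENTICATION_METHODS")
    if value is None:
        # Unset means the shipped default, which the advisory says includes CLAIMTOBE.
        return True, ["SEC_READ_AUTHENTICATION_METHODS unset: default includes CLAIMTOBE"]
    methods = method_list(value)
    findings = []
    if "CLAIMTOBE" in methods:
        findings.append("CLAIMTOBE in READ methods: READ-authorized users can act as any user")
    if series == "8.8" and "TOKEN" in methods:
        findings.append("TOKEN in READ methods: the advisory says to exclude it in 8.8.X")
    return "CLAIMTOBE" in methods, findings

if __name__ == "__main__":
    vulnerable, findings = audit_read_methods(SAMPLE_CONFIG)
    print("vulnerable:", vulnerable, "\n".join([""] + findings))
    print("recommended:", recommended_value())
```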

Full Details:

Embargoed until future notice.