When a user authenticates to an HTCondor daemon using the CLAIMTOBE method, the user can then impersonate any entity when issuing additional commands to that daemon.

An attacker need only have READ-level authorization to a vulnerable daemon using the CLAIMTOBE authentication method. This means they are able to run tools like condor_q or condor_status. Many pools do not restrict who can issue READ-level commands, and CLAIMTOBE is allowed for READ-level commands in the default configuration. Thus, it is likely that an attacker could execute this command remotely from an untrusted network, unless prevented by a firewall or other network-level access controls.

An attacker would need to write custom tools and be familiar with HTCondor's internal communication APIs to carry out a successful attack.

This attack allows a user to impersonate any user, administrator, or daemon, and issue any command they are authorized for to the vulnerable daemon.

Upgrading all HTCondor daemons to version 8.8.16, 9.0.10, or 9.6.0 fully addresses this vulnerability.

If upgrading isn't possible, you can work around this issue by not allowing the CLAIMTOBE authentication method. This means overriding the default list of authentication methods for READ authorization (which includes CLAIMTOBE by default). On linux and macOS, add this to your configuration files:

SEC_READ_AUTHENTICATION_METHODS = FS,IDTOKENS,KERBEROS,SCITOKENS,SSL

On Windows, add this to your configuration files:

SEC_READ_AUTHENTICATION_METHODS = NTSSPI,IDTOKENS,KERBEROS,SCITOKENS,SSL

If you installed HTCondor with the get_htcondor tool, then SEC_READ_AUTHENTICATION_METHODS has already been set to exclude CLAIMTOBE.

You must also check the other SEC_<level>_AUTHENTICATION_METHODS configuration parameters and ensure that CLAIMTOBE isn't mentioned. If the following command doesn't print any output, then you are safe:

condor_config_val -summary | grep -i CLAIMTOBE

Embargoed until future notice.