When a user authenticates to an HTCondor daemon using the CLAIMTOBE method, the user can then impersonate any entity when issuing additional commands to that daemon.
|Not known to be publicly exploited
|8.8.16, 9.0.10, 9.6.0
|Host Type Required
|READ access to any daemon
|Submit or Execute host
An attacker need only have READ-level authorization to a vulnerable daemon using the CLAIMTOBE authentication method. This means they are able to run tools like condor_q or condor_status. Many pools do not restrict who can issue READ-level commands, and CLAIMTOBE is allowed for READ-level commands in the default configuration. Thus, it is likely that an attacker could execute this command remotely from an untrusted network, unless prevented by a firewall or other network-level access controls.Effort Required: Medium
An attacker would need to write custom tools and be familiar with HTCondor's internal communication APIs to carry out a successful attack.Impact/Consequences Required: High
This attack allows a user to impersonate any user, administrator, or daemon, and issue any command they are authorized for to the vulnerable daemon.Workaround:
Upgrading all HTCondor daemons to version 8.8.16, 9.0.10, or 9.6.0 fully addresses this vulnerability.
If upgrading isn't possible, you can work around this issue by not allowing the CLAIMTOBE authentication method. This means overriding the default list of authentication methods for READ authorization (which includes CLAIMTOBE by default). On linux and macOS, add this to your configuration files:
SEC_READ_AUTHENTICATION_METHODS = FS,IDTOKENS,KERBEROS,SCITOKENS,SSL
On Windows, add this to your configuration files:
SEC_READ_AUTHENTICATION_METHODS = NTSSPI,IDTOKENS,KERBEROS,SCITOKENS,SSL
If you installed HTCondor with the
SEC_READ_AUTHENTICATION_METHODS has already been
set to exclude CLAIMTOBE.
You must also check the other
configuration parameters and ensure that CLAIMTOBE isn't mentioned.
If the following command doesn't print any output, then you are safe:
condor_config_val -summary | grep -i CLAIMTOBE
Embargoed until future notice.