HTCondor Vulnerability Reports


CONDOR-2005-0001
Condor checkpoint server allows reading and writing of arbitrary files with the permissions of the condor_ckpt_server's effective uid (normally the "condor" user) from a remote machine with no special privileges. This can result in checkpoints being replaced with malicious versions, reconfiguring condor if the "condor" user owns the configuration files, or gaining access to system files which may aid in other attacks.
CONDOR-2005-0003
Arbitrary commands can be executed with the permissions of the condor_shadow or condor_gridmanager's effective uid (normally the "condor" user). This can result in a compromise of the condor configuration files, log files, and other files owned by the "condor" user. This may also aid in attacks on other accounts.
CONDOR-2005-0004
Arbitrary configuration options can be set if a user has access to the "condor" user account that Condor components run as, even if all the configuration files are owned by root. This can lead to a denial of service, or a complete root compromise of the system if the condor_master is started as root.
CONDOR-2006-0003
In the rare configuration that CLASSAD_SCRIPT_DIRECTORY is set in the Condor configuration, arbitrary commands can be executed with the permissions of the condor_negotiator and condor_shadow's effective uid (normally the "condor" user). This can result in a compromise of the condor configuration files, log files, and other files owned by the "condor" user. This may also aid in attacks on other accounts.
CONDOR-2006-0004
In the rare configuration that CLASSAD_SCRIPT_DIRECTORY is set in the Condor configuration, arbitrary executables can be executed with the permissions of the condor_negotiator and condor_shadow's effective uid (normally the "condor" user). This can result in a compromise of the condor configuration files, log files, and other files owned by the "condor" user. This may also aid in attacks on other accounts.
CONDOR-2006-0005
A user that is able to submit a Condor job can modify jobs or add arbitrary jobs to the job queue if they can force a restart of the condor_schedd to which they submit jobs. The user has complete control of the job attributes, including the user and executable.
CONDOR-2006-0006
The use of FS or FS_REMOTE authentication methods can result in a spoofing of identity if an attacker has access to the file system used to perform the authentication.
CONDOR-2006-0007
Condor users can use public key certificates as a means of authentication when using the GSI or SSL authentication methods. It is possible to spoof a signature if a PKCS #1 1.5 signature with an RSA key of exponent 3 is used. This can lead to identity spoofing through the use of a malformed signature. The use of this particular type of key seems to be rare.
CONDOR-2006-0008
On Windows platforms and potentially some old versions of UNIX, if the persistent configuration changes are allowed, then it is possible that an attacker may be able to change the configuration of the machine, which could lead to a root compromise. Persistent configuration changes through the use of condor_config_val is disabled by default, which prevents this vulnerability.
CONDOR-2006-0009
It is possible to update a class ad in the collector, such that the contents of the class ad can cause a buffer in the condor_negotiator to overflow. This can result in a crash, or potentially a root compromise of the condor_negotiator. This compromise requires the user to be able to use the condor_advertise command. This is the case for ordinary users, if host-based authorization is used on machines running Condor daemons, which includes all submission and execution hosts.
CONDOR-2008-0001
It is possible for a user that can submit jobs to a condor_schedd to modify arbitrary attributes of the job, including attributes an ordinary user should not be able to modify. For instance, a user can change the owner of their job to run as any non-root user.
CONDOR-2008-0002
If a server is using IP based authentication, in certain configurations the set of IP addresses that are allowed can be more permissive than expected when denying IP addresses. This can allow an attacker to perform actions against the Condor daemon that should not be allowed.
CONDOR-2008-0003
User supplied input to condor_qedit can cause the condor_schedd to crash or potentially allow the execution of arbitrary code.
CONDOR-2008-0004
User supplied input to condor_qedit can cause the condor_schedd to crash and not be able to recover.
CONDOR-2009-0001
An ordinary user that can submit jobs to a Condor system can modify any of the attributes of its Condor job. This in turn can be used to compromise other users' jobs, which can lead to a complete compromise of the local accounts in the Condor system other than the local privileged accounts (root on POSIX systems and local\Administrator on Windows).
CONDOR-2012-0001
A malicious user can crash the condor_schedd, causing a denial of service to other submitters.
CONDOR-2012-0002
A malicious user can potentially circumvent host-based authorization controls.
CONDOR-2012-0003
A user can potentially submit jobs which run code locally on the submit machine as root.