On Windows, the condor_shadow will send a user's password to anyone who can present credentials that authenticate them as the condor service.

As a result of this, if you have a mixed pool consisting of Windows submit machines and Linux execute hosts, the Linux condor_starter will write the user's Windows password into a file on the execute machine (which requires root access to read). CVE-2019-18823

Component Vulnerable Versions Platform Availability Fix Available
condor_shadow All before 8.8.8 (stable) and 8.9.6 (devel) Windows not known to be publicly exploited 8.8.8, 8.9.6
Status Access Required Host Type Required Effort Required Impact/Consequences
Verified can authenticate to the condor_shadow as the condor service any host high high
Fixed Date Credit
2020-03-01 TJ Knoeller

Access Required:

If an attacker were able to gain access to the credentials used to authenticate the condor daemons, and has network access to a submit machine, they could use those credentials to query the condor_shadow running a job on a Windows machine to obtain a user's password (if the user has stored their password using condor_store_cred).

Effort Required:


A thorough understanding of the HTCondor code and the ability to write custom tools is required to exploit this vulnerability, plus the need to have access to the condor daemon's credentials.



Users' passwords can be obtained by someone with access to the condor credentials.

This also means that in a mixed Windows/Linux pool, the Linux condor_starter (which has condor credentials) can fetch the user's password from a Windows submit machine and then writes the unencrypted password to a file. However, this file is only readable by root and is deleted when the job completes.



Full Details:

Embargoed until future notice.