HTCONDOR-2020-0004
Summary: |
|
||||||||||||||||||||||||
On Windows, the condor_shadow will send a user's password to anyone who can present credentials that authenticate them as the condor service. As a result of this, if you have a mixed pool consisting of Windows submit machines and Linux execute hosts, the Linux condor_starter will write the user's Windows password into a file on the execute machine (which requires root access to read). CVE-2019-18823 |
|||||||||||||||||||||||||
| |||||||||||||||||||||||||
Access Required: |
|
||||||||||||||||||||||||
If an attacker were able to gain access to the credentials used to authenticate the condor daemons, and has network access to a submit machine, they could use those credentials to query the condor_shadow running a job on a Windows machine to obtain a user's password (if the user has stored their password using condor_store_cred). |
|||||||||||||||||||||||||
Effort Required: |
high |
||||||||||||||||||||||||
A thorough understanding of the HTCondor code and the ability to write custom tools is required to exploit this vulnerability, plus the need to have access to the condor daemon's credentials. |
|||||||||||||||||||||||||
Impact/Consequences: |
high |
||||||||||||||||||||||||
Users' passwords can be obtained by someone with access to the condor credentials. This also means that in a mixed Windows/Linux pool, the Linux condor_starter (which has condor credentials) can fetch the user's password from a Windows submit machine and then writes the unencrypted password to a file. However, this file is only readable by root and is deleted when the job completes. |
|||||||||||||||||||||||||
Workaround: |
|||||||||||||||||||||||||
None |
|||||||||||||||||||||||||
Full Details: |
Embargoed until future notice. | ||||||||||||||||||||||||