When authenticating to an HTCondor daemon using a SciToken, a user may be granted authorizations beyond what the token should allow.
| Component | Vulnerable Versions | Platform | Availability | Fix Available |
|---|---|---|---|---|
| All daemons | 9.0.0 and above | All | Not known to be publicly exploited | 9.0.4, 9.1.2 |

| Status | Access Required | Host Type Required | Effort Required | Impact/Consequences |
|---|---|---|---|---|
| Verified | Possession of a certain type of SciToken | Any | Low | Medium |
Access Required: Possession of a certain type of SciToken

An attacker needs to have a SciToken with certain attributes that HTCondor will interpret as granting more capabilities than it should.

Effort Required: Low

The type of token required to exploit this vulnerability can be obtained using standard methods and does not require custom tools or modifications to the token.

Impact/Consequences: Medium

Exploiting this vulnerability could allow a user to perform actions that they should not be allowed to do, such as submitting a job.

Workaround:

You can work around this issue by not allowing SciTokens as an authentication method. This means overriding the list of authentication methods (which includes SciTokens by default) by setting SEC_DEFAULT_AUTHENTICATION_METHODS to all the methods you would actually like to use. To simply remove SciTokens, set it to "FS,TOKEN,KERBEROS,GSI,SSL".

Full Details:
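The following is an added example, not part of the advisory and not HTCondor project code, showing how an administrator might verify that the workaround above actually took effect. It assumes the HTCondor knob names SEC_DEFAULT_AUTHENTICATION_METHODS and the per-access-level overrides of the form SEC_<LEVEL>_AUTHENTICATION_METHODS (for example SEC_WRITE_AUTHENTICATION_METHODS), which take precedence over the DEFAULT knob for their level, and that the method name in such lists is SCITOKENS. The sample configuration embedded in the script is constructed for illustration.

```python
"""Check an HTCondor configuration for authentication-method lists that still
enable SCITOKENS, so that the SEC_DEFAULT_AUTHENTICATION_METHODS workaround can
be confirmed rather than assumed.  Added example; knob names are assumptions."""
import re
import sys
from typing import Dict, List, Tuple

# Matches SEC_DEFAULT_AUTHENTICATION_METHODS and any per-access-level override
# such as SEC_WRITE_AUTHENTICATION_METHODS (assumed knob naming scheme).
KNOB_RE = re.compile(
    r"^\s*(SEC_[A-Z_]*AUTHENTICATION_METHODS)\s*=\s*(.*?)\s*$", re.IGNORECASE
)

# Constructed sample: the DEFAULT knob was set as the advisory suggests, but a
# WRITE-level override still lists SCITOKENS, so the workaround is incomplete.
SAMPLE_CONFIG = """
# constructed sample, not a real site configuration
SEC_DEFAULT_AUTHENTICATION_METHODS = FS,TOKEN,KERBEROS,GSI,SSL
SEC_WRITE_AUTHENTICATION_METHODS = SCITOKENS, SSL
"""


def parse_auth_knobs(config_text: str) -> Dict[str, str]:
    """Return every *_AUTHENTICATION_METHODS knob and its raw value."""
    knobs: Dict[str, str] = {}
    for line in config_text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = KNOB_RE.match(line)
        if m:
            knobs[m.group(1).upper()] = m.group(2)
    return knobs


def methods_of(value: str) -> List[str]:
    """Split a method list; HTCondor lists are comma and/or space separated."""
    return [tok.upper() for tok in re.split(r"[,\s]+", value) if tok]


def knobs_enabling_scitokens(config_text: str) -> List[Tuple[str, List[str]]]:
    """List (knob, methods) pairs whose method list still contains SCITOKENS."""
    findings = []
    for knob, value in parse_auth_knobs(config_text).items():
        methods = methods_of(value)
        if "SCITOKENS" in methods:
            findings.append((knob, methods))
    return findings


def without_scitokens(value: str) -> str:
    """Return the same method list with SCITOKENS removed."""
    return ",".join(m for m in methods_of(value) if m != "SCITOKENS")


def workaround_applied(config_text: str) -> bool:
    """True only if DEFAULT is explicitly set (the built-in default includes
    SciTokens, per the advisory) and no override re-enables SCITOKENS."""
    knobs = parse_auth_knobs(config_text)
    if "SEC_DEFAULT_AUTHENTICATION_METHODS" not in knobs:
        return False
    return not knobs_enabling_scitokens(config_text)


def report(config_text: str) -> List[str]:
    """Human-readable findings, one line each."""
    lines = []
    if "SEC_DEFAULT_AUTHENTICATION_METHODS" not in parse_auth_knobs(config_text):
        lines.append("SEC_DEFAULT_AUTHENTICATION_METHODS not set: built-in default "
                     "(which includes SciTokens) is in effect")
    for knob, methods in knobs_enabling_scitokens(config_text):
        lines.append(f"{knob} still enables SCITOKENS; suggested value: "
                     f"{without_scitokens(','.join(methods))}")
    if not lines:
        lines.append("OK: no authentication-method list enables SCITOKENS")
    return lines


if __name__ == "__main__":
    # Read a config dump from a file argument or stdin; fall back to the sample.
    if len(sys.argv) > 1:
        text = open(sys.argv[1]).read()
    elif not sys.stdin.isatty():
        text = sys.stdin.read()
    else:
        text = SAMPLE_CONFIG
    print("\n".join(report(text)))
```

Run it against the effective configuration of each daemon host (for example by piping the output of `condor_config_val -dump` into the script) rather than against a single file, since the per-level override knobs may be set in a different configuration file than the DEFAULT knob.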
Embargoed until future notice.