When authenticating to an HTCondor daemon using a SciToken, a user may be granted authorizations beyond what the token should allow.
Vulnerable Versions: 9.0.0 and above

Not known to be publicly exploited.

Host Type Required:

Access Required: Possession of a certain type of SciToken
An attacker needs a SciToken with attributes that HTCondor interprets as granting more capabilities than the token should convey.

Effort Required: Low
The tokens needed to exploit this vulnerability can be obtained using standard methods; no custom tools or modifications to the token are required.

Impact/Consequences: Medium
Exploiting this vulnerability could allow a user to perform actions they should not be permitted to perform, such as submitting a job.

Workaround:
You can work around this issue by not allowing SciTokens as an authentication method. This means overriding the list of authentication methods (which includes SCITOKENS by default) by setting SEC_DEFAULT_AUTHENTICATION_METHODS to exactly the methods you actually want to use. To simply remove SciTokens, set it to "FS,TOKEN,KERBEROS,GSI,SSL". Note that per-authorization-level and per-role settings such as SEC_CLIENT_AUTHENTICATION_METHODS, SEC_DAEMON_AUTHENTICATION_METHODS, SEC_READ_AUTHENTICATION_METHODS and SEC_WRITE_AUTHENTICATION_METHODS take precedence over SEC_DEFAULT_AUTHENTICATION_METHODS where they are set, so SCITOKENS must be removed from any of those that your configuration defines as well.

Full Details:
Embargoed until future notice.
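The following is an added configuration example for the workaround above; it is not part of this advisory or of the HTCondor distribution. The drop-in file name /etc/condor/config.d/99-disable-scitokens.config is an assumption (any file in LOCAL_CONFIG_DIR will do); the method list is the one the workaround gives.

```conf
# Assumed location: /etc/condor/config.d/99-disable-scitokens.config
# Added example for the SciTokens workaround; not shipped with HTCondor.
#
# Weak state: leaving SEC_DEFAULT_AUTHENTICATION_METHODS unset keeps the
# shipped default, which includes SCITOKENS.
#
# Hardened state: enumerate every method you actually rely on and leave
# SCITOKENS out. Remove from this list any method your site does not use.
SEC_DEFAULT_AUTHENTICATION_METHODS = FS,TOKEN,KERBEROS,GSI,SSL

# The setting above is only the fallback. If any of the following are
# defined elsewhere in your configuration, they take precedence for their
# level or role and must not list SCITOKENS either:
#   SEC_CLIENT_AUTHENTICATION_METHODS
#   SEC_DAEMON_AUTHENTICATION_METHODS
#   SEC_READ_AUTHENTICATION_METHODS
#   SEC_WRITE_AUTHENTICATION_METHODS
#   SEC_ADMINISTRATOR_AUTHENTICATION_METHODS
#   SEC_NEGOTIATOR_AUTHENTICATION_METHODS
```

After installing the file on every host that runs HTCondor daemons, run condor_reconfig (or restart the daemons) and verify with `condor_config_val SEC_DEFAULT_AUTHENTICATION_METHODS`; `condor_config_val -dump | grep -i AUTHENTICATION_METHODS` lists every *_AUTHENTICATION_METHODS value in effect so you can catch an override that still contains SCITOKENS, and `condor_config_val -verbose NAME` shows which file set it. Be aware that clients whose only credential is a SciToken (for example, remote submitters) will be unable to authenticate until the fixed release is deployed and SCITOKENS is re-enabled.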