EGI SVG Advisories

Advisory-SVG-CVE-2019-18823

Title:   EGI SVG 'ADVISORY' **UPDATE** [TLP:WHITE] MODERATE Risk
         Vulnerabilities in HTCondor CVE-2019-18823 [EGI-SVG-CVE-2019-18823]

Date:    2020-03-23
Updated: 2020-04-08, 2020-04-16, 2020-04-30

Affected software and risk
==========================

4 vulnerabilities have been found in HTCondor by the HTCondor team, 3 of which
are relevant to the EGI infrastructure.
These have been assessed by EGI SVG as MODERATE risk.

Package : HTCondor
CVE ID  : CVE-2019-18823


**UPDATE 2020-04-30** Advisory placed on public wiki

**UPDATE 2020-04-16** Patches are now available in the EGI UMD.

**UPDATE 2020-04-08** Patches are now available in the HTCondor repository, and
an announcement has been made by the HTCondor team.

Information is available from the HTCondor team below.

Actions required/recommended
============================

Sites running HTCondor are recommended to update the HTCondor package to version
8.8.8 (stable), 8.9.6 (devel) or later as soon as is convenient.

Component installation information
==================================

The official repository for the distribution of grid middleware for EGI sites
is repository.egi.eu which contains the EGI Unified Middleware Distribution
(UMD).

Sites using the EGI UMD 4 should see:

http://repository.egi.eu/category/umd_releases/distribution/umd-4/

The fixed version of HTCondor is available in UMD-4.10.2

http://repository.egi.eu/2020/04/15/release-umd-4-10-2/

Sites may also update from the HTCondor page if they wish.

Affected software details
=========================

All versions of HTCondor before 8.8.8 (stable) and 8.9.6 (devel).

Information from HTCondor team
==============================

Subject: HTCondor Security Release: 8.8.8 and 8.9.6

The HTCondor team is pleased to announce the release of HTCondor 8.8.8 and
HTCondor 8.9.6.

These releases contain important fixes for security issues.
Affected users should update as soon as possible.

More details on the security issues are in the Vulnerability Reports:
[R 1], [R 2], [R 3], [R 4]

Downloads Page:
http://htcondor.org/downloads/

Thank you for your interest in HTCondor!

- The HTCondor Team

Summary description of Vulnerabilities from the OSG team
=========================================================

WHAT ARE THE VULNERABILITIES:

In the first vulnerability [R 1] a piece of secret information is written in
the clear to the STARTD_HISTORY file.  An attacker could use this secret
information to control the slot of another user, including running their own
code as that user.
This vulnerability affects execution nodes.

In the second vulnerability [R 2] a piece of secret information is sent over
the network in the clear if the administrator has not enabled daemon-to-daemon
encryption. For pools configured without daemon-to-daemon encryption, an
attacker could use this secret information to control the slot of another user,
including running their own code as that user. This vulnerability affects both
execution and submit nodes.

The third vulnerability [R 3] allows a user with read-only authorization to
access the job queue to perform write operations under their identity,
including submitting new jobs. If CLAIMTOBE is part of the READ authentication
methods, then the user is able to impersonate any other user when modifying the
job queue. This includes submitting and running jobs as any other user. By
default, CLAIMTOBE is included in the list of methods for READ access. This
vulnerability affects submit nodes.

The fourth vulnerability [R 4] affects Windows hosts. The condor_shadow will
send a user's password to anyone who can present credentials that authenticate
them as the condor service.
As a result of this, if you have a mixed pool consisting of Windows submit
machines and Linux execute hosts, the Linux condor_starter will write the
user's Windows password into a file on the execute machine (which requires root
access to read).  This vulnerability only affects Windows nodes.
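
The check below is an added example, not code from EGI SVG, OSG or the HTCondor project. It triages a node against the fixed versions and the two configuration conditions named in [R 2] and [R 3], taking the text printed by ``condor_version`` and a dict of values as returned by ``condor_config_val``. Assumptions of this example: the sample input is constructed, a context knob is taken to override the ``SEC_DEFAULT_`` knob, and only ``REQUIRED`` is counted as encryption being enabled.

```python
import re

# Fixed releases from the advisory: 8.8.8 (stable series), 8.9.6 (devel series).
FIXED = {(8, 8): (8, 8, 8), (8, 9): (8, 9, 6)}

def parse_version(text):
    """Pull (major, minor, patch) out of condor_version-style output."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("no version number in %r" % text)
    return tuple(int(part) for part in m.groups())

def is_fixed(version):
    """True when the version is at or past the fixed release of its series."""
    series = version[:2]
    if series in FIXED:
        return version >= FIXED[series]
    return series > (8, 9)  # older series are affected, newer ones are "or later"

def lookup(config, context, feature):
    """Assumed simplified lookup: the context knob, else the SEC_DEFAULT_ knob."""
    for knob in ("SEC_%s_%s" % (context, feature), "SEC_DEFAULT_%s" % feature):
        if config.get(knob, "").strip():
            return config[knob].strip().upper()
    return None  # knob not set anywhere

def triage(version_text, config):
    """Return the advisory items a node still needs to act on."""
    if is_fixed(parse_version(version_text)):
        return []
    findings = ["update to 8.8.8 (stable), 8.9.6 (devel) or later"]
    # [R 2]: this example counts only REQUIRED as encryption being enabled.
    if lookup(config, "DAEMON", "ENCRYPTION") != "REQUIRED":
        findings.append("[R 2] daemon-to-daemon encryption not enabled")
    # [R 3]: per the advisory, CLAIMTOBE is in the READ methods by default.
    methods = lookup(config, "READ", "AUTHENTICATION_METHODS")
    if methods is None or "CLAIMTOBE" in re.split(r"[,\s]+", methods):
        findings.append("[R 3] CLAIMTOBE among READ authentication methods")
    return findings

# Constructed sample input, not taken from a real pool.
SAMPLE_VERSION = "$CondorVersion: 8.8.7 Dec 24 2019 BuildID: 000000 $"
SAMPLE_CONFIG = {"SEC_DEFAULT_ENCRYPTION": "OPTIONAL",
                 "SEC_READ_AUTHENTICATION_METHODS": "FS, CLAIMTOBE"}

if __name__ == "__main__":
    for item in triage(SAMPLE_VERSION, SAMPLE_CONFIG):
        print(item)
```

An empty result means the node already runs a fixed release; the configuration findings are reported only for unfixed versions, where they indicate which of the described exposures apply until the update is installed.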

TLP and URL
===========

**WHITE information - Unlimited distribution**
(see https://go.egi.eu/tlp for distribution restrictions)

URL:   https://advisories.egi.eu/Advisory-SVG-CVE-2019-18823

Minor updates may be made without re-distribution to the sites

Comments
========

Comments or questions should be sent to svg-rat  at  mailman.egi.eu

If you find or become aware of another vulnerability which is relevant to EGI
you may report it by e-mail to

report-vulnerability at egi.eu

The EGI Software Vulnerability Group will take a look according to the
procedure defined in [R 5].

Note that this is undergoing revision to fully handle vulnerabilities in the
EOSC-hub era.

References
==========

[R 1] http://htcondor.org/security/vulnerabilities/HTCONDOR-2020-0001.html

[R 2] http://htcondor.org/security/vulnerabilities/HTCONDOR-2020-0002.html

[R 3] http://htcondor.org/security/vulnerabilities/HTCONDOR-2020-0003.html

[R 4] http://htcondor.org/security/vulnerabilities/HTCONDOR-2020-0004.html

[R 5] https://documents.egi.eu/public/ShowDocument?docid=3145

Credit
======

SVG was alerted to this vulnerability by Tim Theisen from HTCondor & Open Science Grid.

Timeline
========

Yyyy-mm-dd  [EGI-SVG-2020-CVE-2019-18823]

2020-03-19 (Late) SVG alerted to this issue by Tim Theisen from HTCondor & Open
           Science Grid.
2020-03-20 Acknowledgement from the EGI SVG to the reporter
2020-03-20 SVG drafts 'Heads up'
2020-03-23 'HEADS up' sent to sites
2020-04-07 Fixed version of HTCondor in HTCondor repository
2020-04-07 HTCondor team sent out announcements
2020-04-07 OSG team sent out announcements
2020-04-08 Advisory sent to sites
2020-04-16 Advisory updated as patched version is available in the UMD.
2020-04-30 Advisory placed on public wiki

Context
=======

This advisory has been prepared as part of the effort to fulfil EGI SVG's
purpose "To minimize the risk to the EGI infrastructure arising from software
vulnerabilities"

The risk is that assessed by the group, according to the EGI SVG issue handling
procedure [R 5] in the context of how the software is used in the EGI
infrastructure. It is the opinion of the group; we do not guarantee it to be
correct. The risk may also be higher or lower in other deployments depending on
how the software is used.

-----------------------------
This advisory is subject to the Creative Commons license
https://creativecommons.org/licenses/by/4.0/ and the EGI https://www.egi.eu/
Software Vulnerability Group must be credited.
-----------------------------

Note that the SVG issue handling procedure is currently under review, to take
account of the increasing inhomogeneity of the EGI infrastructure and the
services in the EOSC-hub catalogue.

On behalf of the EGI SVG,