EGI SVG Advisories

Advisory-SVG-CVE-2021-45103

Title:   EGI SVG 'ADVISORY' [TLP:WHITE]  HTCondor Security Release: 
         8.8.16, 9.0.10, and 9.6.0  [EGI-SVG-CVE-2021-45103]  

Date:        2022-03-17
Updated:     
         
Affected software and risk
==========================

The HTCondor team have discovered and fixed three security vulnerabilities in HTCondor. 

Package    : HTCondor
Bug ID     : HTCONDOR-2022-01, HTCONDOR-2022-02, HTCONDOR-2022-03
CVE ID     : CVE-2021-45103, CVE-2021-45104, CVE-2022-26110

Note that only sites that are using HTCondor as their local batch system are 
likely to be affected.
Sites using the HTCondor CE are not likely to be affected.
Two of the vulnerabilities affect HTCondor features not used by the 
HTCondor-CE and the 3rd is not exploitable due to the HTCondor-CE's default 
configuration files.


Actions required/recommended
============================

Affected sites should upgrade as soon as they reasonably can. 

Component installation information
==================================

See information from the HTCondor team below.

Information from the HTCondor team 
================================== 

New versions of HTCondor have been released to address three security vulnerabilities.

## IMPACTED VERSIONS:
All versions prior to 8.8.16, 9.0.10, and 9.6.0

## WHAT ARE THE VULNERABILITIES:
There are three separate vulnerabilities addressed with these releases:

- (affects 8.9.4 and above) For jobs that request HTCondor to transfer files 
to or from S3 cloud storage, an attacker with either a.) login access to a 
SchedD or StartD machine or b.) READ access to SchedD can obtain pre-signed URLs. 
These pre-signed URLs can then be used to access the S3 file associated with 
each pre-signed URL with both read and write permissions. [1]

- (affects 8.9.3 and above) For communication between version 9 and version 8.8 
HTCondor daemons, or for configurations using weak encryption protocols, a piece 
of secret information may be sent over the network unencrypted.  An attacker with 
the ability to capture network traffic between SchedD, StartD, and/or Collector 
and with a good understanding of the HTCondor network protocol could capture this 
secret and use it to manipulate running jobs, including executing arbitrary code 
in place of the running job. [2]

- (affects all versions) An attacker with READ access to HTCondor daemons and 
knowledge of HTCondor internal APIs can use the CLAIMTOBE authentication method 
to impersonate another user, administrator, or daemon. [3]

## WHAT YOU SHOULD DO:
All sites running HTCondor should update to one of the patched versions 
(8.8.16, 9.0.10, and 9.6.0) from the public repositories as soon as they 
are available. [4]

## REFERENCES
[1] https://research.cs.wisc.edu/htcondor/security/vulnerabilities/HTCONDOR-2022-0001.html
[2] https://research.cs.wisc.edu/htcondor/security/vulnerabilities/HTCONDOR-2022-0002.html 
[3] https://research.cs.wisc.edu/htcondor/security/vulnerabilities/HTCONDOR-2022-0003.html 
[4] https://research.cs.wisc.edu/htcondor/repo/current/
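
The version ranges above, applied as a fleet triage check. This is an added example, not code from the HTCondor team or EGI SVG; the mapping of release series to patched version and the sample inventory are assumptions made for illustration.

```python
import re

# Patched releases named in the advisory, keyed by release series.
# Assumption: 8.8.x and 9.0.x are fixed within their own series and every
# 9.1+ release is fixed from 9.6.0 onward; other series (older than 8.8, or
# 8.9.x) have no patched release of their own and must move to one of these.
FIXED = {(8, 8): (8, 8, 16), (9, 0): (9, 0, 10)}
FIXED_FEATURE = (9, 6, 0)

# Lowest affected version per issue, from the advisory's three bullets.
# None means "affects all versions".
ISSUES = [
    ("HTCONDOR-2022-0001", (8, 9, 4)),   # S3 pre-signed URL disclosure
    ("HTCONDOR-2022-0002", (8, 9, 3)),   # secret sent unencrypted
    ("HTCONDOR-2022-0003", None),        # CLAIMTOBE impersonation
]

def parse_version(text):
    """Extract the first X.Y.Z version from a bare string or a longer line."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if m is None:
        raise ValueError(f"no X.Y.Z version found in {text!r}")
    return tuple(int(part) for part in m.groups())

def triage(text):
    """Return (version, patched, list of applicable issue IDs)."""
    v = parse_version(text)
    if v[:2] in FIXED:
        patched = v >= FIXED[v[:2]]
    else:
        # 9.1 and later are patched from 9.6.0; anything else is unpatched.
        patched = v >= FIXED_FEATURE
    if patched:
        return v, True, []
    open_issues = [i for i, low in ISSUES if low is None or v >= low]
    return v, False, open_issues

if __name__ == "__main__":
    # Constructed sample inventory (hostnames and versions are illustrative).
    inventory = {
        "schedd01": "8.8.15",
        "startd07": "$CondorVersion: 9.0.9 (constructed sample line) $",
        "cm01": "9.6.0",
        "dev03": "8.9.3",
    }
    for host, raw in inventory.items():
        v, patched, issues = triage(raw)
        state = "patched" if patched else "UPGRADE: " + ", ".join(issues)
        print(f"{host:10} {'.'.join(map(str, v)):8} {state}")
```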


TLP and URL
===========

** WHITE information - Unlimited distribution  - see 
   https://confluence.egi.eu/display/EGIG/Traffic+Light+Protocol 
   for distribution restrictions **  

Comments
========
Comments or questions should be sent to svg-rat  at  mailman.egi.eu
If you find or become aware of another vulnerability which is relevant to EGI,
you may report it by e-mail to
report-vulnerability at egi.eu
The EGI Software Vulnerability Group will take a look according to the
procedure defined in [R 99].

References
==========

[R 99] https://documents.egi.eu/public/ShowDocument?docid=3145

Credit
======

SVG was alerted to this vulnerability by Jaime Frey from the HTCondor team 


Timeline  
========
Yyyy-mm-dd  [EGI-SVG-2022-17600] 

2022-03-03 SVG alerted to this issue by Jaime Frey from the HTCondor team
2022-03-04 Acknowledgement from the EGI SVG to the reporter
2022-03-15 Updated/complete information provided 
2022-03-17 Advisory sent to sites


Context
=======
This advisory has been prepared as part of the effort to fulfil EGI SVG's
purpose "To minimize the risk to the EGI infrastructure arising from software
vulnerabilities".
The risk is that assessed by the group, according to the EGI SVG issue handling
procedure [R 99], in the context of how the software is used in the EGI
infrastructure. It is the opinion of the group; we do not guarantee it to be
correct. The risk may also be higher or lower in other deployments depending on
how the software is used.
-----------------------------
This advisory is subject to the Creative Commons licence 
https://creativecommons.org/licenses/by/4.0/ 
and the EGI https://www.egi.eu/ Software Vulnerability Group must be credited. 
-----------------------------
On behalf of the EGI SVG,