Difference between revisions of "SVG:Advisory-SVG-CVE-2019-18823"
<pre>
Title: EGI SVG 'ADVISORY' **UPDATE** [TLP:WHITE] MODERATE Risk Vulnerabilities in HTCondor
CVE-2019-18823 [EGI-SVG-CVE-2019-18823]
Date: 2020-03-23
Updated: 2020-04-08, 2020-04-16, 2020-04-30
Affected software and risk
==========================
Four vulnerabilities have been found in HTCondor by the HTCondor team, three of which are relevant to the EGI infrastructure.
These have been assessed by EGI SVG as MODERATE risk.
Package : HTCondor
CVE ID : CVE-2019-18823
**UPDATE 2020-04-30** Advisory placed on public wiki
**UPDATE 2020-04-16** Patches are now available in the EGI UMD.
**UPDATE 2020-04-08** Patches are now available in the HTCondor repository, and an announcement has been made by the HTCondor team.
Information from the HTCondor team is included below.
Actions required/recommended
============================
Sites running HTCondor are recommended to update the HTCondor package to version 8.8.8 (stable) or 8.9.6 (devel), or later, as soon as is convenient.
Component installation information
==================================
The official repository for the distribution of grid middleware for EGI sites is
repository.egi.eu, which contains the EGI Unified Middleware Distribution (UMD).
Sites using the EGI UMD 4 should see:
http://repository.egi.eu/category/umd_releases/distribution/umd-4/
The fixed version of HTCondor is available in UMD-4.10.2:
http://repository.egi.eu/2020/04/15/release-umd-4-10-2/
Sites may also update from the HTCondor downloads page if they wish.
Affected software details
=========================
All versions of HTCondor before 8.8.8 (stable) and 8.9.6 (devel)
Information from HTCondor team
==============================
Subject: HTCondor Security Release: 8.8.8 and 8.9.6
The HTCondor team is pleased to announce the release of HTCondor 8.8.8 and HTCondor 8.9.6.
These releases contain important fixes for security issues.
Affected users should update as soon as possible.
More details on the security issues are in the Vulnerability Reports:
[R 1], [R 2], [R 3], [R 4]
Downloads Page:
http://htcondor.org/downloads/
Thank you for your interest in HTCondor!
- The HTCondor Team
Summary description of Vulnerabilities from the OSG team
=========================================================
WHAT ARE THE VULNERABILITIES:
In the first vulnerability [R 1] a piece of secret information is written in the clear to the STARTD_HISTORY file.
An attacker could use this secret information to control the slot of another user, including running their own code as that user.
This vulnerability affects execution nodes.
In the second vulnerability [R 2] a piece of secret information is sent over the network in the clear if the administrator has not enabled
daemon-to-daemon encryption. For pools configured without daemon-to-daemon encryption, an attacker could use this secret information to
control the slot of another user, including running their own code as that user. This vulnerability affects both execution and submit nodes.
The third vulnerability [R 3] allows a user with read-only authorization to access the job queue to perform write operations under their identity,
including submitting new jobs. If CLAIMTOBE is part of the READ authentication methods, then the user is able to impersonate any other user when
modifying the job queue. This includes submitting and running jobs as any other user. By default, CLAIMTOBE is included in the list of methods
for READ access. This vulnerability affects submit nodes.
The fourth vulnerability [R 4] affects Windows hosts. The condor_shadow will send a user's password to anyone who can present credentials
that authenticate them as the condor service.
As a result of this, if you have a mixed pool consisting of Windows submit machines and Linux execute hosts, the Linux condor_starter will
write the user's Windows password into a file on the execute machine (which requires root access to read).
This vulnerability only affects Windows nodes.
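The following script is an added example for this advisory; it is not part of the original advisory, nor tooling from the HTCondor or OSG teams. It turns two passages into a per-node check: the "Actions required" threshold (a node is fixed at 8.8.8 in the 8.8 series, 8.9.6 in the 8.9 series, or a later series, taking "or later" in the advisory to cover every later series) and the two configuration conditions the OSG summary names (daemon-to-daemon encryption not enabled, which exposes the second vulnerability, and CLAIMTOBE among the READ authentication methods, which turns the third into full impersonation). The knob names SEC_DAEMON_ENCRYPTION, SEC_DEFAULT_ENCRYPTION, SEC_READ_AUTHENTICATION_METHODS and SEC_DEFAULT_AUTHENTICATION_METHODS are HTCondor's security configuration macros; the policy that only REQUIRED counts as "enabled", the fallback from the per-context knob to the SEC_DEFAULT_* one, the function names, and the sample inputs are this example's own assumptions.

```python
import re

# Fixed releases named in the advisory: 8.8.8 (stable series), 8.9.6 (devel series).
FIXED_PATCH = {(8, 8): 8, (8, 9): 6}

# Matches the "$CondorVersion: X.Y.Z ..." line printed by condor_version.
VERSION_RE = re.compile(r"\$CondorVersion:\s*(\d+)\.(\d+)\.(\d+)")


def parse_condor_version(text):
    """Return (major, minor, patch) from the $CondorVersion line of condor_version output."""
    m = VERSION_RE.search(text)
    if m is None:
        raise ValueError("no $CondorVersion line found")
    return tuple(int(x) for x in m.groups())


def is_fixed(version):
    """True for 8.8.8+, 8.9.6+, or any later series (assumption: later series carry the fix)."""
    major, minor, patch = version
    series = (major, minor)
    if series in FIXED_PATCH:
        return patch >= FIXED_PATCH[series]
    return series > (8, 9)


def parse_config(text):
    """Parse NAME = VALUE lines (the shape of condor_config_val -dump output) into a dict."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, _, value = line.partition("=")
        cfg[name.strip().upper()] = value.strip()
    return cfg


def _effective(cfg, specific, default):
    """Per-context knob if set, otherwise the SEC_DEFAULT_* fallback, otherwise None."""
    return cfg.get(specific) or cfg.get(default)


def audit_config(cfg):
    """Return findings for the two configuration conditions the OSG summary calls out."""
    findings = []
    # Vulnerability 2: the secret crosses the network in the clear unless daemon-to-daemon
    # encryption is on. Policy assumption here: only REQUIRED counts as enabled, because a
    # weaker setting can be negotiated down by the peer.
    enc = (_effective(cfg, "SEC_DAEMON_ENCRYPTION", "SEC_DEFAULT_ENCRYPTION") or "").upper()
    if enc != "REQUIRED":
        findings.append("daemon-to-daemon encryption not enforced "
                        "(effective SEC_DAEMON_ENCRYPTION: %s)" % (enc or "unset"))
    # Vulnerability 3: CLAIMTOBE among the READ methods lets a read-only client impersonate
    # any user when writing to the queue. Unset means HTCondor's default, which the advisory
    # says includes CLAIMTOBE for READ access.
    methods = _effective(cfg, "SEC_READ_AUTHENTICATION_METHODS",
                         "SEC_DEFAULT_AUTHENTICATION_METHODS")
    if methods is None:
        has_claimtobe = True
    else:
        has_claimtobe = "CLAIMTOBE" in [m.strip().upper() for m in methods.split(",")]
    if has_claimtobe:
        findings.append("CLAIMTOBE accepted for READ access "
                        "(READ methods: %s)" % (methods or "unset, default applies"))
    return findings


def audit_node(version_text, config_text):
    """Version test plus configuration audit for one node; config findings are always listed."""
    version = parse_condor_version(version_text)
    report = {"version": version, "fixed": is_fixed(version), "findings": []}
    if not report["fixed"]:
        report["findings"].append("HTCondor %d.%d.%d predates the fixed release" % version)
    report["findings"].extend(audit_config(parse_config(config_text)))
    return report


# Constructed sample input, shaped like condor_version and condor_config_val -dump output;
# not captured from a real node.
SAMPLE_VERSION = ("$CondorVersion: 8.8.7 Jan 08 2020 BuildID: 490000 PackageID: 8.8.7-1 $\n"
                  "$CondorPlatform: x86_64_CentOS7 $\n")
SAMPLE_CONFIG_WEAK = """\
# Configuration from machine: execute01.example.org (constructed)
SEC_DEFAULT_ENCRYPTION = OPTIONAL
SEC_DEFAULT_AUTHENTICATION_METHODS = FS, CLAIMTOBE
"""
SAMPLE_CONFIG_HARDENED = """\
SEC_DAEMON_ENCRYPTION = REQUIRED
SEC_DEFAULT_AUTHENTICATION_METHODS = FS
SEC_READ_AUTHENTICATION_METHODS = FS, PASSWORD
"""

if __name__ == "__main__":
    for label, cfg in (("weak", SAMPLE_CONFIG_WEAK), ("hardened", SAMPLE_CONFIG_HARDENED)):
        print(label, audit_node(SAMPLE_VERSION, cfg))
```

On a real node, feed audit_node the text of `condor_version` and `condor_config_val -dump`. The version finding is the one that matters for this advisory; the configuration findings are reported even on a fixed node because they describe how much an unpatched peer in the same pool, or a future issue of the same shape, could be abused.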
TLP and URL
===========
** WHITE information - Unlimited distribution
- see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions **
URL: https://wiki.egi.eu/wiki/SVG:Advisory-SVG-CVE-2019-18823
Minor updates may be made without re-distribution to the sites
Comments
========
Comments or questions should be sent to svg-rat at mailman.egi.eu
If you find or become aware of another vulnerability which is relevant to EGI you may report it by e-mail to
report-vulnerability at egi.eu
The EGI Software Vulnerability Group will take a look according to the procedure defined in [R 5].
Note that this procedure is undergoing revision to fully handle vulnerabilities in the EOSC-hub era.
References
==========
[R 1] http://htcondor.org/security/vulnerabilities/HTCONDOR-2020-0001.html
[R 2] http://htcondor.org/security/vulnerabilities/HTCONDOR-2020-0002.html
[R 3] http://htcondor.org/security/vulnerabilities/HTCONDOR-2020-0003.html
[R 4] http://htcondor.org/security/vulnerabilities/HTCONDOR-2020-0004.html
[R 5] https://documents.egi.eu/public/ShowDocument?docid=3145
Credit
======
SVG was alerted to this vulnerability by Tim Theisen from HTCondor & Open Science Grid.
Timeline
========
Yyyy-mm-dd [EGI-SVG-2020-CVE-2019-18823]
2020-03-19 (Late) SVG alerted to this issue by Tim Theisen from HTCondor & Open Science Grid.
2020-03-20 Acknowledgement from the EGI SVG to the reporter
2020-03-20 SVG drafts 'Heads up'
2020-03-23 'Heads up' sent to sites
2020-04-07 Fixed version of HTCondor in HTCondor repository
2020-04-07 HTCondor team sent out announcements
2020-04-07 OSG team sent out announcements
2020-04-08 Advisory sent to sites
2020-04-16 Advisory updated as patched version is available in the UMD
2020-04-30 Advisory placed on public wiki
Context
=======
This advisory has been prepared as part of the effort to fulfil EGI SVG's purpose
"To minimize the risk to the EGI infrastructure arising from software vulnerabilities"
The risk is that assessed by the group, according to the EGI SVG issue handling procedure [R 5],
in the context of how the software is used in the EGI infrastructure. It is the opinion of the group;
we do not guarantee it to be correct. The risk may also be higher or lower in other deployments
depending on how the software is used.
-----------------------------
This advisory is subject to the Creative Commons license https://creativecommons.org/licenses/by/4.0/ and
the EGI https://www.egi.eu/ Software Vulnerability Group must be credited.
-----------------------------
Note that the SVG issue handling procedure is currently under review, to take account of the increasing inhomogeneity of
the EGI infrastructure and the services in the EOSC-hub catalogue.
On behalf of the EGI SVG,
</pre>
Latest revision as of 10:49, 30 April 2020
Advisory-SVG-CVE-2019-18823