Latest revision as of 10:49, 30 April 2020


Advisory-SVG-CVE-2019-18823



Title:       EGI SVG 'ADVISORY' **UPDATE** [TLP:WHITE] MODERATE Risk Vulnerabilities in HTCondor
CVE-2019-18823 [EGI-SVG-CVE-2019-18823] 

Date:        2020-03-23
Updated:     2020-04-08, 2020-04-16, 2020-04-30

Affected software and risk
==========================

4 vulnerabilities have been found in HTCondor by the HTCondor team, 3 of which are relevant to the EGI infrastructure. 
These have been assessed by EGI SVG as MODERATE risk.

Package : HTCondor
CVE ID  : CVE-2019-18823 


**UPDATE 2020-04-30** Advisory placed on public wiki

**UPDATE 2020-04-16** Patches are now available in the EGI UMD.

**UPDATE 2020-04-08** Patches are now available in the HTCondor repository, and an announcement has been made by the HTCondor team.

Information is available from the HTCondor team below.

Actions required/recommended
============================

Sites running HTCondor are recommended to update the HTCondor package to version 8.8.8 (stable), 8.9.6 (devel) or later as soon as is convenient.

Component installation information
==================================

The official repository for the distribution of grid middleware for EGI sites is 
repository.egi.eu which contains the EGI Unified Middleware Distribution (UMD).
 
Sites using the EGI UMD 4 should see:

http://repository.egi.eu/category/umd_releases/distribution/umd-4/

The fixed version of HTCondor is available in UMD-4.10.2

http://repository.egi.eu/2020/04/15/release-umd-4-10-2/

Sites may also update from the HTCondor page if they wish.

Affected software details
=========================

All versions of HTCondor before 8.8.8 (stable) and 8.9.6 (devel).

Information from HTCondor team
==============================

Subject: HTCondor Security Release: 8.8.8 and 8.9.6

The HTCondor team is pleased to announce the release of HTCondor 8.8.8 and HTCondor 8.9.6.

These releases contain important fixes for security issues.
Affected users should update as soon as possible.

More details on the security issues are in the Vulnerability Reports:
[R 1], [R 2], [R 3], [R 4]

Downloads Page:
http://htcondor.org/downloads/

Thank you for your interest in HTCondor!

- The HTCondor Team

Summary description of Vulnerabilities from the OSG team
=========================================================

WHAT ARE THE VULNERABILITIES:

In the first vulnerability [R 1] a piece of secret information is written in the clear to the STARTD_HISTORY file. 
An attacker could use this secret information to control the slot of another user, including running their own code as that user. 
This vulnerability affects execution nodes. 

In the second vulnerability [R 2] a piece of secret information is sent over the network in the clear if the administrator has not enabled 
daemon-to-daemon encryption. For pools configured without daemon-to-daemon encryption, an attacker could use this secret information to 
control the slot of another user, including running their own code as that user. This vulnerability affects both execution and submit nodes.

The third vulnerability [R 3] allows a user with read-only authorization to access the job queue to perform write operations under their identity, 
including submitting new jobs. If CLAIMTOBE is part of the READ authentication methods, then the user is able to impersonate any other user when 
modifying the job queue. This includes submitting and running jobs as any other user. By default, CLAIMTOBE is included in the list of methods 
for READ access. This vulnerability affects submit nodes.

The fourth vulnerability [R 4] affects Windows hosts. The condor_shadow will send a user's password to anyone who can present credentials 
that authenticate them as the condor service.
As a result of this, if you have a mixed pool consisting of Windows submit machines and Linux execute hosts, the Linux condor_starter will 
write the user's Windows password into a file on the execute machine (which requires root access to read). 
This vulnerability only affects Windows nodes.
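
An added example, not part of the original advisory or of HTCondor: a Python check that applies the version thresholds given above and flags the two configuration conditions named for [R 2] and [R 3]. It assumes the `$CondorVersion: ...$` line printed by condor_version and configuration values as reported by condor_config_val; the sample inputs are constructed, and treating only REQUIRED as enabled encryption is a conservative assumption.

```python
import re

# Fixed releases named in the advisory: 8.8.8 (stable series), 8.9.6 (devel series).
FIXED = {(8, 8): (8, 8, 8), (8, 9): (8, 9, 6)}

def parse_version(text):
    """Extract (major, minor, patch) from condor_version-style output."""
    m = re.search(r"CondorVersion:\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("no CondorVersion string found")
    return tuple(int(x) for x in m.groups())

def is_affected(version):
    """True if before its series' fixed release; every pre-8.8 series is affected."""
    series = version[:2]
    if series in FIXED:
        return version < FIXED[series]
    return series < (8, 8)

def effective(config, *names):
    """First knob in `names` that is set, upper-cased; None if none is set."""
    for name in names:
        value = config.get(name, "").strip()
        if value:
            return value.upper()
    return None

def audit(version_text, config):
    """Return the advisory findings that apply to one host."""
    findings = []
    version = parse_version(version_text)
    if not is_affected(version):
        return findings
    findings.append("HTCondor %d.%d.%d predates 8.8.8 / 8.9.6: update" % version)
    methods = effective(config, "SEC_READ_AUTHENTICATION_METHODS",
                        "SEC_DEFAULT_AUTHENTICATION_METHODS")
    # The advisory states CLAIMTOBE is in the READ methods by default.
    if methods is None or "CLAIMTOBE" in re.split(r"[,\s]+", methods):
        findings.append("[R 3] READ accepts CLAIMTOBE: impersonation of other users")
    enc = effective(config, "SEC_DAEMON_ENCRYPTION", "SEC_DEFAULT_ENCRYPTION")
    if enc != "REQUIRED":  # assumption: only REQUIRED counts as enabled
        findings.append("[R 2] daemon-to-daemon encryption not enforced")
    return findings

# Constructed sample input, not taken from a real host.
SAMPLE_VERSION = "$CondorVersion: 8.8.7 Dec 24 2019 BuildID: 000000 $"
SAMPLE_CONFIG = {"SEC_DEFAULT_AUTHENTICATION_METHODS": "FS, GSI",
                 "SEC_DEFAULT_ENCRYPTION": "OPTIONAL"}
print("\n".join(audit(SAMPLE_VERSION, SAMPLE_CONFIG)))
```

The configuration findings are reported only for affected versions, since updating is the action the advisory recommends; the [R 1] and [R 4] issues have no configuration condition on this page to check.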

TLP and URL
===========

** WHITE information - Unlimited distribution 
- see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions **  

URL:   https://wiki.egi.eu/wiki/SVG:Advisory-SVG-CVE-2019-18823   

Minor updates may be made without re-distribution to the sites

Comments
========

Comments or questions should be sent to svg-rat  at  mailman.egi.eu

If you find or become aware of another vulnerability which is relevant to EGI you may report it by e-mail to

report-vulnerability at egi.eu

The EGI Software Vulnerability Group will take a look according to the procedure defined in [R 5].

Note that this is undergoing revision to fully handle vulnerabilities in the EOSC-hub era. 

References
==========

[R 1] http://htcondor.org/security/vulnerabilities/HTCONDOR-2020-0001.html

[R 2] http://htcondor.org/security/vulnerabilities/HTCONDOR-2020-0002.html

[R 3] http://htcondor.org/security/vulnerabilities/HTCONDOR-2020-0003.html

[R 4] http://htcondor.org/security/vulnerabilities/HTCONDOR-2020-0004.html

[R 5] https://documents.egi.eu/public/ShowDocument?docid=3145

Credit
======

SVG was alerted to this vulnerability by Tim Theisen from HTCondor & Open Science Grid.

Timeline  
========
Yyyy-mm-dd  [EGI-SVG-2020-CVE-2019-18823] 

2020-03-19 (Late) SVG alerted to this issue by Tim Theisen from HTCondor & Open Science Grid.
2020-03-20 Acknowledgement from the EGI SVG to the reporter
2020-03-20 SVG drafts 'Heads up'
2020-03-23 'HEADS up' sent to sites
2020-04-07 Fixed version of HTCondor in HTCondor repository
2020-04-07 HTCondor team sent out announcements
2020-04-07 OSG team sent out announcements
2020-04-08 Advisory sent to sites
2020-04-16 Advisory updated as patched version is available in the UMD.
2020-04-30 Advisory placed on public wiki

Context
=======

This advisory has been prepared as part of the effort to fulfil EGI SVG's purpose 
"To minimize the risk to the EGI infrastructure arising from software vulnerabilities"

The risk is that assessed by the group, according to the EGI SVG issue handling procedure [R 5],
in the context of how the software is used in the EGI infrastructure. It is the opinion of the group;
we do not guarantee it to be correct. The risk may also be higher or lower in other deployments
depending on how the software is used.

-----------------------------
This advisory is subject to the Creative Commons license https://creativecommons.org/licenses/by/4.0/ and
the EGI https://www.egi.eu/ Software Vulnerability Group must be credited.
-----------------------------

Note that the SVG issue handling procedure is currently under review, to take account of the increasing inhomogeneity of 
the EGI infrastructure and the services in the EOSC-hub catalogue.

On behalf of the EGI SVG,