HTCondor Authorization Bypass Vulnerability

An authorization bypass vulnerability has been identified in HTCondor versions 23.0.x prior to 23.0.22, 23.10.x prior to 23.10.22, 24.0.x prior to 24.0.6, and 24.6.x prior to 24.6.1. This vulnerability allows authenticated attackers to bypass authorization restrictions, enabling them to perform operations that should be denied based on their authorization level. The vulnerability affects all daemons on all platforms.

Impact

Exploitation of this vulnerability allows authenticated users to perform actions granted by their HTCondor identity, bypassing authorization restrictions. This access level is comparable to that provided by most other authentication methods available in HTCondor.

Remediation

Users can upgrade to HTCondor versions 23.0.22, 23.10.22, 24.0.6 or 24.6.1 to fully address this vulnerability. If upgrading is not possible, IDTokens issued by a daemon can be constrained to have no authorizations by adding specific limits to the HTCondor configuration files. If there is a suspicion that this vulnerability has already been exploited, it is recommended to replace all IDToken signing keys, issue new tokens, and contact the HTCondor security team.