CVE-2019-18823

9.8 CRITICAL

📋 TL;DR

This vulnerability in HTCondor allows attackers to bypass configured authentication methods and impersonate other users when submitting or removing jobs. It affects HTCondor administrators who have configured READ or WRITE methods to include CLAIMTOBE authentication. The flaw enables unauthorized job manipulation in the condor_schedd service.

💻 Affected Systems

Products:
  • HTCondor
Versions: Up to and including stable series 8.8.6 and development series 8.9.4
Operating Systems: Linux, Unix-like systems where HTCondor runs
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when administrators have configured READ or WRITE methods to include CLAIMTOBE authentication method.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of the HTCondor cluster allowing attackers to submit malicious jobs, delete legitimate jobs, and potentially gain unauthorized access to computational resources and data.

🟠 Likely Case

Unauthorized job submission or removal, potentially disrupting workflows, consuming resources, or executing unauthorized code in the cluster environment.

🟢 If Mitigated

Limited impact with proper network segmentation and authentication controls, though the vulnerability still presents an authentication bypass risk.

🌐 Internet-Facing: HIGH if HTCondor services are exposed to the internet, as authentication bypass could allow remote attackers to compromise the cluster.
🏢 Internal Only: MEDIUM to HIGH depending on internal network security, as authenticated internal users could exploit this to escalate privileges or disrupt operations.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires some authentication but bypasses intended restrictions; the vulnerability is well-documented in security advisories.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Versions after 8.8.6 (stable) and 8.9.4 (development)

Vendor Advisory: https://research.cs.wisc.edu/htcondor/

Restart Required: Yes

Instructions:

1. Upgrade HTCondor to version 8.8.7 or later for stable series, or 8.9.5 or later for development series.
2. Restart all HTCondor services after upgrade.
3. Verify configuration changes if needed.

🔧 Temporary Workarounds

Remove CLAIMTOBE from authentication methods

Modify HTCondor configuration to remove CLAIMTOBE from READ and WRITE authentication methods

Edit condor_config file and ensure READ and WRITE methods do not include CLAIMTOBE
Restart HTCondor services after configuration change

🧯 If You Can't Patch

  • Implement strict network access controls to limit HTCondor service exposure to trusted networks only
  • Monitor HTCondor logs for unauthorized job submissions or authentication anomalies

🔍 How to Verify

Check if Vulnerable:

Check HTCondor version with 'condor_version' command and verify if READ/WRITE methods include CLAIMTOBE in configuration

Check Version:

condor_version

Verify Fix Applied:

Verify upgraded version with 'condor_version' and confirm CLAIMTOBE is not in READ/WRITE methods or that version is patched
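
The version and configuration checks above can be combined into one script. This is an added example, not code from HTCondor or the advisory. It assumes the method lists are held in HTCondor's SEC_READ_AUTHENTICATION_METHODS, SEC_WRITE_AUTHENTICATION_METHODS and SEC_DEFAULT_AUTHENTICATION_METHODS settings (names not given on this page), read with condor_config_val. The function names are hypothetical and the sample input is constructed.

```shell
#!/bin/sh
# Added example, not HTCondor project code. Function names are hypothetical.

# Pull "X.Y.Z" out of condor_version output.
parse_version() {
    printf '%s\n' "$1" |
        sed -n 's/.*CondorVersion: \([0-9]*\.[0-9]*\.[0-9]*\).*/\1/p' | head -n 1
}

# Exit 0 if X.Y.Z is in the affected range: <= 8.8.6, or 8.9.0 to 8.9.4.
version_affected() {
    va_major=${1%%.*}; va_rest=${1#*.}
    va_minor=${va_rest%%.*}; va_patch=${va_rest#*.}
    if [ "$va_major" -eq 8 ] && [ "$va_minor" -eq 9 ]; then
        [ "$va_patch" -le 4 ]; return
    fi
    [ "$va_major" -lt 8 ] && return 0
    [ "$va_major" -gt 8 ] && return 1
    [ "$va_minor" -lt 8 ] && return 0
    [ "$va_minor" -gt 8 ] && return 1
    [ "$va_patch" -le 6 ]
}

# Exit 0 if a comma/space separated method list names CLAIMTOBE (any case).
has_claimtobe() {
    printf '%s\n' "$1" | tr 'a-z' 'A-Z' | tr ', \t' '\n\n\n' | grep -qx 'CLAIMTOBE'
}

# assess <condor_version output> <READ methods> <WRITE methods>
assess() {
    a_ver=$(parse_version "$1")
    [ -n "$a_ver" ] || { echo UNKNOWN; return 0; }
    version_affected "$a_ver" || { echo PATCHED; return 0; }
    if has_claimtobe "$2" || has_claimtobe "$3"; then echo VULNERABLE
    else echo AFFECTED_VERSION_NO_CLAIMTOBE; fi
}

# Effective method list for a level, falling back to the SEC_DEFAULT_ setting.
methods() {
    condor_config_val "SEC_$1_AUTHENTICATION_METHODS" 2>/dev/null ||
        condor_config_val SEC_DEFAULT_AUTHENTICATION_METHODS 2>/dev/null
}

if command -v condor_config_val >/dev/null 2>&1; then   # live host
    assess "$(condor_version)" "$(methods READ)" "$(methods WRITE)"
else                                                     # constructed sample
    assess '$CondorVersion: 8.8.6 Nov 13 2019 BuildID: 000000 $' 'FS, CLAIMTOBE' 'FS'
fi
```

AFFECTED_VERSION_NO_CLAIMTOBE means the configuration is not currently exposed but the installed version still needs the upgrade.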

📡 Detection & Monitoring

Log Indicators:

  • Unusual job submissions from unexpected users
  • Authentication method mismatches in HTCondor logs
  • Failed authentication attempts followed by successful CLAIMTOBE usage

Network Indicators:

  • Unexpected connections to condor_schedd port (usually 9618)
  • Authentication protocol anomalies

SIEM Query:

source="htcondor" AND (event="job_submit" OR event="job_remove") AND user!=expected_user
