Inadequate Encryption Strength in HTCondor

#VU63556 Inadequate Encryption Strength in HTCondor

Published: 2022-05-24 | Updated: 2022-05-24

Vulnerability identifier: #VU63556

Vulnerability risk: Medium

CVSSv3.1: 4.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-45104

CWE-ID: CWE-326

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
HTCondor
Other software / Other software solutions

Vendor: University of Wisconsin–Madison

Description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists when HTCondor daemons are configured to use BLOWFISH or 3DES encryption and match password authentication is enabled. A remote attacker can capture network traffic between a condor_schedd and a condor_startd or condor_collector and gain access to sensitive information.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

HTCondor: 9.0.0 - 9.0.9, 9.1.1 - 9.5.0

External links
http://research.cs.wisc.edu/htcondor/security/vulnerabilities/HTCONDOR-2021-0006/
http://research.cs.wisc.edu/htcondor/security/vulnerabilities/HTCONDOR-2022-0002

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in HTCondor