OSG-SEC-2018-07-03 BLAHP vulnerability
Dear OSG Security Contacts,
A new vulnerability has been reported in the Batch Local ASCII Helper Protocol (BLAHP) that allows a local user with HTCondor-CE submission privileges to execute malicious code. This vulnerability is exploitable at sites that run HTCondor-CE in front of non-HTCondor batch systems. By exploiting this vulnerability, an attacker can execute arbitrary code and/or perform a denial of service attack on the running host. OSG security considers patching this vulnerability to be IMPORTANT. This vulnerability was reported by the Center for Trustworthy Scientific Cyberinfrastructure at the University of Wisconsin.
Impacted Versions/Environments:
All versions of the BLAHP distributed by the OSG are affected.
Action Recommendations:
This vulnerability has been patched in blahp-1.18.37.bosco-1. Sites running previous version of BLAHP should update to the most current version as soon as possible.
How It Works:
When submitting jobs, a local user can use the arguments attribute of the HTCondor submit description file to include malicious code. The malicious code enclosed is executed when the shell script, called by BLAHP, evaluates the arguments attribute on the CE. Most commands within a HTCondor submit file are input validated by HTCondor itself. But, the arguments line is passed through without change to the output ClassAd.
Please contact the OSG security team at [email protected] if you have any questions or concerns.
OSG Security Team