For jobs that request HTCondor to transfer files to or from S3 cloud storage, pre-signed URLs that can be used to access private files are written to daemon logs and the job ad.
Component | Vulnerable Versions | Platform | Availability | Fix Available |
---|---|---|---|---|
Schedd, Shadow, Starter daemons | 8.9.4 and above | All platforms | Not known to be publicly exploited | 9.0.10, 9.6.0 |

Status | Access Required | Host Type Required | Effort Required | Impact/Consequences |
---|---|---|---|---|
Verified | Login or READ access to Schedd | Submit or Execute host | Low | Medium |

Fixed Date | Credit |
---|---|
2022-03-15 | Brian Bockelman |

An attacker able to log in to a Schedd or Startd machine can obtain pre-signed URLs for all jobs that passed through that machine. An attacker with READ access to the Schedd can obtain pre-signed URLs for any jobs for which S3 transfers failed.
Effort Required: Low
An attacker can obtain pre-signed URLs for all jobs by searching the daemon logs of the condor_shadow or condor_starter. They can obtain pre-signed URLs for jobs with an S3 transfer error using the command line tools. These URLs can be trivially used to access the associated files in S3.
Impact/Consequences: Medium
The attacker can access the S3 file associated with each pre-signed URL. This can include both reading and writing of the data.
Workaround:
Upgrading all HTCondor daemons to version 9.0.10 or 9.6.0 fully addresses this vulnerability.
If upgrading is not possible, you can work around this issue by disabling the generation of pre-signed URLs by HTCondor. To do so, set the following in your configuration files:
SIGN_S3_URLS = False
For jobs that use file transfer to/from S3 for private data, you must then devise another access path. This can include providing a file transfer plugin that supports the 's3' or 'gs' scheme.
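For gauging exposure in daemon log files already on disk, the following added example (not HTCondor code) finds SigV4 pre-signed URLs in log text, redacts the signature in its output, and reports whether each URL's validity window has passed. The sample lines and their layout are constructed, and the function names are hypothetical.

```python
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qsl, urlsplit

# A SigV4 pre-signed URL carries its signature in the query string.
URL_RE = re.compile(r"https?://[^\s\"'<>]+X-Amz-Signature=[0-9a-fA-F]+[^\s\"'<>]*")
SIG_RE = re.compile(r"(X-Amz-Signature=)[0-9a-fA-F]+")

# Constructed sample lines; the log line layout is an assumption.
SAMPLE_LOG = [
    "03/10/22 09:00:01 (pid:4242) starting file transfer",
    "03/10/22 09:00:02 (pid:4242) GET https://bucket.s3.example.com/in.dat"
    "?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20220310T090000Z"
    "&X-Amz-Expires=3600&X-Amz-Signature=0123abcd",
    "03/01/22 00:00:05 (pid:77) PUT https://bucket.s3.example.com/out.dat"
    "?X-Amz-Date=20220301T000000Z&X-Amz-Expires=600&X-Amz-Signature=feedface",
    "03/10/22 09:05:00 (pid:4242) GET https://bucket.s3.example.com/x"
    "?X-Amz-Signature=deadbeef",
]


def expiry(url):
    """Return the UTC expiry of a pre-signed URL, or None if it cannot be parsed."""
    q = dict(parse_qsl(urlsplit(url).query))
    try:
        start = datetime.strptime(q["X-Amz-Date"], "%Y%m%dT%H%M%SZ")
        return start.replace(tzinfo=timezone.utc) + timedelta(seconds=int(q["X-Amz-Expires"]))
    except (KeyError, ValueError):
        return None


def audit(lines, now):
    """Return (line_no, redacted_line, expires_at, still_valid) for each URL found."""
    findings = []
    for no, line in enumerate(lines, 1):
        for m in URL_RE.finditer(line):
            exp = expiry(m.group(0))
            # An unknown expiry is treated as still valid so it is not overlooked.
            live = exp is None or exp > now
            redacted = SIG_RE.sub(r"\1REDACTED", line.rstrip())
            findings.append((no, redacted, exp, live))
    return findings


if __name__ == "__main__":
    now = datetime(2022, 3, 10, 9, 30, tzinfo=timezone.utc)  # constructed clock
    for no, text, exp, live in audit(SAMPLE_LOG, now):
        print(f"line {no}: {'LIVE' if live else 'expired'} (expires {exp}) {text}")
```

Objects behind URLs reported as still valid are the ones to review first; the redacted output can be shared without re-exposing the signature.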
Full Details:
Embargoed until future notice.