HTCONDOR-2022-0001


Summary:

For jobs that request HTCondor to transfer files to or from S3 cloud storage, pre-signed URLs that can be used to access private files are written to daemon logs and the job ad.

Component Vulnerable Versions Platform Availability Fix Available
Schedd, Shadow, Starter daemons 8.9.4 and above All platforms Not known to be publicly exploited 9.0.10, 9.6.0
Status Access Required Host Type Required Effort Required Impact/Consequences
Verified Login or READ access to Schedd Submit or Execute host Low Medium
Fixed Date Credit
2022-03-15 Brian Bockelman
Access Required: Login or READ access to Schedd

An attacker able to login to a Schedd or Startd machine can obtain pre-signed URLs for all jobs that passed through that machine. An attacker with READ access to the SchedD can obtain pre-signed URLs for any jobs for which S3 transfers failed.

Effort Required: Low

An attacker can obtain pre-signed URLs for all jobs by searching the daemon logs of the condor_shadow or condor_starter. They can obtain pre-signed URLs for jobs with an S3 transfer error using the command line tools. These URLs can be trivially used to access the associated files in S3.

Impact/Consequences Required: Medium

The attacker can access the S3 file associated with each pre-signed URL. This can include both reading and writing of the data.

Workaround:

Upgrading all HTCondor daemons to version 9.0.10 or 9.6.0 fully addresses this vulnerability.

If upgrading is not possible, you can work around this issue by disabling the generation of pre-signed URLs by HTCondor. To do so, set the following in your configuration files:

SIGN_S3_URLS = False

For jobs that use file transfer to/from S3 for private data, you must then devise another access path. This can include providing a file transfer plugin that supports the 's3' or 'gs' scheme.

Full Details:

Embargoed until future notice.