For jobs that request HTCondor to transfer files to or from S3 cloud storage, pre-signed URLs that can be used to access private files are written to daemon logs and the job ad.
|Schedd, Shadow, Starter daemons
|8.9.4 and above
|Not known to be publicly exploited
|Host Type Required
|Login or READ access to Schedd
|Submit or Execute host
An attacker able to login to a Schedd or Startd machine can obtain pre-signed URLs for all jobs that passed through that machine. An attacker with READ access to the SchedD can obtain pre-signed URLs for any jobs for which S3 transfers failed.Effort Required: Low
An attacker can obtain pre-signed URLs for all jobs by searching the daemon logs of the condor_shadow or condor_starter. They can obtain pre-signed URLs for jobs with an S3 transfer error using the command line tools. These URLs can be trivially used to access the associated files in S3.Impact/Consequences Required: Medium
The attacker can access the S3 file associated with each pre-signed URL. This can include both reading and writing of the data.Workaround:
Upgrading all HTCondor daemons to version 9.0.10 or 9.6.0 fully addresses this vulnerability.
If upgrading is not possible, you can work around this issue by disabling the generation of pre-signed URLs by HTCondor. To do so, set the following in your configuration files:
SIGN_S3_URLS = False
For jobs that use file transfer to/from S3 for private data, you must then devise another access path. This can include providing a file transfer plugin that supports the 's3' or 'gs' scheme.Full Details:
Embargoed until future notice.