For jobs that request HTCondor to transfer files to or from S3 cloud storage, pre-signed URLs that can be used to access private files are written to daemon logs and the job ad.
|Component||Vulnerable Versions||Platform||Availability||Fix Available|
|Schedd, Shadow, Starter daemons||8.9.4 and above||All platforms||Not known to be publicly exploited||9.0.10, 9.6.0|
|Status||Access Required||Host Type Required||Effort Required||Impact/Consequences|
|Verified||Login or READ access to Schedd||Submit or Execute host||Low||Medium|
An attacker able to login to a Schedd or Startd machine can obtain pre-signed URLs for all jobs that passed through that machine. An attacker with READ access to the SchedD can obtain pre-signed URLs for any jobs for which S3 transfers failed.Effort Required: Low
An attacker can obtain pre-signed URLs for all jobs by searching the daemon logs of the condor_shadow or condor_starter. They can obtain pre-signed URLs for jobs with an S3 transfer error using the command line tools. These URLs can be trivially used to access the associated files in S3.Impact/Consequences Required: Medium
The attacker can access the S3 file associated with each pre-signed URL. This can include both reading and writing of the data.Workaround:
Upgrading all HTCondor daemons to version 9.0.10 or 9.6.0 fully addresses this vulnerability.
If upgrading is not possible, you can work around this issue by disabling the generation of pre-signed URLs by HTCondor. To do so, set the following in your configuration files:
SIGN_S3_URLS = False
For jobs that use file transfer to/from S3 for private data, you must then devise another access path. This can include providing a file transfer plugin that supports the 's3' or 'gs' scheme.Full Details:
Embargoed until future notice.