lakeFS S3 Gateway Replay Attack Vulnerability
Vulnerability
lakeFS's S3 gateway, in versions prior to 1.75.0, verifies the signature on authenticated requests but does not validate the signed timestamp fields that bound a request's lifetime: the X-Amz-Date of a request signed with AWS Signature Version 4 (SigV4), and, for a presigned URL, the X-Amz-Date together with X-Amz-Expires. Because the signature itself remains valid for as long as the signing key does, an attacker who obtains a signed request (for example a presigned URL that was shared for a one-off download) can replay it until the associated credentials are rotated, long after the request was supposed to have expired.
Impact
Anyone who captures a signed request, whether from logs, a shared link, a proxy, or a network trace, can replay it against the gateway after its intended expiry and obtain the same access the original request authorized, leading to unauthorized reads of or actions on repository data. The expiry on presigned URLs, which is commonly relied on to make shared links short-lived, provides no protection on affected versions; the only effective lifetime is that of the signing key.
Reproduction
To reproduce, upload an object to a lakeFS branch, then generate a presigned GET URL for it through the S3 gateway using the 'obstore' library with a short expiry (a few minutes or less). Wait until that expiry has passed and request the URL again. A correct gateway rejects the request as expired; an affected version still serves the object.
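The check that an affected gateway skips, and the replay scenario from the reproduction steps, as an added Go example (lakeFS is written in Go, but this is not lakeFS code and does not reproduce its internals): a presigned request is rejected once the current time reaches X-Amz-Date + X-Amz-Expires, and a header-signed request is rejected when X-Amz-Date falls outside a 15-minute clock-skew window, the tolerance AWS S3 itself applies. The endpoint, repository path and access key in the sample URL are constructed placeholders, and the X-Amz-Signature value is a dummy: this example shows only the time check, which must run alongside (not instead of) SigV4 signature verification.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/url"
	"strconv"
	"time"
)

// amzDateLayout is the ISO 8601 basic format SigV4 uses for X-Amz-Date.
const amzDateLayout = "20060102T150405Z"

// maxPresignedExpiry is the SigV4 upper bound for X-Amz-Expires (7 days).
const maxPresignedExpiry = 7 * 24 * time.Hour

// maxClockSkew mirrors the 15-minute window AWS S3 tolerates on header-signed requests.
const maxClockSkew = 15 * time.Minute

var (
	ErrMissingDate = errors.New("missing X-Amz-Date")
	ErrBadDate     = errors.New("malformed X-Amz-Date")
	ErrBadExpires  = errors.New("malformed or out-of-range X-Amz-Expires")
	ErrExpired     = errors.New("presigned request has expired")
	ErrSkew        = errors.New("request time outside allowed clock skew")
)

// checkRequestTime enforces the time bounds that a signature check alone does not.
// Presigned requests (query-string auth, identified by X-Amz-Signature in the query) are
// rejected at or past X-Amz-Date + X-Amz-Expires; header-signed requests must carry an
// X-Amz-Date within maxClockSkew of now. Both fields are part of the signed material in
// SigV4, so a client cannot alter them without invalidating the signature, which the caller
// is assumed to have verified separately.
func checkRequestTime(r *http.Request, now time.Time) error {
	q := r.URL.Query()
	presigned := q.Get("X-Amz-Signature") != ""

	rawDate := r.Header.Get("X-Amz-Date")
	if presigned {
		rawDate = q.Get("X-Amz-Date")
	}
	if rawDate == "" {
		return ErrMissingDate
	}
	signedAt, err := time.Parse(amzDateLayout, rawDate)
	if err != nil {
		return ErrBadDate
	}
	now = now.UTC()

	if presigned {
		secs, err := strconv.ParseInt(q.Get("X-Amz-Expires"), 10, 64)
		if err != nil || secs < 1 || time.Duration(secs)*time.Second > maxPresignedExpiry {
			return ErrBadExpires
		}
		// A URL dated in the future beyond the skew window is not accepted either.
		if signedAt.After(now.Add(maxClockSkew)) {
			return ErrSkew
		}
		if !now.Before(signedAt.Add(time.Duration(secs) * time.Second)) {
			return ErrExpired
		}
		return nil
	}

	if d := now.Sub(signedAt); d > maxClockSkew || d < -maxClockSkew {
		return ErrSkew
	}
	return nil
}

// newPresignedRequest builds a GET carrying the query-string auth fields of a SigV4
// presigned URL. The credential and signature values are constructed placeholders.
func newPresignedRequest(base string, signedAt time.Time, expires time.Duration) *http.Request {
	u, _ := url.Parse(base)
	q := u.Query()
	q.Set("X-Amz-Algorithm", "AWS4-HMAC-SHA256")
	q.Set("X-Amz-Credential", "AKIAIOSFODNN7EXAMPLE/"+signedAt.UTC().Format("20060102")+"/us-east-1/s3/aws4_request")
	q.Set("X-Amz-Date", signedAt.UTC().Format(amzDateLayout))
	q.Set("X-Amz-Expires", strconv.FormatInt(int64(expires/time.Second), 10))
	q.Set("X-Amz-SignedHeaders", "host")
	q.Set("X-Amz-Signature", "0000000000000000000000000000000000000000000000000000000000000000")
	u.RawQuery = q.Encode()
	r, _ := http.NewRequest(http.MethodGet, u.String(), nil)
	return r
}

func main() {
	// Constructed lakeFS-style path: bucket is the repository, key is branch/path.
	const target = "http://lakefs.local:8000/my-repo/main/data/object.parquet"
	signedAt := time.Date(2024, 1, 1, 12, 0, 0, 0, time.UTC)
	r := newPresignedRequest(target, signedAt, 60*time.Second)

	// Same URL, used 30 seconds after signing and again 5 minutes later (the replay).
	for _, now := range []time.Time{signedAt.Add(30 * time.Second), signedAt.Add(5 * time.Minute)} {
		fmt.Printf("at %s: %v\n", now.Format(time.RFC3339), checkRequestTime(r, now))
	}
}
```

Running the block shows the first use accepted (`<nil>`) and the replay at five minutes rejected with "presigned request has expired". The check reads the time fields from wherever the signature lives (query string for presigned URLs, headers otherwise), because a gateway that only inspected headers would still accept an expired presigned URL.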
Remediation
Upgrade to lakeFS 1.75.0 or later, where the gateway enforces the request timestamp and expiry. Until an upgrade is possible: issue short-lived credentials and rotate them frequently, deactivating old keys so that any captured signed request stops working with them; restrict S3 gateway access to trusted networks or IP ranges; and treat presigned URLs issued by an affected gateway as bearer tokens whose real lifetime is that of the signing key, not the X-Amz-Expires value.
