This repository has been archived by the owner on Sep 11, 2020. It is now read-only.

ChubaoFS Pentest Report 08.-09.2020 #14

Closed
mervinkid opened this issue Sep 10, 2020 · 0 comments

Overview
Thanks to @cure53, Dr.-Ing. M. Heiderich, M. Wege, MSc. D. Weißer, MSc. F. Fäßler, MSc. R. Peraglie for helping ChubaoFS complete an important safety assessment in August 2020. This evaluation work prepared a complete pentest report.

This security assessment was initiated by the CNCF and is intended to help all projects under the foundation discover the security issues hidden in the projects earlier, so as to improve the security of these projects.
Thank you CNCF and all those who participated in this evaluation.

This issue is used to publicize and track the security-related issues checked out in this assessment.

Each issue found in this assessment will have an independent issue to describe the specific details of the issue, and through this issue, all security-related issues pointed out in the report will be summarized.

Identified Vulnerabilities

| ID | Name | Level | Issue | PR |
|---|---|---|---|---|
| CFS-01-003 | WP1 Insecure SHA1 password-hashing | Low | #12 | |
| CFS-01-004 | WP1 Linux file permissions ineffective for ACL | High | #13 | cubefs/cubefs#906 |
| CFS-01-005 | WP1 Missing HMAC leads to CBC padding oracle | Medium | #11 | |
| CFS-01-007 | WP1 No brute-force protection on - time-unsafe comparisons | Low | #10 | |
| CFS-01-008 | WP1 Unencrypted raw TCP traffic to Meta- and DataNode | High | | |
| CFS-01-009 | WP1 Unauthenticated raw TCP traffic to Meta- and DataNode | High | | |
| CFS-01-010 | WP1 Lack of TCP traffic message replay protection | Medium | | |
| CFS-01-011 | WP1 Rogue Meta- and DataNodes possible due to lack of ACL | High | | |
| CFS-01-015 | WP1 API freely discloses all user-secrets | Critical | | |
| CFS-01-016 | WP2 Default Docker deployment insecure on public hosts | High | #8 | |
| CFS-01-022 | WP1 HTTP clear-text ObjectNode REST API exposed | High | | |
| CFS-01-024 | WP2 Bypassing Skip-Owner-Validation header authentication | Medium | | |

Miscellaneous Issues

| ID | Name | Level | Issue | PR |
|---|---|---|---|---|
| CFS-01-001 | WP1 Usage of math/rand within crypto-utils and utils | Info | #9 | |
| CFS-01-002 | WP1 TLS version not enforced for AuthNode HTTP server | Low | | |
| CFS-01-006 | WP1 Password hashes can be used to authenticate | Low | | |
| CFS-01-012 | WP1 HTTP parameter pollution in HTTP clients | Medium | #7 | |
| CFS-01-013 | WP1 Unsalted MD5 authKey-Computation in ObjectNode | Low | | |
| CFS-01-014 | WP2 Lack of password complexity in MasterNode | Low | | |
| CFS-01-017 | WP2 Docker deployment stores client.json as world-readable | Medium | | |
| CFS-01-018 | WP1 Docker deployment logs credentials as world-readable | Medium | | |
| CFS-01-019 | WP1 Folders can be moved into their own child folders | Low | #6 | |
| CFS-01-020 | WP1 Missing filename-validation allows folder corruption | Low | #5 | |
| CFS-01-021 | WP1 Debugging endpoint /debug/pprof exposed | Info | #4 | |
| CFS-01-023 | WP1 Build system lacks stack canaries, PIE and FORTIFY | Medium | #3 | |
| CFS-01-025 | WP1 Outdated vulnerable bzip2 dependency for ARM64 build | Info | #1 | |
| CFS-01-026 | WP2 cfs-server processes running with root privileges | Medium | #2 | |
| CFS-01-027 | WP1 Potential path traversal in MetaNodes | Low | | |
| CFS-01-028 | WP1 Insecure ObjectNode policy-checking behavior | Medium | | |

Attachments

@mervinkid mervinkid pinned this issue Sep 10, 2020
@mervinkid mervinkid unpinned this issue Sep 11, 2020
@mervinkid mervinkid transferred this issue from cubefs/cubefs Sep 11, 2020