CVE-2026-45039
Status: Deferred - Pending Action
Authentication Bypass in RustFS via Hardcoded Secret

Publication date: 2026-05-28

Last updated on: 2026-05-28

Assigner: GitHub, Inc.

Description
RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-beta.2, the internode RPC layer authenticates every request with an HMAC-SHA256 signature using a shared secret. The function that produces this secret, get_shared_secret() in crates/ecstore/src/rpc/http_auth.rs, falls back to the public, source-tree-embedded DEFAULT_SECRET_KEY = "rustfsadmin" when neither the RUSTFS_RPC_SECRET environment variable nor the global S3 secret key has been configured. This vulnerability is fixed in 1.0.0-beta.2.
Meta Information
Published: 2026-05-28
Last Modified: 2026-05-28
Generated: 2026-06-18
AI Q&A: 2026-05-28
EPSS Evaluated: 2026-06-16
Affected Vendors & Products (2 associated CPEs)
Vendor   Product   Version / Range
rustfs   rustfs    to 1.0.0-beta.2 (inc)
rustfs   rustfs    to 1.0.0-beta.2 (exc)
CWE
CWE-798: The product contains hard-coded credentials, such as a password or cryptographic key.
CWE-1392: The product uses default credentials (such as passwords or cryptographic keys) for potentially critical functionality.
Executive Summary

RustFS is a distributed object storage system written in Rust. Before version 1.0.0-beta.2, the system's internode RPC layer authenticated requests using an HMAC-SHA256 signature based on a shared secret. However, the function responsible for generating this shared secret would fall back to a default, publicly known secret key "rustfsadmin" if neither the environment variable RUSTFS_RPC_SECRET nor the global S3 secret key was configured. This fallback to a hardcoded default secret key creates a vulnerability.

Compliance Impact

The vulnerability allows attackers to impersonate peer nodes by exploiting a hard-coded default credential, enabling full cluster takeover including disk manipulation, data replication, and erasure group changes. This bypasses S3 access controls entirely, potentially leading to unauthorized access, data breaches, and data integrity violations.

Such unauthorized access and control over data storage systems can result in non-compliance with common standards and regulations like GDPR and HIPAA, which mandate strict controls over data confidentiality, integrity, and access management.

Detection Guidance

This vulnerability can be detected by checking if the RustFS internode RPC service is running a vulnerable version (up to 1.0.0-beta.1) and if it is using the default hard-coded RPC secret "rustfsadmin" instead of a configured secret.

Since the fallback to the default secret occurs silently without warnings, detection involves verifying the configuration and network activity related to the RPC port.

  • Check the RustFS version to confirm if it is 1.0.0-beta.1 or earlier.
  • Inspect environment variables and configuration files for the presence of RUSTFS_RPC_SECRET or global S3 secret key settings.
  • Monitor network traffic on the RPC port for unauthorized or suspicious HMAC-SHA256 signed requests using the default secret.

Example commands that may help in detection:

  • Check RustFS version: `rustfs --version` or check the running process version.
  • Check environment variable: `echo $RUSTFS_RPC_SECRET`
  • Search configuration files for secret keys: `grep -r 'secret' /etc/rustfs/` or relevant config paths.
  • Monitor RPC port (replace <port> with actual RPC port): `sudo tcpdump -i any port <port> -A` to inspect traffic for suspicious authentication attempts.

Impact Analysis

Because the system may use a publicly known default secret key for authentication, an attacker could potentially forge valid authentication signatures for internode RPC requests. This could allow unauthorized access to the distributed storage system, leading to full compromise of confidentiality, integrity, and availability of the data and services.

Mitigation Strategies

To mitigate this vulnerability, upgrade RustFS to version 1.0.0-beta.2 or later, where the issue is fixed.

Ensure that the RUSTFS_RPC_SECRET environment variable or the global S3 secret key is properly configured to avoid fallback to the default embedded secret.
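To make the fallback chain from the Description concrete, and to show what the configuration check in the mitigation above amounts to in code, here is an added illustration that is not RustFS's own source: the described precedence (env var, then global S3 secret, then the embedded default) next to a fail-closed alternative. Only DEFAULT_SECRET_KEY, the value "rustfsadmin" and the variable RUSTFS_RPC_SECRET come from the advisory; the function and error names, and treating a blank value as unset, are assumptions.

```rust
// Added illustration of the fallback chain the advisory describes; not RustFS's
// source. Only DEFAULT_SECRET_KEY, "rustfsadmin" and RUSTFS_RPC_SECRET come from
// the advisory; every other name here is assumed.
pub const DEFAULT_SECRET_KEY: &str = "rustfsadmin";

#[derive(Debug, PartialEq)]
pub enum SecretError {
    NotConfigured, // neither RUSTFS_RPC_SECRET nor the global S3 secret key is set
    DefaultInUse,  // the configured value equals the embedded default
}

/// First non-empty configured value (assumed: a blank value counts as unset).
fn first_configured(rpc_secret_env: Option<&str>, s3_secret: Option<&str>) -> Option<String> {
    rpc_secret_env
        .filter(|s| !s.is_empty())
        .or(s3_secret.filter(|s| !s.is_empty()))
        .map(str::to_string)
}

/// Pre-beta.2 behaviour as described: env var, then S3 secret, then the
/// hard-coded default, so every unconfigured node shares "rustfsadmin".
pub fn get_shared_secret_vulnerable(rpc_secret_env: Option<&str>, s3_secret: Option<&str>) -> String {
    first_configured(rpc_secret_env, s3_secret).unwrap_or_else(|| DEFAULT_SECRET_KEY.to_string())
}

/// Fail-closed alternative (an assumed design, not the upstream fix): refuse to
/// start with no secret, and refuse an explicitly configured default.
pub fn get_shared_secret_fail_closed(rpc_secret_env: Option<&str>, s3_secret: Option<&str>) -> Result<String, SecretError> {
    let secret = first_configured(rpc_secret_env, s3_secret).ok_or(SecretError::NotConfigured)?;
    if secret == DEFAULT_SECRET_KEY {
        return Err(SecretError::DefaultInUse);
    }
    Ok(secret)
}

/// Operator check: would a pre-beta.2 node with these settings run on the default?
pub fn node_uses_default_secret(rpc_secret_env: Option<&str>, s3_secret: Option<&str>) -> bool {
    get_shared_secret_vulnerable(rpc_secret_env, s3_secret) == DEFAULT_SECRET_KEY
}

fn main() {
    // Reads only the variable the advisory names; the S3 secret is passed as None
    // because the page does not say where it is read from.
    let rpc = std::env::var("RUSTFS_RPC_SECRET").ok();
    match get_shared_secret_fail_closed(rpc.as_deref(), None) {
        Ok(_) => println!("RPC secret configured"),
        Err(e) => println!("node would use the default or refuse to start: {:?}", e),
    }
}
```

Run with RUSTFS_RPC_SECRET unset to see the fail-closed path report NotConfigured where the described pre-beta.2 logic would silently have used "rustfsadmin".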
