Compliance Impact

The vulnerability allows unauthenticated access to profiling endpoints, leading to potential denial of service and information disclosure of the server's absolute filesystem path.

Such unauthorized access and information disclosure could negatively impact compliance with standards and regulations like GDPR and HIPAA, which require protection of system integrity and confidentiality of sensitive information.

Specifically, the information disclosure could aid attackers in further exploitation, potentially compromising personal or sensitive data, which is a violation of these regulations' security requirements.

Useful 0 Not Useful 0

Executive Summary

The vulnerability exists in RustFS, a distributed object storage system built in Rust, prior to version 1.0.0-beta.2. The admin router explicitly whitelists the endpoints /profile/cpu and /profile/memory from the authentication layer, allowing any unauthenticated HTTP client to access profiling handlers without credentials.

On supported builds, such as those using glibc, the /profile/cpu handler triggers a fixed 60-second CPU profiling operation for each request. This can cause significant CPU resource consumption.

Additionally, the handler returns the server’s absolute filesystem path in the response body, which leads to information disclosure.

This combination of unauthenticated access, resource exhaustion potential, and information disclosure constitutes the vulnerability, which was fixed in version 1.0.0-beta.2.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can impact you by allowing unauthenticated attackers to invoke CPU profiling operations that consume significant CPU resources, potentially leading to denial of service (DoS) conditions.

Furthermore, the vulnerability causes information disclosure by revealing the server’s absolute filesystem path in the response, which could aid attackers in further exploitation or reconnaissance.

Useful 0 Not Useful 0

Mitigation Strategies

To mitigate this vulnerability, you should upgrade RustFS to version 1.0.0-beta.2 or later, where the issue has been fixed.

Until the upgrade is applied, consider restricting access to the /profile/cpu and /profile/memory endpoints to trusted and authenticated users only, to prevent unauthenticated clients from invoking the profiling handlers.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by sending unauthenticated HTTP requests to the vulnerable endpoints `/profile/cpu` and `/profile/memory` on the RustFS server and observing the responses.

• Send a request to `/profile/cpu` and check if the server starts a CPU profiling operation (which may cause high CPU usage) and returns the server's absolute filesystem path in the response.
• On musl/Docker builds, a 500 Internal Server Error response instead of 401/403 indicates the authentication bypass.
• Verify that the correctly secured endpoint `/rustfs/admin/debug/pprof/profile` returns a 403 Access Denied error.

Example command using curl to test the `/profile/cpu` endpoint:

• curl -i http://<rustfs-server>/profile/cpu

If the response includes the absolute filesystem path or the server consumes high CPU for about 60 seconds, the vulnerability is present.

Useful 0 Not Useful 0