Crossplane security audit 2023 findings and report

Adam Korczynski,

Security Engineering & Security Automation

We are happy to announce the results of our security audit of Crossplane which we carried out in April and May 2023 that included the following Crossplane subprojects:

1. crossplane
2. crossplane-runtime

Find the full report here: Audit report

The engagement was a holistic security audit covering multiple security disciplines:

1. Threat modelling
2. Manual code auditing
3. Fuzzing review and optimisation
4. SLSA compliance review

Threat modeling

The audit is particularly interesting for folks with an interest in supply chain security. The threat modelling goal identified the importance of Crossplanes supply chain. Crossplane is essentially a package manager for cloud-native systems with Crossplane Packages being the artefacts that users consume. Crossplane Packages are merely opinionated OCI images. Typically users consume images from registries which we consider untrusted. The implications of that for Crossplanes threat model is that Crossplane should be resilient towards any data coming from the registry. During the threat modelling goal we looked at all the potential weak points where a malicious Crossplane Package could compromise Crossplanes security. For example, Crossplane does some processing over the images it fetches from the registry; These are areas that threat actors will seek to attack a Crossplane deployment.

Manual code auditing

The audit resulted in several interesting findings. We found a total of 16 security issues of which 2 were assigned CVEs.

1. CVE-2023-37900: Denial of service from large Package image
2. CVE-2023-38495: Possible image tampering from missing image validation for Packages

All vulnerabilities were exposed through an attack surface available to the registry.

Fuzzing

As part of goal #3 - Fuzzing review and optimisation - we wrote 4 new fuzzers for Crossplane fuzzing suite and integrated them in such a manner that they run continuously as part of Crossplane's OSS-Fuzz integration. Crossplane recently completed a separate fuzzing security audit, and the Crossplane team have since set up the fuzzing suite in such a manner that all fuzzers in the Crossplane or Crossplane-runtime repositories are included in OSS-Fuzz build cycles.

SLSA

SLSA is a framework for identifying supply-chain risks from using software artifacts. The framework emphasises the importance of distributing provenance attestations alongside artifacts, so that consumers can verify them before consuming. SLSA aims to defend against a series of known supply chain threats, and as part of the audit we assessed how Crossplane performs against the SLSA framework. The high-level observation is that Crossplane performs well but is lacking the provenance statement which we recommend attaching to releases.