Vitess security audit 2023: findings and report
5th June, 2023
In March and April Ada Logics carried out a security audit for Vitess. The audit was a holistic security audit with a focus on Vitess’s new component, VTAdmin. Vitess had previously had both a security audit and a fuzzing audit done; however, VTAdmin was added after Vitess’s last audits and had therefore not previously been in scope.
The current audit had 5 high-level goals:
- Formalize a threat model of VTAdmin.
- Perform a manual audit of the VTAdmin code following the threat model.
- Align Vitess’s fuzzing suite with the threats identified by the maintainers.
- Perform a manual audit of the remaining Vitess code base.
- Conduct a Supply Chain Levels for Software Artifacts (SLSA) review of Vitess.
Threat Modeling
The auditors assessed Vitess’s design to consider its attack vectors and threat actors. VTAdmin exposes a series of endpoints that handle both authorization and authentication before requests are forwarded to Vitess’s internals. The threat model formalizes that and is available in the final report to encourage independent researchers, users and maintainers to do their own security work on Vitess.
Notable Findings
The most notable findings from the audit were 2 vulnerabilities that the auditors found during the manual auditing phase. Both vulnerabilities were of Moderate severity and were assigned the following CVE IDs:
- Users that can create keyspaces can deny access to already existing keyspaces: CVE-2023-29194
- VTAdmin users that can create shards can deny access to other functions: CVE-2023-29195
The root cause of these two vulnerabilities was similar, and both allowed a user to prevent other users from carrying out actions against certain resources. At a high level, they looked like this:
- A malicious user would create either a keyspace or a shard with a malicious name.
- Vitess would create the keyspace or shard.
- Benign users would subsequently be denied from carrying out certain actions in the Vitess cluster.
Ada Logics reported both vulnerabilities to the Vitess security team who quickly fixed both.
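The pattern above is a user-supplied resource name that reaches cluster state without being checked. The following Go snippet is an added example, not Vitess's own validation code and not a description of the actual fix: it applies a constructed, deliberately conservative allowlist at the create boundary so that a rejected name is never written and cannot interfere with existing keyspaces or shards. The inputs in `main` are constructed; the page does not state which characters made the original names malicious.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
)

// Constructed policy for this example, not Vitess's own validation: a short
// allowlist so no name can be read as a path or control sequence downstream.
const maxNameLen = 64

var namePattern = regexp.MustCompile(`^[A-Za-z0-9_][A-Za-z0-9_-]*$`)

var (
	ErrEmptyName   = errors.New("name must not be empty")
	ErrNameTooLong = errors.New("name exceeds maximum length")
	ErrBadChars    = errors.New("name contains characters outside the allowlist")
)

// ValidateResourceName checks a user-supplied keyspace or shard name at the
// API boundary, before any cluster state is created from it.
func ValidateResourceName(name string) error {
	switch {
	case name == "":
		return ErrEmptyName
	case len(name) > maxNameLen:
		return ErrNameTooLong
	case !namePattern.MatchString(name):
		return ErrBadChars
	}
	return nil
}

// CreateKeyspace stands in for the create endpoint: a rejected name is never
// written, so it cannot affect entries that already exist.
func CreateKeyspace(store map[string]bool, name string) error {
	if err := ValidateResourceName(name); err != nil {
		return fmt.Errorf("refusing to create keyspace %q: %w", name, err)
	}
	store[name] = true
	return nil
}

func main() {
	store := map[string]bool{}
	for _, n := range []string{"commerce", "", "a/b", "orders\x00", "-lead"} {
		fmt.Printf("%q -> %v\n", n, CreateKeyspace(store, n))
	}
}
```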
Fuzzing
As part of the audit’s fuzzing goal, Ada Logics wrote two fuzzers to test these two vulnerabilities and added them to Vitess’s OSS-Fuzz integration. Ada Logics added the two fuzzers to Vitess’s project directory in cncf-fuzzing: https://github.com/cncf/cncf-fuzzing/pull/341. The fuzzers found two further edge cases that could trigger the vulnerabilities and that the initial fixes had not covered.
SLSA
SLSA (Supply Chain Levels for Software Artifacts) is a security framework for assessing the supply chain security posture of software projects. At the time of the audit, Ada Logics used SLSA v0.1 to assess Vitess’s compliance. SLSA v0.1 assessed a project against a list of criteria covering its build and release processes, its access controls and its provenance. Vitess has worked on improving its SLSA compliance, but SLSA has since released v1.0, which takes a different approach. It is highly encouraging that the Vitess team works continuously to follow the SLSA framework.