Audit of Operator Fabric
2024-9-4 06:0:0 Author: blog.quarkslab.com(查看原文) 阅读量:2 收藏

Quarkslab was mandated by the Open Source Technology Improvement Fund, Inc. to proceed with the security assessment of the Operator Fabric project. The purpose of this assessment is to deliver an expert opinion of the security level reached by the application at a specific moment.

Introduction

OperatorFabric is a part of the LF Energy coalition. This project is a modular, extensible, industrial-strength platform for use in electricity, water, and other utility operations. It aims to facilitate operational activities by:

  • Consolidating real-time business events in one location to eliminate the need for multiple screens or software.
  • Enhancing interactions between operational control centers.

The purpose of this audit was to help Operator Fabric developers to improve the security of the platform. The recommendations made by Quarkslab are addressed to increase Operator Fabric developers' confidence in its codebase and reduce the final risk level. The full report of our security assessment can be found on the OSTIF website. Following the audit, all important findings have been taken into consideration by the Operator Fabric developers' team.

Scope

The scope of the audit was focused on the operator fabric core component. Quarkslab's auditors developed a formal threat model to define the attack surface and identify potential threats based on the project's features and software architecture. This model was used to list the project's critical functionalities and systematically carry out the security assessment, identifying vulnerabilities using dynamic and static analysis.

Findings

The table below summarizes the findings of the audit. A total of 5 vulnerabilities were found, of which one had high severity, one serious severity, one medium severity, two low severity, as well as one informational issue.

ID Title Severity
V01 - Full Path Disclosure A Full Path Disclosure vulnerability occurs when an attacker leaks the path of a Web application's internal file system. Low
V02 - Technical Information Leakage Technical Information Leakage (also known as information disclosure), occurs when a Website unintentionally reveals sensitive information to its users. Low
V03 - Arbitrary File Upload An Arbitrary File Upload Vulnerability is a security flaw that allows an attacker to upload malicious files onto a server. Medium
V04 - Tar (tar.gz) slip attack Tar Slip attack is a critical vulnerability related to archive extraction. Serious
V05 - Path traversal leading to RCE and Docker escape A Path Traversal vulnerability (also known as Directory Traversal) occurs when an attacker can control part of the path that is then passed to the filesystem APIs without validation. High
I01 - Stored XSS by adding JavaScript code to a bundle template The auditors understood that it is possible to add arbitrary JavaScript to any template, thus exploiting a stored XSS vulnerability. Informational

Conclusion

Based on the risks associated with the identified vulnerabilities, the auditors defined the security level as insufficient. This level is defined as insufficient, as the impact of one of the vulnerabilities (V05 - Path traversal leading to RCE and Docker escape) is significant. Nevertheless, Quarkslab's auditors were unable to uncover any critical vulnerability that could be exploited without authentication, which is a positive point.

Quarkslab has been particularly impressed by the quality of the code implemented by the developers, as the code base is very clean and the project structure easy to audit. Quarkslab would like to highlight that Operator Fabric developers have understood the importance of cleaning up user inputs to guard against classic injection attacks, and that critical vulnerabilities should not be difficult for them to fix.

Thanks to the great communication between Quarkslab auditors and Operator Fabric developers' team, the vulnerabilities were well understood, and a remediation plan was promptly implemented by the developers. Quarkslab had a successful collaboration with Operator Fabric developers' team and OSTIF, working on this project was enriching for both teams.


If you would like to learn more about our security audits and explore how we can help you, get in touch with us!


文章来源: http://blog.quarkslab.com/audit-of-operator-fabric.html
如有侵权请联系:admin#unsafe.sh