Headline
GHSA-qp7j-x725-g67f: HydrAIDE Authentication Bypass Vulnerability
Summary
There is no authentication of any kind.
Details
TLS is implemented, the tunnel between the client and server is secure, however once data is on the server, it’s free to be read by any adversaries.
On the client side : https://github.com/hydraide/hydraide/blob/main/sdk/go/hydraidego/client/client.go#L221 It should be using a TLS Config with RootCAs and Certificates, currently RootCAs only (under NewClientTLSFromFile)
And on the server side, there should be ClientCAs and ClientAuth filled.
PoC
To bypass as is, the simplest way is to take the client and modify the code as such :
Modified from https://github.com/hydraide/hydraide/blob/main/sdk/go/hydraidego/client/client.go#L209
// hostOnly := strings.Split(server.Host, ":")[0]
// creds, certErr := credentials.NewClientTLSFromFile(server.CertFilePath, hostOnly)
// if certErr != nil {
// slog.Error("error while loading TLS credentials: ", "error", certErr, "server", server.Host, "fromIsland", server.FromIsland, "toIsland", server.ToIsland)
// errorMessages = append(errorMessages, certErr)
// }
var opts []grpc.DialOption
tlsConfig := &tls.Config{
InsecureSkipVerify: true,
}
creds := credentials.NewTLS(tlsConfig)
opts = append(opts, grpc.WithTransportCredentials(creds))
Impact
It impacts everyone who think there is any kind of authentication.
Resolution
This vulnerability has been fully fixed in server/v2.2.1 together with hydraidectl/v0.2.1.
All users are strongly advised to upgrade:
- Update to hydraidectl v0.2.1
- Re-initialize server instances with hydraidectl init into a new folder. This generates the required certificate files, downloads the latest binaries, and sets up the necessary environment variables.
For migration help, join the community Discord: https://discord.gg/xE2YSkzFRm or open a GitHub Discussion. If anything does not work, please report it.
Summary
There is no authentication of any kind.
Details
TLS is implemented, the tunnel between the client and server is secure, however once data is on the server, it’s free to be read by any adversaries.
On the client side : https://github.com/hydraide/hydraide/blob/main/sdk/go/hydraidego/client/client.go#L221
It should be using a TLS Config with RootCAs and Certificates, currently RootCAs only (under NewClientTLSFromFile)
And on the server side, there should be ClientCAs and ClientAuth filled.
PoC
To bypass as is, the simplest way is to take the client and modify the code as such :
Modified from https://github.com/hydraide/hydraide/blob/main/sdk/go/hydraidego/client/client.go#L209
// hostOnly := strings.Split(server.Host, ":")\[0\]
// creds, certErr := credentials.NewClientTLSFromFile(server.CertFilePath, hostOnly)
// if certErr != nil {
// slog.Error("error while loading TLS credentials: ", "error", certErr, "server", server.Host, "fromIsland", server.FromIsland, "toIsland", server.ToIsland)
// errorMessages = append(errorMessages, certErr)
// }
var opts \[\]grpc.DialOption
tlsConfig := &tls.Config{
InsecureSkipVerify: true,
}
creds := credentials.NewTLS(tlsConfig)
opts \= append(opts, grpc.WithTransportCredentials(creds))
Impact
It impacts everyone who think there is any kind of authentication.
Resolution
This vulnerability has been fully fixed in server/v2.2.1 together with hydraidectl/v0.2.1.
All users are strongly advised to upgrade:
- Update to hydraidectl v0.2.1
- Re-initialize server instances with hydraidectl init into a new folder. This generates the required certificate files, downloads the latest binaries, and sets up the necessary environment variables.
For migration help, join the community Discord: https://discord.gg/xE2YSkzFRm or open a GitHub Discussion.
If anything does not work, please report it.
References
- GHSA-qp7j-x725-g67f
- hydraide/hydraide@b252554#diff-63efbc8179fff403eb5cc642407b33c0fb21aea2c84baaf5e5223f76f5d75f55