Quarkslab was commissioned by the Open Source Technology Improvement Fund, Inc. (OSTIF) to carry out a security assessment of the Operator Fabric project. The purpose of this assessment is to deliver an expert opinion on the security level reached by the application at a specific point in time.
Introduction
OperatorFabric is a part of the LF Energy coalition. This project is a modular, extensible, industrial-strength platform for use in electricity, water, and other utility operations. It aims to facilitate operational activities by:
- Consolidating real-time business events in one location to eliminate the need for multiple screens or software.
- Enhancing interactions between operational control centers.
The purpose of this audit was to help Operator Fabric developers improve the security of the platform. The recommendations made by Quarkslab are intended to increase the Operator Fabric developers' confidence in their codebase and to reduce the final risk level. The full report of our security assessment can be found on the OSTIF website. Following the audit, all important findings were taken into consideration by the Operator Fabric development team.
Scope
The scope of the audit was focused on the Operator Fabric core component. Quarkslab's auditors developed a formal threat model to define the attack surface and identify potential threats based on the project's features and software architecture. This model was used to list the project's critical functionalities and to carry out the security assessment systematically, identifying vulnerabilities through dynamic and static analysis.
Findings
The table below summarizes the findings of the audit. A total of 5 vulnerabilities were found: one of high severity, one of serious severity, one of medium severity and two of low severity, as well as one informational issue.
ID | Title | Description |
---|---|---|
HIGH-1 | V05 - Path traversal leading to RCE and Docker escape | A Path Traversal vulnerability (also known as Directory Traversal) occurs when an attacker can control part of the path that is then passed to the filesystem APIs without validation. |
SER-1 | V04 - Tar (tar.gz) slip attack | A Tar Slip attack is a critical vulnerability class affecting archive extraction, in which entry paths taken from the archive are used to write files outside the intended extraction directory. |
MED-1 | V03 - Arbitrary File Upload | An Arbitrary File Upload Vulnerability is a security flaw that allows an attacker to upload malicious files onto a server. |
LOW-1 | V01 - Full Path Disclosure | A Full Path Disclosure vulnerability occurs when an attacker leaks the path of a Web application's internal file system. |
LOW-2 | V02 - Technical Information Leakage | Technical Information Leakage (also known as information disclosure) occurs when a website unintentionally reveals sensitive information to its users. |
INFO-1 | I01 - Stored XSS by adding JavaScript code to a bundle template | The auditors found that arbitrary JavaScript can be added to any template, resulting in a stored XSS vulnerability. |
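V04 (tar slip) and V05 (path traversal) in the table above share one root cause: a path taken from untrusted input (an archive entry name, a request parameter) is handed to filesystem APIs without first confirming that it stays inside the directory the application intended. The following Python example is added here as an illustration and is neither Quarkslab's nor Operator Fabric's code; the helper names (`resolve_within`, `safe_extract`, `build_archive`) and the in-memory archive it checks are constructed for the example. The same containment check covers both findings: the upload/bundle path is resolved and verified to sit under the base directory, and archive extraction rejects every member that fails the check or that is a link rather than a plain file or directory.

```python
import io
import os
import tarfile
import tempfile
from pathlib import Path


class UnsafePathError(ValueError):
    """Raised when an untrusted path would escape the intended base directory."""


def resolve_within(base: Path, untrusted: str) -> Path:
    """Return base/untrusted as an absolute path, or raise if it escapes base.

    Rejects empty and absolute paths, then resolves the candidate (which
    collapses '..' components and follows existing symlinks) and requires
    that the resolved base be one of its ancestors.
    """
    base = base.resolve()
    if not untrusted or os.path.isabs(untrusted) or "\x00" in untrusted:
        raise UnsafePathError(f"rejected path: {untrusted!r}")
    candidate = (base / untrusted).resolve()
    if candidate != base and base not in candidate.parents:
        raise UnsafePathError(f"path escapes base directory: {untrusted!r}")
    return candidate


def safe_extract(archive: bytes, dest: Path) -> list[str]:
    """Extract a tar.gz into dest, writing only regular files and directories
    whose resolved path stays inside dest. Returns the rejected member names."""
    rejected: list[str] = []
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
        for member in tar:
            # Symlinks, hard links and device nodes are refused outright: a link
            # pointing outside dest is another route out of the directory.
            if not (member.isfile() or member.isdir()):
                rejected.append(member.name)
                continue
            try:
                target = resolve_within(dest, member.name)
            except UnsafePathError:
                rejected.append(member.name)
                continue
            if member.isdir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            with tar.extractfile(member) as src, open(target, "wb") as dst:
                dst.write(src.read())
    return rejected


def build_archive(files: dict[str, bytes], links: dict[str, str]) -> bytes:
    """Constructed sample: build an in-memory tar.gz with the given regular
    files (name -> content) and symlinks (name -> link target). addfile() keeps
    entry names exactly as given, so '..' components survive into the archive."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
        for name, link_target in links.items():
            info = tarfile.TarInfo(name=name)
            info.type = tarfile.SYMTYPE
            info.linkname = link_target
            tar.addfile(info)
    return buf.getvalue()


def demo() -> tuple[list[str], list[str], bool]:
    """Extract a constructed archive holding one benign entry and three
    hostile ones into a temporary directory. Returns (rejected member names,
    files written relative to dest, whether anything landed outside dest)."""
    archive = build_archive(
        {
            "bundle/template.html": b"<p>benign</p>",
            "../outside.txt": b"escaped",                 # classic tar slip
            "bundle/../../../outside2.txt": b"escaped",   # '..' hidden mid-path
        },
        {"bundle/link": "/etc/passwd"},                   # symlink member
    )
    with tempfile.TemporaryDirectory() as tmp:
        dest = Path(tmp) / "extracted"
        dest.mkdir()
        rejected = safe_extract(archive, dest)
        written = sorted(str(p.relative_to(dest)) for p in dest.rglob("*") if p.is_file())
        escaped = (Path(tmp) / "outside.txt").exists() or (Path(tmp) / "outside2.txt").exists()
    return rejected, written, escaped


if __name__ == "__main__":
    print(demo())
```

The rule in `resolve_within` is deliberately applied after resolution rather than by string matching: a prefix test on the raw string would accept `bundle/../../../outside2.txt` or a directory whose name merely starts with the base name. Since Python 3.12, `tarfile.extractall()` also accepts a `filter="data"` argument that refuses escaping paths and links itself; the explicit check above shows what such a filter must enforce and applies equally to non-archive inputs such as an upload destination built from a request parameter.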
Conclusion
Based on the risks associated with the identified vulnerabilities, the auditors rated the security level as insufficient, because the impact of one of the vulnerabilities (V05 - Path traversal leading to RCE and Docker escape) is significant. Nevertheless, Quarkslab's auditors were unable to uncover any critical vulnerability that could be exploited without authentication, which is a positive point.
Quarkslab was particularly impressed by the quality of the code written by the developers: the code base is very clean and the project structure easy to audit. Quarkslab would like to highlight that Operator Fabric developers have understood the importance of sanitizing user input to guard against classic injection attacks, and that the critical vulnerabilities should not be difficult for them to fix.
Thanks to the good communication between Quarkslab's auditors and the Operator Fabric development team, the vulnerabilities were well understood, and a remediation plan was promptly implemented by the developers. Quarkslab had a successful collaboration with the Operator Fabric development team and OSTIF; working on this project was enriching for both teams.