CRITICAL: Multiple High-Severity Vulnerabilities (Unauthenticated APIs, Cleartext Credentials, Insecure Secrets) #91

@krrish175-byte

Description

Summary:

Methods for authenticated access control, secure credential management, and network isolation are missing or misconfigured across multiple components of the APIS dcoes system. A comprehensive security audit has identified 7 distinct vulnerabilities, ranging from Critical (Unauthenticated Control APIs) and High (Cleartext Transmission of Credentials, Insecure Secrets) to Medium (Weak Crypto, Hardcoded Credentials).

These vulnerabilities allow unauthorized network attackers to manipulate energy deals, intercept administrative passwords, compromise the integrity of the cluster, and access the underlying database.

Vulnerability Details:

  1. Unauthenticated Control APIs (Critical) -
    Component: apis-web
    Location: DealGeneration.java (POST /deal), LogConfiguration.java (POST /log)
    Impact: Critical. Endpoints accept POST requests without any authentication. Attackers can inject fake energy deals or flood the system.
    Evidence: Confirmed via static analysis of api_handler classes.

  2. Cleartext Transmission of Credentials (High) -
    Component: apis-ccc
    Location: exe/config.json, HttpPostPolicyAcquisitionImpl.java
    Impact: High. The default configuration disables SSL ("ssl": false) and the code appends passwords to the HTTP request body in cleartext.
    Evidence: config.json sets port to 8000 (HTTP) and the code constructs password= payloads directly.

  3. Insecure Secrets Handling (High) -
    Component: apis-common
    Location: ApisLauncher.java
    Impact: High. The application decrypts sensitive configuration files and writes them to disk in plaintext during startup, exposing them to local file inclusion (LFI) attacks.
    Evidence: Dynamic verification confirmed BadPaddingException during decryption attempts on disk.

  4. Insecure Network Bindings (High) -
    Component: apis-emulator, mongodb, api-server
    Impact: High. Services bind to 0.0.0.0 (all interfaces) by default, exposing internal debug and database ports to the entire network.
    Evidence: netstat confirmed *.4390 (emulator) and start.sh uses --bind_ip_all (mongo).

  5. Weak Cryptography (Medium) -
    Component: apis-ccc
    Location: HttpPostPolicyAcquisitionImpl.java
    Impact: Medium. The system explicitly relies on MD5 (isMD5Password=true), a cryptographically broken hashing algorithm.
    Evidence: Code review found hardcoded boolean verification for MD5.

  6. Hardcoded Credentials (Medium) -
    Component: apis-web, apis-main
    Location: cluster.xml, config.json
    Impact: Medium. Default passwords (oss_cluster-pass, e001) are hardcoded in configuration files.
    Evidence: Found during static file analysis.

  7. Logic Flaw: Self-Dealing (Low/Medium) -
    Component: apis-main -> DealManagement
    Impact: Low/Medium. A unit can request a deal with itself. While InterlockUtil serendipitously prevents this due to locking, the business logic fails to validate requestUnitId != acceptUnitId.
    Evidence: Code review of startDealCreationService_

Recommended Remediation:

  • Enforce Authentication: Implement a security filter for all apis-web endpoints.
  • Enable SSL/TLS: Switch apis-ccc to use HTTPS by default and remove ssl: false options.
  • Secure Storage: Modify ApisLauncher to keep decrypted secrets in memory only.
  • Localhost Binding: Restrict all services (mongo, emulator) to 127.0.0.1.
  • Upgrade Crypto: Deprecate MD5 in favor of Argon2 or PBKDF2.
  • Sanitize Secrets: Remove hardcoded credentials from the repo.
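As an added example (not code from this issue or from the APIS project), a small audit script that flags the weak settings cited above in a config.json and a start.sh: ssl disabled, isMD5Password, the default passwords named in the report, and mongod started with --bind_ip_all. The key layout and the sample file contents are constructed assumptions, so the walker searches every nesting level rather than fixed paths.

```python
import json
import re

# Default passwords named in the report; the set itself is a constructed lookup.
KNOWN_DEFAULT_PASSWORDS = {"oss_cluster-pass", "e001"}

# Constructed sample inputs: key names follow the report, not a real project file.
SAMPLE_CONFIG_JSON = """{
  "clusterId": "oss_cluster",
  "policyAcquisition": {"host": "localhost", "port": 8000, "ssl": false,
                        "isMD5Password": true, "account": "admin", "password": "e001"}
}"""
SAMPLE_START_SH = "#!/bin/sh\nmongod --bind_ip_all --port 27017 --dbpath /data/db &\n"


def _walk(node, path=""):
    """Yield (dotted_path, key, value) for every key in a nested JSON object."""
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}.{key}" if path else key
            yield here, key, value
            yield from _walk(value, here)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from _walk(item, f"{path}[{i}]")


def audit_config_json(text):
    """Return findings for a config.json document (ssl off, MD5, default passwords)."""
    findings = []
    for path, key, value in _walk(json.loads(text)):
        if key == "ssl" and value is False:
            findings.append(f"{path}: ssl disabled, credentials sent in cleartext (High)")
        elif key == "isMD5Password" and value is True:
            findings.append(f"{path}: MD5 password hashing is cryptographically broken (Medium)")
        elif "pass" in key.lower() and isinstance(value, str) and value in KNOWN_DEFAULT_PASSWORDS:
            findings.append(f"{path}: hardcoded default password (Medium)")
    return findings


def audit_start_sh(text):
    """Return findings for a start.sh that launches mongod on every interface."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        if re.search(r"mongod\b.*--bind_ip_all\b", line):
            findings.append(f"line {n}: mongod --bind_ip_all exposes the database network-wide (High)")
        elif re.search(r"--bind_ip\s+0\.0\.0\.0\b", line):
            findings.append(f"line {n}: mongod bound to 0.0.0.0, all interfaces (High)")
    return findings
```

Run it over the real exe/config.json and start.sh before and after applying the remediation list to confirm the findings disappear.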
