
RustFS Hard-Coded Credentials Scanner

Detects the 'Hard-Coded Credentials' vulnerability in RustFS, which affects versions earlier than 1.0.0-alpha.77.

Short Info

Level: Critical
Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 16 days 10 hours
Scan only one: Domain, Subdomain, IPv4


RustFS is a high-performance distributed file system used by organizations for managing large-scale data. It provides a scalable solution for storage and retrieval of data across distributed systems. RustFS is utilized in environments requiring rapid data access and high availability, such as data centers and cloud storage solutions. The software is valued for its fault tolerance and ability to efficiently manage redundant data locations. Its usage spans both commercial and open-source communities, often deployed in complex data-sharing infrastructures. RustFS supports multiple data access protocols, enhancing its flexibility and integration in diverse IT environments.

The Hard-Coded Credentials vulnerability is a critical security flaw in which fixed credentials are embedded directly in the software. In RustFS versions before 1.0.0-alpha.77, the gRPC authentication token was the hard-coded string "rustfs rpc". Such vulnerabilities allow unauthorized users to reach restricted parts of the software, potentially leading to data leaks or system compromise. Hard-coded credentials are hard to mitigate because removing them requires a software update rather than a configuration change. Exploitation allows attackers to perform actions normally reserved for authenticated users, compounding the potential damage.

This vulnerability in RustFS is located in the gRPC API authentication mechanism, which uses a fixed token for access control. The vulnerable token "rustfs rpc" is embedded in the source code and cannot be changed without recompiling the software. Attackers can exploit this by intercepting network traffic or reverse-engineering the binary to extract the token, then using it to authenticate against the gRPC API. The endpoint targeted by this vulnerability is '/node_service.NodeService/ServerInfo', and the token is carried in the 'authorization' header of the gRPC request. Successful authentication over this channel can lead to unauthorized administrative actions and potential data loss.
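Two defender-side checks follow from the description above: deciding whether a deployed RustFS version falls in the affected range (below 1.0.0-alpha.77, with the SemVer rule that a pre-release sorts before the matching release), and spotting use of the fixed token in the gRPC 'authorization' header in access logs. The example below is added here and is not code from the S4E scanner or the RustFS project; the log line format is constructed for illustration and is not RustFS's real log format. The token, endpoint and fixed version come from the advisory text.

```python
import re
from typing import List, Optional, Tuple

# Values taken from the advisory text.
HARDCODED_TOKEN = "rustfs rpc"
FIXED_VERSION = "1.0.0-alpha.77"
SERVERINFO_METHOD = "/node_service.NodeService/ServerInfo"

Core = Tuple[int, int, int]
Pre = Optional[Tuple[str, int]]


def parse_version(v: str) -> Tuple[Core, Pre]:
    """Parse 'MAJOR.MINOR.PATCH' with an optional '-label.N' pre-release suffix."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)(?:-([A-Za-z]+)\.(\d+))?", v.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {v!r}")
    core = (int(m.group(1)), int(m.group(2)), int(m.group(3)))
    pre = (m.group(4).lower(), int(m.group(5))) if m.group(4) else None
    return core, pre


def is_affected(version: str) -> bool:
    """True when the version is older than the fixed 1.0.0-alpha.77 build."""
    core, pre = parse_version(version)
    fixed_core, fixed_pre = parse_version(FIXED_VERSION)
    if core != fixed_core:
        return core < fixed_core
    # Same core version: a final release (no pre-release tag) is newer than
    # any pre-release of it, so 1.0.0 itself is not affected.
    if pre is None:
        return False
    # Same core and both pre-release: compare label, then number
    # (alpha.76 < alpha.77; beta.1 sorts after alpha.77).
    return pre < fixed_pre


# Constructed sample access-log lines (hypothetical format, not RustFS's own).
SAMPLE_LOG = [
    'method=/node_service.NodeService/ServerInfo peer=10.0.0.5 authorization="rustfs rpc" status=OK',
    'method=/node_service.NodeService/ServerInfo peer=10.0.0.6 authorization="Bearer constructed-token" status=OK',
    'method=/node_service.NodeService/Other peer=203.0.113.9 authorization="rustfs rpc" status=OK',
]

LOG_RE = re.compile(r'method=(\S+)\s+peer=(\S+)\s+authorization="([^"]*)"')


def find_hardcoded_token_use(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (peer, method) for every request that presented the fixed token."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if m and m.group(3) == HARDCODED_TOKEN:
            hits.append((m.group(2), m.group(1)))
    return hits


def serverinfo_hits(lines: List[str]) -> List[Tuple[str, str]]:
    """Narrow the hits to the ServerInfo endpoint named in the advisory."""
    return [h for h in find_hardcoded_token_use(lines) if h[1] == SERVERINFO_METHOD]


if __name__ == "__main__":
    for v in ("0.9.9", "1.0.0-alpha.76", "1.0.0-alpha.77", "1.0.0"):
        print(f"{v:16} affected={is_affected(v)}")
    for peer, method in find_hardcoded_token_use(SAMPLE_LOG):
        print(f"fixed token presented by {peer} to {method}")
```

The version check treats any use of the fixed token as a finding, regardless of endpoint, because the token grants the same access wherever it is accepted; the endpoint filter is kept separately so the ServerInfo probe this scanner performs can be correlated with the wider sweep.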

When exploited, this vulnerability gives an attacker full administrative access to the RustFS installation, including the ability to read, write, and delete any stored data, with possible data corruption or loss. Such access bypasses the normal authentication and authorization controls and poses a significant security risk to the organization. Exploitation of this kind can cause operational disruption, financial damage, and compliance breaches, and a persistent attacker could use the access to implant backdoors or compromise the wider network.
