lanced00m
commented
6 months ago Hello, I want to participate here. is this a critical score plugin? because there is no CVE.
Closed maoning closed 3 months ago
lanced00m
commented
6 months ago Hello, I want to participate here. is this a critical score plugin? because there is no CVE.
maoning
commented
6 months ago Hi @lanced00m,
Yes, this is a critical score plugin. For Tsunami, we are not entirely limited to CVE scores, as a lot of common misconfigurations like weak credential & exposed UI lead to direct compromises.
You can start working on this and please complete the following tasks:
lanced00m
commented
6 months ago Vulnerability research of types of auth MLflow supports and how to do password checking against them
There is no authentication method other than basic authentication, mlflow has an API for extending authentication to a custom method.
from the source code and documents, I discovered these usernames and passwords: user_a/password_a user_b/password_b admin/password username/password user1/pw1
the default permission for every user is at least read. please let me know what kind of post-authentication check I can do because I can see many options here: https://mlflow.org/docs/latest/auth/index.html#permissions. Because we can have other than admin users with the above weak credentials I guess we should select a common endpoint that is available for most of the user types. however as it is a basic authentication, I guess we can check any random HTTP endpoint.
the basic authentication is added in version 2.5.0, so this plugin will detect the older versions ( which don't have authentication at all) as weak authentication because the basic authentication is just an HTTP header, and sending an additional HTTP header to older mlflow UI versions don't change anything and allow us to retrieve contents without any problem.
maoning
commented
6 months ago @lanced00m let's test for admin access & write access, ideally there's an admin endpoint you can use for testing. If write access is easy to test via an endpoint, please include it as well.
Please make sure that the default credentials are added to https://github.com/google/tsunami-security-scanner-plugins/blob/master/google/detectors/credentials/generic_weak_credential_detector/src/main/resources/detectors/credentials/genericweakcredentialdetector/data/service_default_credentials.textproto
And you can check existing http based testers like https://github.com/google/tsunami-security-scanner-plugins/blob/master/google/detectors/credentials/generic_weak_credential_detector/src/main/java/com/google/tsunami/plugins/detectors/credentials/genericweakcredentialdetector/testers/jenkins/JenkinsCredentialTester.java as prior examples.
maoning
commented
6 months ago @lanced00m See https://github.com/google/security-testbeds/pull/36#issuecomment-2024310210 for my comment on your testbed submission. Could you provide the config that allows user to overwrite the default username/password as well? This would allow reviewer of your plugin to easily test out both vulnerable and secure version of the MLflow.
Other than this, everything looks good. You can continue with the implementation.
maoning
commented
4 months ago Hi @lanced00m ,
Your PR has been merged. This usually means a reward will be granted. Google will start the internal QC process and the reward amount will be determined based on the quality of the detector report. Please be patient and allow up to a week for the QC process to finish. You'll be notified once the decision is made.
Thanks!
lanced00m
commented
3 months ago could you please provide an update on the current status of this issue? The most recent comment mentions:
Please be patient and allow up to a week for the QC process to finish.
I'm looking forward to hearing about the progress. Thank you for your efforts.
CC: @tooryx @maoning
maoning
commented
3 months ago @lanced00m Thank you for the contribution, the reward has been granted!
Create a new weak credential tester for MLflow auth: https://mlflow.org/docs/latest/auth/index.html#authenticating-to-mlflow