
CRITICAL: Multiple Security Vulnerabilities (Hardcoded Credentials, Insecure Bindings, No Auth) #90

@krrish175-byte

Description

Severity: Critical Affected Components: apis-main, apis-web, apis-common, mongodb

Summary

A security audit of the codebase has revealed multiple critical vulnerabilities that leave the system completely exposed to unauthorized access and control. These issues effectively allow any attacker on the network to take full control of the energy management system, access the database, and manipulate battery/power exchanges.

Critical Vulnerabilities

  1. Hardcoded Credentials
    Multiple configuration files contain hardcoded sensitive credentials.

Locations:
    • apis-web/exe/cluster.xml: contains oss_cluster-pass and thepass.
    • apis-web/exe/cluster-mac.xml: contains my-secret-key.
    • apis-main/exe/config.json: contains password e001.

Impact: Attackers can join the Hazelcast cluster or authenticate as admin if they have network access.

  2. Insecure Network Bindings
    The mongodb and api-server are configured to listen on all network interfaces (0.0.0.0) by default.

Locations:
    • mongodb/start.sh: uses --bind_ip_all.
    • apis-web/src/.../ApiServer.java: binds to default Vert.x host (0.0.0.0).

Impact: The database and API endpoints are exposed to the entire local network (or internet, if not firewalled), bypassing any local-only assumptions.

  3. Missing Authentication on Control APIs
    Critical control endpoints in apis-web lack any form of authentication or authorization.

Locations:
    • DealGeneration.java (POST /deal): Allows unauthenticated injection of energy deals.
    • LogConfiguration.java (POST /log): Allows unauthenticated modification of log levels.

Impact: Attackers can freely manipulate energy sharing logic and disrupt system observability.

  4. Insecure Secrets Handling
    The ApisLauncher decrypts secret files to the filesystem at runtime and only deletes them on shutdown.

Location: apis-common/.../ApisLauncher.java

Impact: Unencrypted secrets persist on disk during runtime (and after crashes), making them vulnerable to local file inclusion or access attacks.

Recommendations

  1. Immediate Mitigation:

    • Change mongodb and ApiServer to bind to 127.0.0.1 (localhost) only.
    • Remove --bind_ip_all from start scripts.
  2. Remediation:

    • Externalize Secrets: Remove all hardcoded passwords from the codebase. Use environment variables or a secure configuration management system.
    • Implement Authentication: Add an authentication layer (e.g., JWT, Basic Auth) to all apis-web endpoints.
    • Secure Secrets: Modify ApisLauncher to keep decrypted secrets in memory only, never writing them to disk.
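A hardened sketch of the ApiServer setup the recommendations describe, as an added example that is not the project's own code: it binds the Vert.x HTTP server explicitly to 127.0.0.1 and gates POST /deal and POST /log behind a bearer token read from the environment instead of a checked-in file. The APIS_WEB_TOKEN variable name, the port, the class name and the Vert.x-Web imports are assumptions.

```java
import io.vertx.core.Vertx;
import io.vertx.core.http.HttpServerOptions;
import io.vertx.ext.web.Router;
import io.vertx.ext.web.RoutingContext;
import io.vertx.ext.web.handler.BodyHandler;

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

public class HardenedApiServerExample {

    // Assumption: the shared secret is supplied via environment, never from a file in the repo.
    private static final String EXPECTED_TOKEN = System.getenv("APIS_WEB_TOKEN");

    public static void main(String[] args) {
        if (EXPECTED_TOKEN == null || EXPECTED_TOKEN.isEmpty()) {
            // Refuse to start without a secret rather than fall back to an open endpoint.
            throw new IllegalStateException("APIS_WEB_TOKEN is not set");
        }
        Vertx vertx = Vertx.vertx();
        Router router = Router.router(vertx);
        router.route().handler(BodyHandler.create());

        // Authentication gate registered before the real handlers of each control endpoint.
        router.post("/deal").handler(HardenedApiServerExample::requireToken);
        router.post("/log").handler(HardenedApiServerExample::requireToken);

        // Placeholder business handlers standing in for DealGeneration / LogConfiguration.
        router.post("/deal").handler(ctx -> ctx.response().end("deal accepted"));
        router.post("/log").handler(ctx -> ctx.response().end("log level updated"));

        // Bind to loopback explicitly instead of relying on the Vert.x default of 0.0.0.0.
        HttpServerOptions opts = new HttpServerOptions().setHost("127.0.0.1").setPort(8080);
        vertx.createHttpServer(opts).requestHandler(router).listen();
    }

    // Rejects the request with 401 unless it carries the expected bearer token.
    static void requireToken(RoutingContext ctx) {
        String header = ctx.request().getHeader("Authorization");
        if (header != null && header.startsWith("Bearer ")
                && constantTimeEquals(header.substring("Bearer ".length()), EXPECTED_TOKEN)) {
            ctx.next();
        } else {
            ctx.response().setStatusCode(401).end();
        }
    }

    // Constant-time comparison so the token cannot be guessed byte by byte via timing.
    static boolean constantTimeEquals(String a, String b) {
        return MessageDigest.isEqual(a.getBytes(StandardCharsets.UTF_8), b.getBytes(StandardCharsets.UTF_8));
    }
}
```

Keeping the 127.0.0.1 bind and the token check together matters: the bind limits who can reach the endpoints, and the token check still protects them from any process that shares the host.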
