[PR #90] [Security] Fix CRITICAL vulnerability: V-001 #136

New issue

Open

opened 2026-03-13 19:59:17 +03:00 by kerem · 0 comments

kerem commented

2026-03-13 19:59:17 +03:00

Owner

📋 Pull Request Information

Original PR: https://github.com/agrinman/tunnelto/pull/90
Author: @orbisai0security
Created: 12/28/2025
Status: 🔄 Open

Base: master ← Head: fix-v-001-tunnelto-server-src-config.rs

📝 Commits (1)

f9ea2ff fix: resolve critical vulnerability V-001

📊 Changes

3 files changed (+33 additions, -1 deletions)

View changed files

📝 tunnelto_server/src/config.rs (+25 -1)
📝 tunnelto_server/src/main.rs (+5 -0)
📝 tunnelto_server/src/network/server.rs (+3 -0)

📄 Description

Security Fix

This PR addresses a CRITICAL severity vulnerability detected by our security scanner.

Security Impact Assessment

Aspect	Rating	Rationale
Impact	High	In the Tunnelto repository, which provides a tunneling service for exposing local servers, exposure of API and secret keys could allow attackers to bypass authentication, impersonate legitimate clients, or intercept/manipulate tunneled traffic, leading to unauthorized access to sensitive local services or data breaches of exposed applications.
Likelihood	Medium	Exploitation requires an attacker to gain access to the server's environment variables, configuration files, or process memory, which is feasible in misconfigured or compromised deployments but not trivial given Tunnelto's typical use for personal or development tunneling where servers may not be highly targeted.
Ease of Fix	Hard	Remediation would require implementing encrypted storage for configuration files or integrating a secure key management system, necessitating architectural changes to the config.rs module, potential dependency updates for encryption libraries, and extensive testing to avoid breaking authentication and tunneling functionality.

Evidence: Proof-of-Concept Exploitation Demo

⚠️ For Educational/Security Awareness Only

This demonstration shows how the vulnerability could be exploited to help you understand its severity and prioritize remediation.

How This Vulnerability Can Be Exploited

The vulnerability in tunnelto_server/src/config.rs allows sensitive API keys and secret keys to be loaded from environment variables or configuration files and stored in memory as plain text strings without any encryption or secure handling. An attacker who gains initial access to the server (e.g., via SSH compromise, container breakout, or another vulnerability) can exploit this by dumping the process memory to extract these keys, enabling unauthorized use of the tunneling service to create tunnels, intercept traffic, or impersonate legitimate clients.

# Step 1: Assume attacker has gained shell access to the server running tunnelto_server
# (This could be via SSH, a web vulnerability, or container compromise - prerequisite access is needed)

# Step 2: Identify the PID of the tunnelto_server process
ps aux | grep tunnelto_server
# Example output: root     12345  0.1  0.5  45678  23456 ?  Ssl  10:00   0:05 /usr/bin/tunnelto_server

# Step 3: Use gcore (part of gdb) to dump the process memory to a file
# This requires gdb to be installed on the system
gcore 12345  # Replace 12345 with actual PID from step 2
# This creates a core dump file named 'core.12345'

# Step 4: Extract readable strings from the core dump and search for the keys
# The keys are stored as plain strings in memory, so strings will reveal them
strings core.12345 | grep -E "(auth|secret|key)" | head -20
# Look for patterns like "authentication_key_value_here" or "secret_key_value_here"
# Example output might include: authentication_key=abcd1234efgh5678, secret_key=ijkl9012mnop3456

# Step 5: Use extracted keys to exploit the service
# With the keys, attacker can now interact with the tunnelto API or client
# For example, if the auth key is used for client authentication, set it as env var and run client
export TUNNELTO_AUTH_KEY=abcd1234efgh5678  # Replace with extracted key
export TUNNELTO_SECRET_KEY=ijkl9012mnop3456  # Replace with extracted key
tunnelto --port 8080  # Creates an unauthorized tunnel, potentially exposing attacker's local service
# Or, if the server has an API endpoint, use the keys to make authenticated requests to control tunnels
curl -H "Authorization: Bearer abcd1234efgh5678" https://tunnelto-server.example.com/api/tunnels

If environment variables are directly accessible (e.g., in a container without proper isolation), a simpler exploit could involve reading them directly:

# Direct env var reading if shell access allows
echo $TUNNELTO_AUTH_KEY  # Assuming this is the env var name based on code structure
echo $TUNNELTO_SECRET_KEY
# Output: abcd1234efgh5678, ijkl9012mnop3456

Exploitation Impact Assessment

Impact Category	Severity	Description
Data Exposure	High	The authentication and secret keys are directly exposed, allowing attackers to access and control all active tunnels managed by the server. This could lead to interception of user traffic through tunnels (e.g., exposing private APIs, databases, or web apps behind tunnels), potentially leaking sensitive user data like credentials, personal information, or business secrets if tunnels are used for internal services.
System Compromise	Medium	With the keys, attackers gain effective control over the tunneling service but not direct system access. They could execute arbitrary tunnel creations or modifications, but escalation to full host compromise would require chaining with other vulnerabilities (e.g., if tunnels expose vulnerable services). No direct code execution on the server is enabled by this vuln alone.
Operational Impact	High	Attackers could flood the server with unauthorized tunnels, exhausting resources (CPU, bandwidth, ports) and causing denial-of-service for legitimate users. The server might become unresponsive, requiring restarts or scaling adjustments, with potential downtime lasting hours to days depending on monitoring and auto-scaling setup.
Compliance Risk	High	Violates security best practices like OWASP Top 10 A05:2021 (Security Misconfiguration) and could breach GDPR if tunnels expose EU user data without proper access controls. For regulated industries (e.g., if used in fintech or healthcare deployments), it risks PCI-DSS or HIPAA non-compliance by enabling unauthorized data access, potentially triggering audits, fines, or legal action.

Vulnerability Details

Rule ID: V-001
File: tunnelto_server/src/config.rs
Description: API keys and secret keys are loaded from environment variables or configuration files without encryption in tunnelto_server/src/config.rs. The authentication_key() method at line 33 and secret_key() method at line 66 retrieve sensitive credentials from plain environment variables or unencrypted configuration fields. These keys are stored in memory as plain strings without any encryption or secure storage mechanism.

Changes Made

This automated fix addresses the vulnerability by applying security best practices.

Files Modified

tunnelto_server/src/config.rs
tunnelto_server/src/main.rs
tunnelto_server/src/network/server.rs

Verification

This fix has been automatically verified through:

✅ Build verification
✅ Scanner re-scan
✅ LLM code review

🤖 This PR was automatically generated.

_{🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.}

## 📋 Pull Request Information **Original PR:** https://github.com/agrinman/tunnelto/pull/90 **Author:** [@orbisai0security](https://github.com/orbisai0security) **Created:** 12/28/2025 **Status:** 🔄 Open **Base:** `master` ← **Head:** `fix-v-001-tunnelto-server-src-config.rs` --- ### 📝 Commits (1) - [`f9ea2ff`](https://github.com/agrinman/tunnelto/commit/f9ea2ffe78f0a0a7f489df88ceb001553603d3d0) fix: resolve critical vulnerability V-001 ### 📊 Changes **3 files changed** (+33 additions, -1 deletions) <details> <summary>View changed files</summary> 📝 `tunnelto_server/src/config.rs` (+25 -1) 📝 `tunnelto_server/src/main.rs` (+5 -0) 📝 `tunnelto_server/src/network/server.rs` (+3 -0) </details> ### 📄 Description ## Security Fix This PR addresses a **CRITICAL** severity vulnerability detected by our security scanner. ### Security Impact Assessment | Aspect | Rating | Rationale | |--------|--------|-----------| | Impact | High | In the Tunnelto repository, which provides a tunneling service for exposing local servers, exposure of API and secret keys could allow attackers to bypass authentication, impersonate legitimate clients, or intercept/manipulate tunneled traffic, leading to unauthorized access to sensitive local services or data breaches of exposed applications. | | Likelihood | Medium | Exploitation requires an attacker to gain access to the server's environment variables, configuration files, or process memory, which is feasible in misconfigured or compromised deployments but not trivial given Tunnelto's typical use for personal or development tunneling where servers may not be highly targeted. | | Ease of Fix | Hard | Remediation would require implementing encrypted storage for configuration files or integrating a secure key management system, necessitating architectural changes to the config.rs module, potential dependency updates for encryption libraries, and extensive testing to avoid breaking authentication and tunneling functionality. | ### Evidence: Proof-of-Concept Exploitation Demo **⚠️ For Educational/Security Awareness Only** This demonstration shows how the vulnerability could be exploited to help you understand its severity and prioritize remediation. #### How This Vulnerability Can Be Exploited The vulnerability in tunnelto_server/src/config.rs allows sensitive API keys and secret keys to be loaded from environment variables or configuration files and stored in memory as plain text strings without any encryption or secure handling. An attacker who gains initial access to the server (e.g., via SSH compromise, container breakout, or another vulnerability) can exploit this by dumping the process memory to extract these keys, enabling unauthorized use of the tunneling service to create tunnels, intercept traffic, or impersonate legitimate clients. The vulnerability in tunnelto_server/src/config.rs allows sensitive API keys and secret keys to be loaded from environment variables or configuration files and stored in memory as plain text strings without any encryption or secure handling. An attacker who gains initial access to the server (e.g., via SSH compromise, container breakout, or another vulnerability) can exploit this by dumping the process memory to extract these keys, enabling unauthorized use of the tunneling service to create tunnels, intercept traffic, or impersonate legitimate clients. ```bash # Step 1: Assume attacker has gained shell access to the server running tunnelto_server # (This could be via SSH, a web vulnerability, or container compromise - prerequisite access is needed) # Step 2: Identify the PID of the tunnelto_server process ps aux | grep tunnelto_server # Example output: root 12345 0.1 0.5 45678 23456 ? Ssl 10:00 0:05 /usr/bin/tunnelto_server # Step 3: Use gcore (part of gdb) to dump the process memory to a file # This requires gdb to be installed on the system gcore 12345 # Replace 12345 with actual PID from step 2 # This creates a core dump file named 'core.12345' # Step 4: Extract readable strings from the core dump and search for the keys # The keys are stored as plain strings in memory, so strings will reveal them strings core.12345 | grep -E "(auth|secret|key)" | head -20 # Look for patterns like "authentication_key_value_here" or "secret_key_value_here" # Example output might include: authentication_key=abcd1234efgh5678, secret_key=ijkl9012mnop3456 # Step 5: Use extracted keys to exploit the service # With the keys, attacker can now interact with the tunnelto API or client # For example, if the auth key is used for client authentication, set it as env var and run client export TUNNELTO_AUTH_KEY=abcd1234efgh5678 # Replace with extracted key export TUNNELTO_SECRET_KEY=ijkl9012mnop3456 # Replace with extracted key tunnelto --port 8080 # Creates an unauthorized tunnel, potentially exposing attacker's local service # Or, if the server has an API endpoint, use the keys to make authenticated requests to control tunnels curl -H "Authorization: Bearer abcd1234efgh5678" https://tunnelto-server.example.com/api/tunnels ``` If environment variables are directly accessible (e.g., in a container without proper isolation), a simpler exploit could involve reading them directly: ```bash # Direct env var reading if shell access allows echo $TUNNELTO_AUTH_KEY # Assuming this is the env var name based on code structure echo $TUNNELTO_SECRET_KEY # Output: abcd1234efgh5678, ijkl9012mnop3456 ``` #### Exploitation Impact Assessment | Impact Category | Severity | Description | |-----------------|----------|-------------| | Data Exposure | High | The authentication and secret keys are directly exposed, allowing attackers to access and control all active tunnels managed by the server. This could lead to interception of user traffic through tunnels (e.g., exposing private APIs, databases, or web apps behind tunnels), potentially leaking sensitive user data like credentials, personal information, or business secrets if tunnels are used for internal services. | | System Compromise | Medium | With the keys, attackers gain effective control over the tunneling service but not direct system access. They could execute arbitrary tunnel creations or modifications, but escalation to full host compromise would require chaining with other vulnerabilities (e.g., if tunnels expose vulnerable services). No direct code execution on the server is enabled by this vuln alone. | | Operational Impact | High | Attackers could flood the server with unauthorized tunnels, exhausting resources (CPU, bandwidth, ports) and causing denial-of-service for legitimate users. The server might become unresponsive, requiring restarts or scaling adjustments, with potential downtime lasting hours to days depending on monitoring and auto-scaling setup. | | Compliance Risk | High | Violates security best practices like OWASP Top 10 A05:2021 (Security Misconfiguration) and could breach GDPR if tunnels expose EU user data without proper access controls. For regulated industries (e.g., if used in fintech or healthcare deployments), it risks PCI-DSS or HIPAA non-compliance by enabling unauthorized data access, potentially triggering audits, fines, or legal action. | ### Vulnerability Details - **Rule ID**: `V-001` - **File**: `tunnelto_server/src/config.rs` - **Description**: API keys and secret keys are loaded from environment variables or configuration files without encryption in tunnelto_server/src/config.rs. The authentication_key() method at line 33 and secret_key() method at line 66 retrieve sensitive credentials from plain environment variables or unencrypted configuration fields. These keys are stored in memory as plain strings without any encryption or secure storage mechanism. ### Changes Made This automated fix addresses the vulnerability by applying security best practices. ### Files Modified - `tunnelto_server/src/config.rs` - `tunnelto_server/src/main.rs` - `tunnelto_server/src/network/server.rs` ### Verification This fix has been automatically verified through: - ✅ Build verification - ✅ Scanner re-scan - ✅ LLM code review 🤖 This PR was automatically generated. --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>