RustFS Denial-of-Service Vulnerability in gRPC GetMetrics Handling

Vulnerability

A denial-of-service vulnerability has been identified in RustFS, a distributed object storage system, affecting versions 1.0.0-alpha.13 prior to 1.0.0-alpha.77. The issue arises in the gRPC GetMetrics request handling, where malformed requests lead to a panic in the server. This panic occurs because the handler unconditionally unwraps the deserialization of 'metric_type' and 'opts', allowing remote attackers to disrupt the metrics service by causing the server to crash. The vulnerability can be exploited by sending invalid deserialization payloads, such as empty or truncated data, which triggers a panic and terminates the handling thread, causing a temporary outage of the metrics endpoint.
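The pattern described above, an unconditional `unwrap()` on the deserialization of request fields, is shown below beside its hardened form. This is an added illustrative example, not RustFS code: the `GetMetricsRequest` and `Status` types, the `MetricType` variants, the `key=value;...` encoding assumed for `opts`, and all function names are assumptions made for this example and do not reflect RustFS's actual API. The example uses only the Rust standard library so it runs offline.

```rust
// Added illustrative example (not RustFS code): an "unwrap on untrusted
// input" gRPC-style handler beside its hardened form. The Status type, the
// MetricType enum, the option encoding and all names are assumptions.
use std::collections::HashMap;

/// Stand-in for the gRPC status returned to the client (assumed shape).
#[derive(Debug, PartialEq)]
pub enum Status {
    InvalidArgument(String),
}

/// Stand-in for the wire request: both fields arrive raw and still have to
/// be deserialized inside the handler.
#[derive(Debug, Clone)]
pub struct GetMetricsRequest {
    pub metric_type: String,
    pub opts: Vec<u8>,
}

#[derive(Debug, PartialEq, Clone, Copy)]
pub enum MetricType {
    Cpu,
    Memory,
    Disk,
}

/// Deserialize the metric type; an empty or unknown name is an error, not a panic.
pub fn parse_metric_type(raw: &str) -> Result<MetricType, String> {
    match raw {
        "cpu" => Ok(MetricType::Cpu),
        "memory" => Ok(MetricType::Memory),
        "disk" => Ok(MetricType::Disk),
        "" => Err("metric_type is empty".to_string()),
        other => Err(format!("unknown metric_type {:?}", other)),
    }
}

/// Deserialize `opts` from an assumed `key=value;key=value` encoding.
/// Truncated input (a pair with no `=`) or non-UTF-8 bytes is an error.
pub fn parse_opts(raw: &[u8]) -> Result<HashMap<String, String>, String> {
    let text = std::str::from_utf8(raw).map_err(|e| format!("opts not utf-8: {e}"))?;
    let mut out = HashMap::new();
    for pair in text.split(';').filter(|p| !p.is_empty()) {
        let (k, v) = pair
            .split_once('=')
            .ok_or_else(|| format!("truncated option {:?}", pair))?;
        out.insert(k.to_string(), v.to_string());
    }
    Ok(out)
}

/// Vulnerable pattern: the handler unwraps both deserializations, so any
/// malformed request panics the task that is serving it.
pub fn get_metrics_vulnerable(req: &GetMetricsRequest) -> String {
    let metric_type = parse_metric_type(&req.metric_type).unwrap();
    let opts = parse_opts(&req.opts).unwrap();
    format!("{:?} with {} option(s)", metric_type, opts.len())
}

/// Hardened pattern: propagate the deserialization error as an
/// INVALID_ARGUMENT status. The client gets a clean error and the server
/// keeps serving the next request.
pub fn get_metrics_hardened(req: &GetMetricsRequest) -> Result<String, Status> {
    let metric_type = parse_metric_type(&req.metric_type).map_err(Status::InvalidArgument)?;
    let opts = parse_opts(&req.opts).map_err(Status::InvalidArgument)?;
    Ok(format!("{:?} with {} option(s)", metric_type, opts.len()))
}

fn main() {
    // Constructed requests: one valid, one with an empty metric_type,
    // one with a truncated opts payload.
    let good = GetMetricsRequest { metric_type: "cpu".into(), opts: b"interval=5".to_vec() };
    let empty_type = GetMetricsRequest { metric_type: String::new(), opts: b"interval=5".to_vec() };
    let truncated = GetMetricsRequest { metric_type: "disk".into(), opts: b"interval".to_vec() };

    for req in [&good, &empty_type, &truncated] {
        // The hardened handler never panics; malformed input becomes a status.
        println!("hardened: {:?}", get_metrics_hardened(req));
    }
    // Show the crash without taking the process down: catch the panic the
    // vulnerable handler raises on the malformed request.
    let crashed = std::panic::catch_unwind(|| get_metrics_vulnerable(&empty_type)).is_err();
    println!("vulnerable handler panicked on empty metric_type: {crashed}");
}
```

The fix is purely in error propagation: every `?` in the hardened handler replaces an `unwrap()`, so a client-controlled field can only ever produce an error response. A useful review check for this class of bug is to grep gRPC/HTTP handlers for `unwrap()` and `expect(` on values derived from the request and confirm each one is replaced by a mapped status.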

Impact

Exploitation of this vulnerability causes a panic in the gRPC handler, terminating the worker thread and disrupting the metrics service. Whether the interruption also destabilizes the whole process depends on how the runtime handles the panic.

Reproduction

To reproduce this vulnerability, upload the provided proof-of-concept file 'rustfs-grpc-metrics-invalid-metric-type-panic-poc.tar.gz' to a RustFS instance running version 1.0.0-alpha.13 through 1.0.0-alpha.77. The service should be started with default access and secret keys, and the gRPC endpoint should be accessible on port 9000. Once the server is running, send a GetMetrics request with an invalid metric_type payload, such as an empty string or a malformed option. The server will panic and crash, disrupting the metrics service.

Remediation

Users can upgrade to RustFS version 1.0.0-alpha.78 to address this vulnerability.

Added: Jan 7, 2026, 9:25 PM
Updated: Jan 7, 2026, 9:25 PM

Vulnerability Rating

Custom Algorithm

spread          0.0
impact          2.5
exploitability  8.7
remediation     7.7
relevance       1.9
threat          6.4
urgency         2.9
incentive       5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.