Security audit — full code review & offensive assessment
Type: tracking issue (meta) · Scope: self-assessment by maintainers
Goal
Conduct a structured security review of nebula-mgmt and nebula-agent,
combining a full source audit with an attacker-centric assessment. We treat
the control plane as a high-value target: it holds CA private keys, operator
credentials, enrollment tokens, and the authority to sign certificates that
grant access to the overlay network.
Threat objectives under test
- Key extraction — recover CA private key material or the master KEK
(NEBULA_MGMT_MASTER_KEY) at rest or at runtime.
- Host management takeover — issue, revoke, or rotate certificates or
alter firewall rules without proper authorization.
- Network access — obtain a signed host certificate and reach another
user's devices on the mesh.
- Tenant isolation break — escalate from a non-admin operator to all
operators' CAs and hosts ("all users on the server").
Methodology
- STRIDE threat model per entry point (management API, web UI, agent
enroll/poll, OIDC, CLI, config).
- Source audit per package (auth, pki, keystore, api, store, web, agent,
ratelimit, config) — authz boundaries, crypto, input validation,
injection, secrets handling.
- Offensive testing against a local instance: auth bypass, token reuse,
IDOR/tenancy break, certificate-issuance abuse, enrollment forgery.
- Tooling baseline: govulncheck, gosec, golangci-lint, generative fuzzing
(ADR 0009).
Reporting
- This issue tracks progress and methodology only.
- Confirmed vulnerabilities are reported privately via
GitHub Security Advisories (see SECURITY.md) and fixed before disclosure.
- Negative results (attempted-and-failed attacks) are documented to record
what the design already withstands.
Checklist
Security audit — full code review & offensive assessment
Type: tracking issue (meta) · Scope: self-assessment by maintainers
Goal
Conduct a structured security review of
nebula-mgmtandnebula-agent,combining a full source audit with an attacker-centric assessment. We treat
the control plane as a high-value target: it holds CA private keys, operator
credentials, enrollment tokens, and the authority to sign certificates that
grant access to the overlay network.
Threat objectives under test
(
NEBULA_MGMT_MASTER_KEY) at rest or at runtime.alter firewall rules without proper authorization.
user's devices on the mesh.
operators' CAs and hosts ("all users on the server").
Methodology
enroll/poll, OIDC, CLI, config).
ratelimit, config) — authz boundaries, crypto, input validation,
injection, secrets handling.
IDOR/tenancy break, certificate-issuance abuse, enrollment forgery.
(ADR 0009).
Reporting
GitHub Security Advisories (see SECURITY.md) and fixed before disclosure.
what the design already withstands.
Checklist