Skip to content

Security audit — full code review & offensive assessment #178

Description

@juev

Security audit — full code review & offensive assessment

Type: tracking issue (meta) · Scope: self-assessment by maintainers

Goal

Conduct a structured security review of nebula-mgmt and nebula-agent,
combining a full source audit with an attacker-centric assessment. We treat
the control plane as a high-value target: it holds CA private keys, operator
credentials, enrollment tokens, and the authority to sign certificates that
grant access to the overlay network.

Threat objectives under test

  1. Key extraction — recover CA private key material or the master KEK
    (NEBULA_MGMT_MASTER_KEY) at rest or at runtime.
  2. Host management takeover — issue, revoke, or rotate certificates or
    alter firewall rules without proper authorization.
  3. Network access — obtain a signed host certificate and reach another
    user's devices on the mesh.
  4. Tenant isolation break — escalate from a non-admin operator to all
    operators' CAs and hosts ("all users on the server").

Methodology

  • STRIDE threat model per entry point (management API, web UI, agent
    enroll/poll, OIDC, CLI, config).
  • Source audit per package (auth, pki, keystore, api, store, web, agent,
    ratelimit, config) — authz boundaries, crypto, input validation,
    injection, secrets handling.
  • Offensive testing against a local instance: auth bypass, token reuse,
    IDOR/tenancy break, certificate-issuance abuse, enrollment forgery.
  • Tooling baseline: govulncheck, gosec, golangci-lint, generative fuzzing
    (ADR 0009).

Reporting

  • This issue tracks progress and methodology only.
  • Confirmed vulnerabilities are reported privately via
    GitHub Security Advisories (see SECURITY.md) and fixed before disclosure.
  • Negative results (attempted-and-failed attacks) are documented to record
    what the design already withstands.

Checklist

Metadata

Metadata

Assignees

Labels

securitySecurity-related

Type

No type

Fields

No fields configured for issues without a type.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions