A few years back, CNCF began performing and open sourcing third-party security audits for projects to improve the overall security of our ecosystem. These audits have helped identify security issues, from general weaknesses to critical vulnerabilities, and given project maintainers a roadmap for addressing the identified vulnerabilities and adding documentation to help users.
Most recently, Cure53 completed an audit of SPIRE, part of the SPIFFE project. SPIRE (the SPIFFE Runtime Environment) is a toolchain of APIs for establishing trust between software systems across a wide variety of hosting platforms. The audit was completed in early 2021 and open sourced in mid-2021.
The audit focused on three areas: the security posture of the SPIRE project and software complex, a source code audit of the SPIRE code base, and a penetration test against a SPIRE deployment.
The audit found that SPIRE is a secure project created with security in mind. The Cure53 team did not find any severe (or Critical) security flaws within the project. It did find a couple of minor vulnerabilities and implementation issues worth fixing, rated medium to high, including:
- CVE-2021-27099: Path normalization in SPIFFE ID allows impersonation (Medium)
- CVE-2021-27098: Server impersonation through legacy node API (High)
According to the Cure53 team, “the codebase, together with its extensive documentation, is very clean, well-structured and easy to follow. Despite the fact that there are some weaknesses here and there, like outdated third-party libraries (see SPI-01-005), or lacking input validation (as in [CVE-2021-27099]), the overall quality of the whole project can be judged as quite mature.”
“Overall, we were very pleased with both the process and the outcome of this audit,” said Evan Gilman, SPIRE project maintainer. “Not only were we provided with valuable feedback that helped us to improve the quality of the SPIRE software and processes, but we were also able to validate that our approach to this difficult and security-critical problem space is sound and stands up to close scrutiny.”