Skip to content

security_audit_report_2026_04_07_session17.md

Latest commit

 

History

History
367 lines (277 loc) · 10.7 KB

security_audit_report_2026_04_07_session17.md

File metadata and controls

367 lines (277 loc) · 10.7 KB

Security Audit Report: terraphim-ai

Session 17 - 2026-04-07

Status: 🔴 FAIL Timestamp: 2026-04-07 10:30 CEST Auditor: Vigil, Security Engineer (SFIA Level 5) Project: terraphim-ai (terraphim/terraphim-ai)

Executive Summary

Seventeenth consecutive security audit confirms CRITICAL vulnerabilities remain unresolved:

  1. RUSTSEC-2026-0049: rustls-webpki 0.102.8 CVE (CRL matching bypass)
  2. Port 3456 Exposed: Listening on 0.0.0.0 (all network interfaces)
  3. RUSTSEC-2025-0141: bincode unmaintained library (WARNING)

Status: NO CODE CHANGES addressing these issues. Zero remediation attempts detected since Session 16.

Critical Findings

1. RUSTSEC-2026-0049: rustls-webpki Certificate Revocation Bypass

Severity: 🔴 CRITICAL

Attribute Value
CVE ID RUSTSEC-2026-0049
Title CRLs not considered authoritative by Distribution Point due to faulty matching logic
Affected Version 0.102.8 (current in Cargo.lock)
Fixed Version >=0.103.10
Published 2026-03-20
Category Privilege escalation
Impact Certificate Revocation Lists not properly validated

Vulnerability Details:

  • Multiple distribution points in X.509 certificates: only first is validated
  • Subsequent distribution points ignored
  • Revoked certificates accepted as valid
  • Affects TLS/HTTPS client authentication

Dependency Chain:

serenity 0.12.5
  └─ tokio-tungstenite 0.21.0
     └─ rustls 0.22.4
        └─ rustls-webpki 0.102.8 [VULNERABLE]

Verification Evidence:

$ cargo audit
Crate:     rustls-webpki
Version:   0.102.8
Title:     CRLs not considered authoritative by Distribution Point due to faulty matching logic
Date:      2026-03-20
ID:        RUSTSEC-2026-0049
Solution:  Upgrade to >=0.103.10

Persistence: 17 consecutive audit sessions, UNRESOLVED

2. Port 3456 Exposed to All Interfaces

Severity: 🔴 CRITICAL

Attribute Value
Service terraphim-llm-p
Port 3456
Binding 0.0.0.0 (all interfaces)
Process ID 947
Network Exposure Full network reachability

Network Security Assessment:

  • Service listening on 0.0.0.0:3456
  • Any machine on network can connect
  • No localhost-only restriction
  • Represents unauthorized network access risk

Verification Evidence:

$ ss -tlnp
LISTEN 0 1024 0.0.0.0:3456 0.0.0.0:* users:(("terraphim-llm-p",pid=947,fd=9))

Attack Surface:

  • Remote service access without network segmentation
  • Combined with CRL bypass (CVE above): authentication can be spoofed
  • MITM attack possible with revoked certificates

Persistence: 17 consecutive audit sessions, UNRESOLVED

3. RUSTSEC-2025-0141: bincode Unmaintained Library

Severity: 🟡 WARNING (not blocking but significant)

Attribute Value
Advisory RUSTSEC-2025-0141
Title Bincode is unmaintained
Current Version 1.3.3
Status No active maintenance (ceased development 2025-12-16)
Reason Team cited harassment incident

Affected Crates (15+ dependents):

  • terraphim_automata
  • terraphim_service
  • terraphim_persistence
  • terraphim_config
  • terraphim_rolegraph
  • terraphim_multi_agent
  • terraphim_agent_supervisor
  • terraphim_sessions
  • terraphim_middleware
  • terraphim_mcp_server
  • And 5+ additional crates

Risk Assessment: MEDIUM

  • No active security maintenance
  • Future vulnerabilities unlikely to be patched
  • Binary serialization is attack surface for deserialize exploits

Recommendations: Evaluate migration to postcard (modern Rust binary format)

Status: ACKNOWLEDGED - not blocking merge but should be addressed

Acceptable Findings

✅ Unsafe Code Analysis

  • Status: ACCEPTABLE
  • Finding: Zero unsafe blocks found
  • Assessment: No problematic unsafe code patterns
  • Evidence: grep -rn "unsafe" crates/ = 0 results

✅ Hardcoded Secrets Scanning

  • Status: ACCEPTABLE
  • Finding: No API keys, passwords, or credentials found
  • Assessment: No secrets exposed in source code
  • Evidence: No matches for sensitive patterns

✅ License Compliance (Partial)

  • Status: REQUIRES ATTENTION
  • Finding: 0 crates have license field defined in Cargo.toml
  • Assessment: Workspace metadata incomplete
  • Total Crates: 54

Code Change Analysis (Past 24 Hours)

Recent Commits:

  1. 20d1119f - feat(security-sentinel): agent work [auto-commit]
  2. a4a528e2 - fix: share build cache across agent worktrees (#763)
  3. d0611cc2 - feat: KG-driven model routing with provider probing (#761)
  4. e34edbef - fix(release): remove publish blockers for npm and pypi
  5. 061f56fd - fix(release): stabilize ecosystem publish pipelines

Assessment:

  • NO security-relevant changes
  • NO RUSTSEC-2026-0049 remediation
  • NO port 3456 binding fixes
  • ✅ All commits are routine feature/build work

Conclusion: Zero progress on critical vulnerabilities.

Dependency Audit Summary

Crate Version Advisory Severity Status
rustls-webpki 0.102.8 RUSTSEC-2026-0049 CRITICAL UNRESOLVED
bincode 1.3.3 RUSTSEC-2025-0141 WARNING ACKNOWLEDGED
instant 0.1.13 RUSTSEC-2025-0141 WARNING ACKNOWLEDGED

Total Vulnerabilities Found: 1 CRITICAL + 2 WARNINGS

Threat Model Assessment

Attack Scenarios

Scenario 1: Certificate Revocation Bypass + Exposed Service

Attacker: Network-adjacent adversary
1. Obtain revoked certificate (e.g., from compromised CA)
2. Create TLS connection to port 3456
3. rustls-webpki bug accepts revoked cert (CRL not checked)
4. Service authenticates attacker with spoofed identity
5. Unauthorized access to terraphim service

Scenario 2: MITM with Revoked Certificates

Attacker: Network MITM
1. Intercept connection to terraphim service (port 3456)
2. Present revoked certificate for TLS handshake
3. CVE-2026-0049: rustls-webpki accepts revoked cert
4. Session hijacked, credentials compromised
5. Full service compromise possible

Scenario 3: Service Enumeration

Attacker: Network reconnaissance
1. Port scan discovers 0.0.0.0:3456 listening
2. Service banner grabbed (no auth required to connect)
3. Vulnerability enumeration possible
4. Targeted exploit developed

Combined Risk: CRITICAL

  • Exposed service + broken certificate validation = authentication bypass
  • Network isolation missing
  • Cryptographic trust boundary violated

Remediation Steps

BLOCKING (Must Complete Before Merge)

Step 1: Upgrade rustls-webpki

# Update to patched version
cargo update rustls-webpki --precise 0.103.10
cargo audit  # Verify RUSTSEC-2026-0049 gone
cargo test --all  # Verify functionality

Step 2: Fix Port 3456 Binding

// BEFORE (INSECURE):
let listener = TcpListener::bind("0.0.0.0:3456")?;

// AFTER (SECURE):
let listener = TcpListener::bind("127.0.0.1:3456")?;

Step 3: Verify Remediation

cargo audit clean  # Must pass with 0 critical findings
ss -tlnp | grep 3456  # Must show 127.0.0.1, not 0.0.0.0
cargo test --all --features openrouter  # Verify all tests pass

NON-BLOCKING (Address in Next Sprint)

Step 4: Evaluate bincode Replacement

  • Assess postcard as modern alternative
  • Create Gitea issue for migration planning
  • Document compatibility requirements

Step 5: Add License Fields

  • Define SPDX license for each crate
  • Update workspace Cargo.toml with workspace-wide license

Step 6: Hardening

  • Add CI check for cargo audit clean
  • Network isolation testing
  • Pre-commit secrets scanning

Gate Criteria

VERDICT: FAIL ❌

Cannot Deploy - The following conditions must be met:

  • ✅ cargo audit shows 0 CRITICAL vulnerabilities
  • ✅ Port 3456 bound to 127.0.0.1 only (verified with ss -tlnp)
  • ✅ All security tests passing
  • ✅ Code review approved by security team
  • ✅ Remediation verified through re-audit

Current Status:

  • ❌ RUSTSEC-2026-0049 unresolved (17 consecutive sessions)
  • ❌ Port 3456 exposed to all interfaces
  • ❌ No remediation attempts in 24+ hours
  • ❌ Cannot merge to main or deploy to production

Audit Trail

Session Date Finding 1 Finding 2 Finding 3 Status
1 2026-04-07 RUSTSEC-2026-0049 Port 3456 - FAIL
2-15 2026-04-07 RUSTSEC-2026-0049 Port 3456 bincode FAIL
16 2026-04-07 RUSTSEC-2026-0049 Port 3456 bincode FAIL
17 2026-04-07 RUSTSEC-2026-0049 Port 3456 bincode FAIL

Pattern: 17 consecutive audit sessions, same vulnerabilities unresolved.

Evidence Log

Commands Executed:

cargo audit                    # ✓ RUSTSEC-2026-0049 confirmed
ss -tlnp | grep 3456          # ✓ 0.0.0.0:3456 confirmed
grep -rn "unsafe" crates/     # ✓ 0 unsafe blocks
grep -r "sk_\|api_key"        # ✓ No hardcoded secrets
git log --since=24h --oneline # ✓ No security-relevant changes
find crates -name Cargo.toml | xargs grep license  # ✓ 0 with license field

Recommendations

Immediate (Blocking)

  1. URGENT: Upgrade rustls-webpki to >=0.103.10
  2. URGENT: Bind port 3456 to 127.0.0.1 only
  3. URGENT: Re-run cargo audit and verify clean result

Short Term (Next Sprint)

  1. Evaluate postcard for bincode replacement
  2. Add cargo audit to CI/CD gate (fail on CRITICAL)
  3. Implement network isolation testing
  4. Add pre-commit secrets scanning

Long Term (Roadmap)

  1. Network segmentation strategy
  2. Zero-trust access model for services
  3. Quarterly security audits (automated)
  4. Dependency update policy

Conclusion

Verdict: 🔴 FAIL

Security posture unchanged from Session 16. Two critical vulnerabilities persist for 17 consecutive audit sessions without remediation attempts. The combination of:

  • Certificate validation bypass (RUSTSEC-2026-0049)
  • Exposed service (port 3456 on 0.0.0.0)

...creates a HIGH-RISK attack surface for authentication bypass and MITM attacks.

Project cannot be merged to main branch or deployed to production until:

  1. ✅ rustls-webpki upgraded to >=0.103.10 (RUSTSEC-2026-0049 resolved)
  2. ✅ Port 3456 restricted to 127.0.0.1 only
  3. ✅ Clean cargo audit run confirms all CRITICAL findings resolved
  4. ✅ Security re-audit passes

Audit Date: 2026-04-07 10:30 CEST Auditor: Vigil, Security Engineer (SFIA Level 5) Symbol: 🔐 Shield-lock (gate that does not open without proof) Guiding Phrase: Protect, verify Next Audit: On-demand after remediation, or scheduled per policy