Executive Intelligence Brief

A critical vulnerability in Clauster, tracked under GHSA-h4g2-xfmw-q2c9, allows unauthenticated access to the dashboard and API when deployed on non-loopback addresses with default authentication settings. This issue, rated with a CVSS score of 8.7, affects all versions up to 0.2.1. Successful exploitation grants an attacker full control over the dashboard, enabling actions such as listing projects, spawning/stopping bridges, editing files, and cloning repositories, effectively leading to remote code execution in those projects. The recommended immediate action is to set `auth.enabled` to `true` or restrict access to loopback addresses with secure authentication mechanisms.

Threat Overview

Clauster is a tool used for managing dashboards and APIs. It is used in various deployments, including Docker environments. The vulnerability arises when Clauster is bound to a non-loopback address (e.g., `0.0.0.0` or a LAN IP) and `auth.enabled` is left at its default setting of `false`. Even if an operator has configured a password, the instance can still serve the dashboard and API without any authentication. This issue is particularly severe because it provides an unauthenticated attacker with network access to the instance full control over the dashboard.

Technical Deep Dive

Vulnerability Classification

The vulnerability can be classified under CWE-306: Missing Authentication for Critical Function. This class of vulnerability occurs when an application does not require authentication to access critical functions or data. In this case, the critical function is accessing and controlling the dashboard and API of Clauster.

Root Cause Analysis

The root cause of this vulnerability lies in the configuration validation and runtime authentication guard mechanisms of Clauster. The configuration validator checks for different flags depending on the bind address. For non-loopback addresses, it requires only one of `auth.password_required`, `auth.reverse_proxy.enabled`, or `auth.allow_unauthenticated_network` to be set, not `auth.enabled`. Meanwhile, the runtime authentication guard only enforces authentication when `config.auth.enabled` is `true`. If `auth.enabled` is `false`, it allows every request to pass through unauthenticated.

Attack Vector & Chain

The attack vector involves an unauthenticated attacker with network access to the Clauster instance. The attack chain starts with the attacker discovering the vulnerable instance, then exploiting the lack of authentication to gain access to the dashboard and API. The preconditions include the instance being bound to a non-loopback address and `auth.enabled` being set to `false`.

Exploitation Scenario Walkthrough

Scenario: Unauthenticated Access to Clauster Dashboard
Reconnaissance: An attacker discovers a Clauster instance bound to a non-loopback address (e.g., `0.0.0.0`) with `auth.enabled` set to `false`.
Weaponization: The attacker prepares by noting the IP address and port of the Clauster instance.
Delivery & Exploitation: The attacker sends a request to `http://:7621/api/instances`. The server responds with a `200` status code and the full instance list without requiring any credentials.
Post-Exploitation: With access to the dashboard, the attacker can list projects, spawn/stop bridges in any project directory, edit `CLAUDE.md`, read bridge logs, and clone repositories, effectively achieving remote code execution.
Impact Realization: The attacker gains full control over the dashboard and can execute code in project directories, leading to potential data breaches, system compromise, and supply chain poisoning.

Exploitation in the Wild

There is no indication that this vulnerability is actively exploited in the wild. However, given its severity and the straightforward nature of exploitation, it is likely that attackers will target this vulnerability if not promptly patched.

Impact Analysis

Direct Impact

The direct impact of this vulnerability includes unauthenticated access to the Clauster dashboard and API, allowing for remote code execution in project directories. This can lead to data breaches, system compromise, and potential supply chain attacks.

Downstream & Cascading Effects

Downstream effects may include compromised project directories, data exfiltration, and lateral movement within networks. The cascading effects could involve reputational damage, regulatory implications, and operational disruptions.

Affected Products & Versions

All released versions of Clauster up to 0.2.1 are affected. The vulnerability is addressed in version 0.2.2, where the configuration validator is modified to fail closed, requiring authentication for non-loopback binds.

Detection & Threat Hunting

Indicators of Compromise

Indicators of compromise include unusual API requests, unfamiliar projects or bridges in the dashboard, and logs indicating unauthorized access attempts.

Detection Rules & Signatures

Detection rules should monitor for unauthenticated API requests, especially those coming from non-loopback addresses. Behavioral patterns indicating exploitation include successful API calls without authentication and changes to project directories or configurations.

Threat Hunting Queries

Threat hunting queries should focus on API logs, authentication attempts, and changes in dashboard configurations. Queries may include searching for requests from unknown IP addresses or monitoring for unusual activity in project directories.

Remediation & Hardening

Immediate Actions (0-24 hours)

Immediately set `auth.enabled` to `true` in `clauster.yml` or set `CLAUSTER_AUTH_ENABLED=true` for Docker deployments. Ensure that `auth.password_required` and a valid `auth.password_hash` are configured.

Short-Term Hardening (1-7 days)

In addition to setting `auth.enabled` to `true`, consider binding Clauster to loopback addresses and accessing it through an SSH tunnel or a trusted authenticating reverse proxy.

Strategic Recommendations

Long-term recommendations include regularly reviewing and updating Clauster configurations, ensuring proper authentication and authorization mechanisms are in place, and monitoring for unusual activity.

Analyst Assessment

The risk of this vulnerability is high due to its severity, ease of exploitation, and potential impact. Organizations should prioritize patching or mitigating this vulnerability as soon as possible to prevent potential compromise.

Sources

  • GitHub Security Advisories: GHSA-h4g2-xfmw-q2c9