CVE-2026-45039

RustFS · Distributed Object Storage System

RustFS uses a hardcoded default secret key for internode RPC authentication, allowing attackers to bypass security if the environment is not explicitly configured.

Executive summary

A hardcoded secret key in the RustFS distributed storage system enables unauthorized internode communication and potential data access if default configurations are not overridden.

Vulnerability

The application uses a hardcoded DEFAULT_SECRET_KEY ("rustfsadmin") to validate HMAC-SHA256 signatures in the internode RPC layer. This key is used whenever neither the RUSTFS_RPC_SECRET environment variable nor the global S3 secret key is explicitly set, so an unauthenticated attacker can forge valid authentication requests against any deployment still running on the default.
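As an added example (not RustFS's own code), a fail-closed resolver for the RPC secret in the lookup order the advisory describes: it refuses to proceed when the resolved value is the hardcoded default, is missing, or is too short, rather than silently falling back to "rustfsadmin". The minimum length and the RUSTFS_SECRET_KEY variable name used for the S3 secret are assumptions.

```rust
use std::env;

/// The hardcoded fallback the advisory describes; a hardened deployment
/// must never end up using it for internode RPC authentication.
const DEFAULT_SECRET_KEY: &str = "rustfsadmin";
/// Minimum length required for the RPC secret (assumed policy, not RustFS's).
const MIN_SECRET_LEN: usize = 32;

#[derive(Debug, PartialEq)]
pub enum SecretError {
    /// Neither RUSTFS_RPC_SECRET nor the global S3 secret key was provided.
    NotConfigured,
    /// The resolved secret equals the hardcoded default ("rustfsadmin").
    IsHardcodedDefault,
    /// The resolved secret is shorter than MIN_SECRET_LEN bytes.
    TooShort(usize),
}

/// Treat whitespace-only values the same as unset.
fn nonempty(s: Option<&str>) -> Option<&str> {
    s.map(str::trim).filter(|s| !s.is_empty())
}

/// Resolve the internode RPC secret in the order the advisory describes
/// (RUSTFS_RPC_SECRET, then the global S3 secret key), but fail closed
/// instead of silently falling back to DEFAULT_SECRET_KEY.
pub fn resolve_rpc_secret(
    rpc_secret: Option<&str>,
    s3_secret_key: Option<&str>,
) -> Result<String, SecretError> {
    let candidate = nonempty(rpc_secret)
        .or_else(|| nonempty(s3_secret_key))
        .ok_or(SecretError::NotConfigured)?;
    if candidate == DEFAULT_SECRET_KEY {
        return Err(SecretError::IsHardcodedDefault);
    }
    if candidate.len() < MIN_SECRET_LEN {
        return Err(SecretError::TooShort(candidate.len()));
    }
    Ok(candidate.to_string())
}

/// Read both sources from the process environment and apply the same checks.
/// RUSTFS_RPC_SECRET is from the advisory; RUSTFS_SECRET_KEY is an assumed name.
pub fn resolve_from_env() -> Result<String, SecretError> {
    let rpc = env::var("RUSTFS_RPC_SECRET").ok();
    let s3 = env::var("RUSTFS_SECRET_KEY").ok();
    resolve_rpc_secret(rpc.as_deref(), s3.as_deref())
}
```

Calling `resolve_from_env()` at startup and aborting on `Err` turns the silent fallback into a hard configuration error.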

Business impact

With a CVSS score of 9.8, this is a critical vulnerability. An attacker capable of communicating with the internode RPC port could authenticate as a trusted node, potentially accessing, modifying, or deleting stored objects. This results in a severe breach of data confidentiality and integrity within the storage cluster.

Remediation

Immediate Action: Upgrade RustFS to version 1.0.0-beta.2 or later, and ensure that a strong, unique secret key is configured via the RUSTFS_RPC_SECRET environment variable.

Proactive Monitoring: Audit RPC traffic for unauthorized authentication attempts or communication from nodes not belonging to the trusted cluster.

Compensating Controls: Use network-level segmentation or mTLS to ensure that only authorized internal nodes can communicate over the RPC port, effectively isolating the service from untrusted networks.

Exploitation status

Public Exploit Available: false

Analyst recommendation

The reliance on a hardcoded secret key is a significant security oversight. Organizations must upgrade to the patched version and immediately rotate any secrets that may have been exposed by relying on the default configuration.