Our objective is to identify vulnerabilities that presently exist in various Cardano relay nodes and establish a baseline of vulnerabilities to help SPOs strengthen node security.
This is the total amount allocated to SPO Relay Node Security - Vulnerability Assessment of Relay Node Security.
Our project aligns more to R&D, however all of our findings will be responsibly shared with Project Catalyst, IOHK and the Cardano community.
Our objective is to perform external, application-based vulnerability assessments on all current Cardano relay nodes, establish a baseline of vulnerabilities, and prioritize the identified vulnerabilities with risk recommendations to help strengthen node security. We will additionally correlate the findings with data exposed on the dark web, such as usernames, passwords, impersonations, and any indicators of device compromise.
To thoroughly understand our proposed solution, we must first understand the problem at hand. Please view the expanded statements below:
Problem statement
Using a sample of publicly available data, Stratous Security Solutions (S³) observed that several relay nodes have misconfigured ports and vulnerable software. Grafana vulnerabilities in particular have been observed to be actively exploited in the wild (CVE-2021-43798). This may further threaten the availability and integrity of relay nodes if exploited via directory traversal and cross-site scripting (XSS) attacks. Proactively establishing a baseline of the vulnerabilities that exist within our ecosystem will not only assist with shrinking the attack surface of relay nodes, but also protect SPO assets and strengthen Cardano security standards.
Problem Statement Expanded:
Our analysis of relay node vulnerabilities began in late 2021 as an independent research effort for the Cardano community. We manually used public-facing information from the indexing service Shodan.io to identify potential vulnerabilities and their associated risk, measured against a sample of 300 relay nodes. For those unfamiliar, Shodan is an openly available search engine for devices exposed to the internet. Please note: Shodan does not exploit the vulnerabilities it identifies, but rather highlights them. Furthermore, S³ does not exploit any vulnerabilities it identifies. A sample of the vulnerabilities observed during our analysis can be seen below:
● Multiple Grafana Vulnerabilities: CVE-2021-43813, CVE-2022-21713, CVE-2021-39226, CVE-2021-43815, CVE-2022-35957, CVE-2022-39307, CVE-2022-21703, CVE-2022-31107, CVE-2022-39229, CVE-2023-0594, CVE-2022-39201, CVE-2022-21702, CVE-2022-36062, CVE-2022-21673, CVE-2022-39324, CVE-2022-31130, CVE-2022-31123
● Consumer-grade routers accessible externally (RT-AC86U).
● Internet of Things (IoT) devices such as IP cameras found to be accessible on relay nodes.
● Shared server(s) hosting both relay and core nodes.
● Secure Shell (SSH):
○ Default port in use.
○ Key-based authentication not configured.
○ Multiple unpatched OpenSSH vulnerabilities.
● Deprecated, misconfigured and exposed ports and services, including but not limited to:
○ FTP – Port 21
○ RPC – Port 1361
○ NetBIOS – Port 139
○ SNMP – Port 161
○ SMB – Port 445
○ Remote Desktop Protocol (RDP) – Port 3389
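The following Python script is an added illustration, not part of this proposal or of S³'s tooling, of how the findings above can be turned into the kind of baseline the proposal describes: it takes constructed, Shodan-style scan records and reports which findings each node exhibits, how prevalent each finding is across the sample, and which nodes should be notified first. The record format, the hostnames, and the "auth" field are assumptions; the Grafana fixed-version table reflects the vendor's patch releases for CVE-2021-43798.

```python
from collections import Counter

# Deprecated/exposed services from the findings above, keyed by port (1361 kept as listed).
EXPOSED = {21: "FTP", 1361: "RPC", 139: "NetBIOS", 161: "SNMP", 445: "SMB", 3389: "RDP"}
# First 8.x patch release per minor line that fixed CVE-2021-43798 (8.0.7, 8.1.8, 8.2.7, 8.3.1).
GRAFANA_FIXED = {0: 7, 1: 8, 2: 7, 3: 1}

SAMPLE_SCAN = [  # constructed, Shodan-style records; hosts, format and "auth" field are assumptions
    {"host": "relay-a.example", "services": [
        {"port": 22, "product": "OpenSSH", "auth": ["password", "publickey"]},
        {"port": 3000, "product": "Grafana", "version": "8.2.5"}]},
    {"host": "relay-b.example", "services": [
        {"port": 2222, "product": "OpenSSH", "auth": ["publickey"]},
        {"port": 3389, "product": "RDP"}, {"port": 445, "product": "SMB"}]},
    {"host": "relay-c.example", "services": [
        {"port": 22, "product": "OpenSSH", "auth": ["publickey"]},
        {"port": 3000, "product": "Grafana", "version": "8.3.1"}]},
]

def grafana_vulnerable(version):
    """True when an 8.x Grafana release predates the CVE-2021-43798 fix for its minor line."""
    try:
        major, minor, patch = (int(x) for x in version.split(".")[:3])
    except ValueError:  # beta/pre-release strings: flag nothing, leave for manual review
        return False
    return major == 8 and patch < GRAFANA_FIXED.get(minor, 0)

def node_findings(record):
    """Findings from the problem statement that a single scan record exhibits."""
    found = []
    for svc in record["services"]:
        port, product = svc["port"], svc.get("product", "")
        if port in EXPOSED:
            found.append(f"{EXPOSED[port]} exposed")
        if product == "OpenSSH":
            if port == 22:
                found.append("SSH on default port")
            if "password" in svc.get("auth", []):
                found.append("SSH password auth enabled")
        if product == "Grafana":
            found.append("Grafana reachable externally")
            if grafana_vulnerable(svc.get("version", "")):
                found.append("Grafana vulnerable to CVE-2021-43798")
    return found

def baseline(scan):
    """Per-finding prevalence (% of nodes) plus hosts ordered by finding count, noisiest first."""
    prevalence, per_node = Counter(), {}
    for record in scan:
        found = node_findings(record)
        per_node[record["host"]] = len(found)
        prevalence.update(set(found))  # count each finding once per node
    pct = {k: round(100 * v / len(scan), 1) for k, v in prevalence.items()}
    return pct, sorted(per_node, key=per_node.get, reverse=True)
```

Run against real scanner output, the prevalence table is the baseline to publish and the ordered host list is the notification queue for SPOs.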
Objective:
Our objective is to align with Cardano’s proactive philosophy towards security by adopting a pre-emptive cyber security strategy that directly assists SPOs in protecting their assets from malicious attacks and system compromise.
How will we achieve this goal?
● Vulnerability Scanning: Identify vulnerable and misconfigured relay nodes.
● Threat Intelligence: Aggregate data from the dark web to increase visibility of potential risks.
● Analysis: Vulnerability prioritization and analyst recommendations for remediation.
● Report: Generate human readable cyber security reports.
How does this benefit Cardano and SPOs?
● Awareness: The external attack surface shrinks as SPOs become aware of previously unknown vulnerabilities and misconfigurations.
● Value: External assessments can range from several hundred dollars to a few thousand.
● Support: SPOs can directly and immediately leverage our expertise within the Cardano ecosystem.
Helping establish vulnerability baselines and refining SPO security standards will not only immediately help strengthen Cardano’s network security posture and network availability, but further exemplify Cardano as a leader in the space.
The success of our project is not weighed simply on the completion of our assessment, but on the overall impact we have on the community. Undoubtedly, security measures and best practices will improve immediately upon the release of our findings. Providing digestible security recommendations is key: we understand that not all SPOs are security experts, but most are conscious of the importance of protecting the operation of their stake pools. Our success will ultimately be measured by SPOs’ implementation of our recommendations and by community feedback.
Data will be published and released to the Project Catalyst Team, IOHK and will be further used to help strengthen SPO node security standards in future proposals.
Our team will be leveraging Project Management tools such as Asana/Monday to keep track and delegate tasks accordingly. This remains critical to the success of the project and will more importantly grant Project Catalyst immediate insight and verification abilities for project milestones and outstanding items. With respect to the Project Catalyst team and the Cardano community, we understand the importance of effective communication and transparency.
Our primary objective is to establish vulnerability baselines that will directly aid in protecting SPO assets and refining SPO node security standards. This will not only immediately help strengthen Cardano’s network security posture and network availability, but further exemplify Cardano as a leader in the space.
Unique challenges:
● Cost: Good vulnerability scanning tools can be extremely expensive, especially as IP counts increase. However, over the last year we have had the opportunity to narrow down a few options that will complete our objective. In preparation for this assessment, we are actively maintaining communication with several vendors to ensure expenditure budgets remain realistic.
● IP blocklists: Vulnerability scanner IPs may be blocked by hosting providers, hindering our ability to collect vulnerability data from the 1341 relay nodes. Should this issue arise, S³ may leverage additional vulnerability scanners to achieve milestone goals. This may cause a slight delay; however, it will not hamper our ability to complete the overall objective.
● Volatility: ADA prices can be volatile depending on market conditions. This may create a few hurdles with respect to the expenses and tools needed to complete the assessment. To combat this proactively, we are prepared to pay for all necessary tools immediately upon funding of our project.
Q1 & Q2
● Acquire the most current list of relay nodes and configure vulnerability scanners. 300 relay nodes will be scanned during the first quarter. (Q1)
● Review all findings and perform a detailed analysis of all vulnerabilities identified. Distinguishing false positives and verifying inherent risk are key. Any critical vulnerabilities or sensitive information that may affect the availability or integrity of the relay node will be immediately communicated to the corresponding SPO. (Q1)
● Correlate dark web findings to vulnerabilities observed. Should any user credential be identified during this process, S³ will immediately alert the SPO. (Q1)
● Scan all remaining relay nodes (1041*) and perform all necessary analysis. (Q2 – early Q3)
● Perform dark web correlation on remaining relay nodes and alert any SPOs accordingly of any data leaks or sensitive information/data observed. (Q2)
Q3 & Q4
● Compile a list of vulnerability findings and compromised credentials observed over the past two (Q1-Q2) quarters for reporting purposes. (Q3)
● Begin the process of generating a digestible and human readable report of our assessment for the Project Catalyst Team, IOHK and the community. (Q3)
● Deliverable: Final report will be published and released to the Project Catalyst Team, IOHK and the community. (Q4)
*Adjustments in delivery may be necessary with regard to Catalyst funding iterations.
Our deliverable(s) will not only include individual assessment results for each relay node scanned, but an aggregated report of all findings with expert recommendation. Our team will be actively leveraging industry leading Project Management tools such as Asana/Monday to track and measure progress.
One of our biggest expenses will be vulnerability scanners. Though more cost-effective options exist, top-tier vulnerability scanners produce better results and yield fewer problems. Furthermore, a secondary vulnerability scanner will be leveraged to identify any potential gaps overlooked by the first scanner. Vulnerability scanners will account for at least 50% of our proposed budget.
Tools:
External & Web Application Vulnerability Scanners (Unauthenticated Scans):
● Total: $185k
Scope/Work Hours: 1100*
● $165k
○ Breakdown (Time Spent):
○ Vulnerability Scanner Implementation & Troubleshooting - 5%
○ Vulnerability Analysis & Risk Recommendations - 50%
○ Dark Web Hunting/Monitoring - 25%
○ Alerting SPOs of Potential Threats: 5%
○ Report Generation/Data Visualization - 15%
*Minimum hours expected. We expect to exceed the allotted hours as this process can be fairly intensive.
Taxes:
● $25.4k (Tax rate 8.25%)
Total:
● $345k: ₳1,045,454 – 1341/2757 relay nodes to be analyzed (confidence level 99% / margin of error 2.5%).
Key Edits:
Thanks Innovatio!
Leveraging over 30 years of combined experience in the cyber security industry, we are a team of four consisting of both white hat and black hat professionals who have achieved multiple industry-standard certifications. Additionally, we have several years of experience helping individuals navigate cyber security in the crypto/blockchain industry.
Key Areas of Expertise:
● Risk Management
● Vulnerability Analysis
● Penetration Testing
● Application Security
● Cybersecurity architecture
● Threat Intelligence
Currently:
We are actively working with Cardano-based projects in securing their perimeter and internal devices via:
● Website & DNS Monitoring
● External & Internal Analysis
● Web Application Scanning
● Dark Web & Domain Monitoring
● Phishing Simulations
Additionally, we passively observe dark web alerts via our threat intelligence platform to notify Cardano-based projects of any potential threats.