threat-modeling.md

Threat Model Analysis for bitwarden/server

Threat: Rogue Bitwarden Server

• Description: An attacker sets up a fake Bitwarden server using techniques like DNS poisoning, ARP spoofing, or compromising a network device. The attacker's server presents a valid-looking (but attacker-controlled) TLS certificate. This allows the attacker to intercept traffic intended for the legitimate server.
• Impact: Complete compromise of user credentials and potential access to encrypted vault data (which the attacker cannot decrypt without the master password, but could hold hostage or corrupt).
• Affected Component: Entire server infrastructure; specifically, the TLS termination point and any network-facing components.
• Risk Severity: Critical
• Mitigation Strategies:
  • Enforce strong TLS (TLS 1.3 only, with strong ciphers and forward secrecy).
  • Use HSTS with a long max-age.
  • Regularly audit TLS configuration.

Threat: User Impersonation (Credential Stuffing/Brute Force) - Server-Side Impact

• Description: While initiated by an attacker against a user, the server is the component that must defend against successful impersonation. An attacker uses stolen credentials or brute-force attacks to guess a user's master password or bypass 2FA on the server.
• Impact: Unauthorized access to a user's Bitwarden vault, leading to the compromise of all stored secrets.
• Affected Component: Authentication module (IdentityServer project, specifically authentication endpoints and related logic).
• Risk Severity: Critical
• Mitigation Strategies:
  • Implement strict, adaptive rate limiting on login attempts (both IP-based and account-based).
  • Lock accounts after a small number of failed login attempts.
  • Use Argon2id with appropriate parameters for password hashing.
  • Ensure 2FA cannot be easily bypassed (e.g., through password reset flows) on the server. The server must correctly validate 2FA.

Threat: Server Code Modification

• Description: An attacker gains access to the server's filesystem (e.g., through a vulnerability in a dependency, a misconfigured server, or a compromised administrator account) and modifies the server's code to introduce a backdoor or weaken security.
• Impact: Complete control over the server, allowing the attacker to steal data, modify user vaults, or disrupt service.
• Affected Component: All server components are potentially vulnerable.
• Risk Severity: Critical
• Mitigation Strategies:
  • Use containerization (Docker) with minimal privileges. Deploy on a hardened operating system.
  • File Integrity Monitoring (FIM): Monitor critical files and directories for changes.
  • Implement a secure update process and keep all software up-to-date.
  • Run the server process with the lowest possible privileges.
  • Digitally sign releases to verify integrity.

Threat: Vault Data Corruption

• Description: An attacker gains write access to the database and modifies or deletes encrypted vault data. While they cannot decrypt the data, they can cause data loss or denial of service.
• Impact: Loss of user vault data, potentially causing significant disruption and damage.
• Affected Component: Database interaction layer (SqlServerDataContext, PostgreSqlDataContext, etc., and related database access code).
• Risk Severity: High
• Mitigation Strategies:
  • Strong database passwords, restricted network access, encryption at rest.
  • Implement checksums or other integrity checks on stored vault data within the server code. This is essential.
  • Encrypted, secure, and regularly tested backups.
  • Grant the Bitwarden server application only the necessary permissions to the database (read, write, but not schema modification).

Threat: In-Transit Data Tampering (Post-Decryption/Pre-Encryption)

• Description: An attacker compromises the server process itself (e.g., through a memory corruption vulnerability) and modifies data after TLS decryption or before TLS encryption. This is a very sophisticated attack.
• Impact: Potential leakage or modification of sensitive data, even with TLS in place.
• Affected Component: Any component handling sensitive data in memory (e.g., API controllers, data access layers).
• Risk Severity: High
• Mitigation Strategies:
  • Use memory-safe languages (like Rust) where possible, or employ robust memory protection techniques (ASLR, DEP/NX).
  • Rigorous input validation before any processing.
  • Security Audits: Focus on identifying memory corruption vulnerabilities.

Threat: Resource Exhaustion

• Description: An attacker sends a large number of requests to the server, consuming its resources (CPU, memory, network bandwidth) and making it unavailable to legitimate users.
• Impact: Service outage, preventing users from accessing their vaults.
• Affected Component: All server components, particularly API endpoints.
• Risk Severity: High
• Mitigation Strategies:
  • Implement rate limiting on all API endpoints.
  • Configure resource limits for the server process.
  • Use a DDoS protection service.
  • Distribute traffic across multiple server instances using a load balancer.
  • Optimize code for performance and resource usage.

Threat: Privilege Escalation Vulnerability

• Description: An attacker exploits a vulnerability (e.g., a buffer overflow, command injection, or a logic flaw) to gain higher privileges on the server (e.g., escalating from a regular user to an administrator, or from the application user to root).
• Impact: Complete control over the server, allowing the attacker to access all data and potentially compromise the entire system.
• Affected Component: Any component that handles user input or performs privileged operations.
• Risk Severity: Critical
• Mitigation Strategies:
  • Run the server with minimal privileges.
  • Follow secure coding guidelines to prevent common vulnerabilities.
  • Strictly validate all user input.
  • Conduct code reviews and penetration testing.
  • Implement role-based access control to limit user permissions within the server application.