Objective: Compromise Data/Availability of CockroachDB Cluster [CN]
+---------------------------------------------------------------------+
| Attacker's Goal: Compromise Data/Availability of CockroachDB Cluster | [CN]
+---------------------------------------------------------------------+
^
|
+------------------------------+------------------------------+------------------------------+
| | |
+---------+---------+ +---------+---------+ +---------+---------+
| Exploit Network | | Exploit Config | | Exploit Client |
| Vulnerabilities | | & Permissions | | Interaction |
+---------+---------+ +---------+---------+ +---------+---------+
^ ^ ^
| | |
+---------+---------+ +---------+---------+ +---------+---------+
| 1. Intercept | [HR] | 1. Insecure | [HR] | 1. SQL Injection | [HR]
| Traffic | | Defaults | | (CRDB Spec) |
+---------+---------+ +---------+---------+ +---------+---------+
| | |
+---------+---------+ +---------+---------+ +---------+---------+
| 1a. Unencrypted | [HR][CN]| 1a. Weak/Default | [HR][CN]|
| Comms | | Passwords | |
+---------+---------+ +---------+---------+ |
|
+---------+---------+
| 1b. Overly | [HR]
| Permissive |
| Roles |
+---------+---------+
Attack Tree Path: Exploit Network Vulnerabilities [HR]
- 1. Intercept Traffic [HR]
-
Description: The attacker attempts to capture network traffic between clients and the CockroachDB cluster, or between nodes within the cluster.
-
Goal: Obtain sensitive data (queries, results, credentials) or potentially modify traffic (if a MITM is established).
-
1a. Unencrypted Communications [HR][CN]
- Description: Communication between clients and nodes, or between nodes themselves, is not encrypted using TLS. This allows an attacker with network access to passively eavesdrop on all traffic.
- Likelihood: Medium (If TLS is not enforced, it's trivial to intercept)
- Impact: Very High (Complete data exposure)
- Effort: Very Low (Basic network sniffing tools)
- Skill Level: Novice
- Detection Difficulty: Medium (Requires network monitoring, but unencrypted traffic is a clear indicator)
- Mitigation: Enforce TLS encryption for all inter-node and client-node communication. Use strong cipher suites and regularly rotate certificates. Disable any insecure (non-TLS) ports.
-
Attack Tree Path: Exploit Configuration & Permissions [HR]
-
1. Insecure Defaults [HR]
-
Description: The attacker leverages default configurations that are known to be insecure.
-
Goal: Gain unauthorized access or control due to weak security settings.
-
1a. Weak/Default Passwords [HR][CN]
- Description: The
rootuser or other privileged SQL users have weak or default passwords, allowing the attacker to easily gain access. - Likelihood: Medium (Unfortunately common, but easily preventable)
- Impact: High to Very High (Depends on the compromised user's privileges)
- Effort: Very Low (Brute-force or dictionary attacks)
- Skill Level: Novice
- Detection Difficulty: Easy (Failed login attempts can be logged and monitored)
- Mitigation: Never use default passwords. Enforce strong password policies (length, complexity, rotation). Consider using a password manager. Use multi-factor authentication (MFA) where possible.
- Description: The
-
-
1b. Overly Permissive Roles [HR]
- Description: SQL users are granted excessive privileges (e.g.,
adminrole) that are not required for their intended function. This amplifies the impact of any compromised user account. - Likelihood: Medium (Common misconfiguration)
- Impact: High to Very High (Amplifies the impact of other attacks)
- Effort: Very Low (Exploitation is easy once a user account is compromised)
- Skill Level: Novice
- Detection Difficulty: Medium (Requires auditing of user roles and permissions)
- Mitigation: Implement the principle of least privilege. Create specific roles with the minimum necessary permissions for each application or user. Regularly review and audit user roles and permissions.
- Description: SQL users are granted excessive privileges (e.g.,
Attack Tree Path: Exploit Client Interaction [HR]
- 1. SQL Injection (CRDB Specific) [HR]
- Description: The attacker crafts malicious SQL queries that exploit vulnerabilities in the application's handling of user input, potentially allowing them to bypass security controls and access or modify data. This includes potential misuse of CockroachDB-specific features or internal tables.
- Likelihood: Medium (If parameterized queries are not used consistently)
- Impact: High to Very High (Data exfiltration, modification, or deletion)
- Effort: Low to Medium (Depends on the complexity of the injection)
- Skill Level: Intermediate to Advanced (Requires understanding of CockroachDB internals)
- Detection Difficulty: Medium (Requires input validation and monitoring for unusual queries)
- Mitigation: Use parameterized queries exclusively. Never construct SQL queries by concatenating strings with user input. Validate and sanitize all user input, even if you're using parameterized queries (defense in depth). Be aware of CockroachDB-specific functions and system tables and restrict access to them.