Missing Tls in Cockroachdb
How Missing Tls Manifests in Cockroachdb
Missing TLS in CockroachDB creates a critical vulnerability where database connections transmit credentials and sensitive data in plaintext. This manifests in several CockroachDB-specific ways:
- Default insecure connections: CockroachDB nodes listen on port 26257 without TLS by default, allowing any network attacker to intercept SQL traffic
- Admin UI exposure: The web UI on port 8080 serves without authentication or encryption, exposing cluster metrics and configuration
- Node-to-node communication: Without proper TLS configuration, inter-node replication traffic flows unencrypted across your network
- Application connection strings: Developers often use insecure connection strings like
postgresql://user:password@host:26257/dbnamewithoutsslmodeparameters
The attack surface is particularly severe because CockroachDB uses the PostgreSQL wire protocol, making it compatible with standard PostgreSQL tooling that defaults to insecure connections. An attacker on the same network can use tools like pg_dump or psql to connect without authentication and extract data.
Consider this vulnerable connection pattern common in CockroachDB applications:
// VULNERABLE: No TLS verification
db, err := sql.Open("cockroachdb",
"postgresql://admin:password@10.0.0.5:26257/defaultdb?sslmode=disable")
This allows a man-in-the-middle attacker to intercept the admin credentials and all subsequent queries. The lack of certificate verification means the client cannot confirm it's connecting to the legitimate database.
Cockroachdb-Specific Detection
Detecting missing TLS in CockroachDB requires examining both configuration files and network behavior. Here's how to identify this vulnerability:
Configuration Analysis
Check your cockroach.yaml or environment variables for TLS settings:
# INSECURE CONFIGURATION
# No certificates specified
listener:
address: 0.0.0.0
port: 26257
tls_enabled: false
Look for missing tls_key, tls_cert, and tls_root_cafile parameters in your node configuration.
Network Scanning
Use openssl s_client to test TLS support:
# Test if port 26257 accepts TLS
openssl s_client -connect localhost:26257 -showcertsIf this fails or shows no certificates, TLS is not properly configured.
Application Code Audit
Search for connection strings with insecure parameters:
// Patterns to search for:
// sslmode=disable
// sslmode=allow
// sslmode=prefer
// No sslmode parameter at all
middleBrick's API security scanner automatically detects these issues by analyzing connection patterns and testing endpoints without credentials. It identifies:
- Unencrypted database endpoints accepting connections
- Admin UI interfaces without authentication
- Application code with insecure connection parameters
- Network traffic analysis showing plaintext database communications
The scanner tests the unauthenticated attack surface, so it can detect missing TLS even without database credentials by attempting connections and analyzing responses.
Cockroachdb-Specific Remediation
Securing CockroachDB requires both node-level TLS configuration and application-level connection security. Here's the complete remediation approach:
Node Configuration
Generate and configure TLS certificates for your CockroachDB cluster:
# Generate CA and node certificates
cockroach cert create-ca \
--certs-dir=certs \
--ca-key=my-safe-directory/ca.key
cockroach cert create-node \
localhost \
$(hostname) \
--certs-dir=certs \
--ca-key=my-safe-directory/ca.key
Update your cockroach.yaml:
listener:
address: 0.0.0.0
port: 26257
tls_enabled: true
tls_key: certs/node.key
tls_cert: certs/node.crt
tls_root_cafile: certs/ca.crt
Application Connection Security
Update your Go applications to use secure connections:
import (
"crypto/tls"
"crypto/x509"
"database/sql"
"io/ioutil"
"log"
_ "github.com/lib/pq"
)
func secureConnection() *sql.DB {
// Load CA certificate
caCert, err := ioutil.ReadFile("certs/ca.crt")
if err != nil {
log.Fatal(err)
}
caCertPool := x509.NewCertPool()
caCertPool.AppendCertsFromPEM(caCert)
// Configure TLS
tlsConfig := &tls.Config{
RootCAs: caCertPool,
MinVersion: tls.VersionTLS12,
}
// Connect with sslmode=verify-full for maximum security
connStr := "postgresql://admin:password@10.0.0.5:26257/defaultdb?sslmode=verify-full"
db, err := sql.Open("cockroachdb", connStr)
if err != nil {
log.Fatal(err)
}
// Test the connection
if err := db.Ping(); err != nil {
log.Fatal(err)
}
return db
}
Admin UI Security
Secure the Admin UI with TLS and authentication:
# Start CockroachDB with UI security
cockroach start \
--insecure=false \
--ca-key=my-safe-directory/ca.key \
--http-host=0.0.0.0 \
--http-port=8080 \
--http-cert=certs/node.crt \
--http-key=certs/node.key
Enable HTTP authentication in your configuration:
http:
enabled: true
tls_enabled: true
cert_file: certs/node.crt
key_file: certs/node.key
auth_session_timeout: 20m
middleBrick's scanner validates these configurations by testing both the SQL interface and Admin UI, ensuring TLS is properly implemented and that no plaintext endpoints remain accessible.
Related CWEs: encryption
| CWE ID | Name | Severity |
|---|---|---|
| CWE-319 | Cleartext Transmission of Sensitive Information | HIGH |
| CWE-295 | Improper Certificate Validation | HIGH |
| CWE-326 | Inadequate Encryption Strength | HIGH |
| CWE-327 | Use of a Broken or Risky Cryptographic Algorithm | HIGH |
| CWE-328 | Use of Weak Hash | HIGH |
| CWE-330 | Use of Insufficiently Random Values | HIGH |
| CWE-338 | Use of Cryptographically Weak PRNG | MEDIUM |
| CWE-693 | Protection Mechanism Failure | MEDIUM |
| CWE-757 | Selection of Less-Secure Algorithm During Negotiation | HIGH |
| CWE-261 | Weak Encoding for Password | HIGH |