Description
The /prpc/Kms.GetPublicKey endpoint in dstack/kms/src/main_service.rs returns the KMS root public key without requiring any authentication, allowing any network client to retrieve it.
Root Cause
The get_app_env_encrypt_pub_key endpoint returns app-specific encryption public keys without requiring any authentication (no mTLS, no admin token, no attestation). While the returned key is a public key (not a secret), the endpoint allows unauthenticated callers to enumerate valid app_id values by observing which requests return keys versus errors.
Attack Path
- Attacker discovers the KMS endpoint
- Attacker calls get_app_env_encrypt_pub_key with various app_id values
- Successful responses indicate valid app_ids; errors indicate invalid ones
- Attacker builds a list of all active applications registered with the KMS
- This information can be used to target specific applications in subsequent attacks
Impact
Information disclosure — an attacker can enumerate all registered application IDs. This is low severity because app_ids may not be secret, and the returned public keys are not sensitive. However, the enumeration provides reconnaissance value for targeted attacks against specific applications.
Suggested Fix
Require at minimum mTLS authentication for this endpoint, or return a consistent response (e.g., a dummy public key) for both valid and invalid app_ids to prevent enumeration.
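To make the second option concrete, here is an added example (not dstack's code, and not the KMS's real data model) contrasting a leaky handler with a hardened one. It assumes a `Caller` struct whose `mtls_verified` flag stands in for a verified client certificate, a `Kms` map of registered app_ids, and a `decoy_key` helper that derives a stable key-shaped value for unknown app_ids so a valid and an invalid app_id produce responses of the same type and length. `DefaultHasher` is used only as a toy stand-in for a real KDF such as HKDF.

```rust
use std::collections::hash_map::DefaultHasher;
use std::collections::HashMap;
use std::hash::{Hash, Hasher};

/// Minimal stand-in for KMS state: registered app_ids and their per-app
/// encryption public keys. Constructed sample data, not dstack's structures.
pub struct Kms {
    registered: HashMap<String, Vec<u8>>,
    // Toy secret used only to derive decoy keys for unknown app_ids.
    decoy_secret: [u8; 16],
}

#[derive(Debug, PartialEq)]
pub enum KmsError {
    UnknownApp,
    Unauthenticated,
}

/// What the handler knows about the caller. In a real deployment this would be
/// populated from the mTLS client certificate (an assumption of this example).
pub struct Caller {
    pub mtls_verified: bool,
}

impl Kms {
    pub fn new(apps: &[&str]) -> Self {
        let mut registered = HashMap::new();
        for (i, app) in apps.iter().enumerate() {
            // Constructed placeholder keys; a real KMS derives these from its key hierarchy.
            registered.insert(app.to_string(), vec![0xA0 + i as u8; 32]);
        }
        Kms { registered, decoy_secret: *b"decoy-secret-xx!" }
    }

    /// Leaky variant: no caller check, and the Ok/Err split tells the caller
    /// whether app_id is registered.
    pub fn get_app_env_encrypt_pub_key_leaky(&self, app_id: &str) -> Result<Vec<u8>, KmsError> {
        self.registered.get(app_id).cloned().ok_or(KmsError::UnknownApp)
    }

    /// Hardened variant: rejects unauthenticated callers with one generic error,
    /// and for authenticated callers returns a 32-byte key for every app_id, so the
    /// response shape does not reveal whether the app exists.
    pub fn get_app_env_encrypt_pub_key_hardened(
        &self,
        caller: &Caller,
        app_id: &str,
    ) -> Result<Vec<u8>, KmsError> {
        if !caller.mtls_verified {
            return Err(KmsError::Unauthenticated);
        }
        match self.registered.get(app_id) {
            Some(key) => Ok(key.clone()),
            None => Ok(self.decoy_key(app_id)),
        }
    }

    /// Deterministic decoy so repeated queries for the same unknown app_id agree;
    /// a decoy that changed between calls would itself be an enumeration signal.
    fn decoy_key(&self, app_id: &str) -> Vec<u8> {
        let mut out = Vec::with_capacity(32);
        for chunk in 0u8..4 {
            // DefaultHasher is a toy stand-in for a real KDF; not cryptographically suitable.
            let mut h = DefaultHasher::new();
            self.decoy_secret.hash(&mut h);
            app_id.hash(&mut h);
            chunk.hash(&mut h);
            out.extend_from_slice(&h.finish().to_le_bytes());
        }
        out
    }
}

fn main() {
    let kms = Kms::new(&["app-a", "app-b"]);
    let anon = Caller { mtls_verified: false };
    let client = Caller { mtls_verified: true };
    println!("leaky, unknown app:     {:?}", kms.get_app_env_encrypt_pub_key_leaky("ghost"));
    println!("hardened, anon caller:  {:?}", kms.get_app_env_encrypt_pub_key_hardened(&anon, "app-a"));
    println!("hardened, unknown app:  {:?}", kms.get_app_env_encrypt_pub_key_hardened(&client, "ghost").map(|k| k.len()));
}
```

The hardened handler closes the Ok/Err oracle, but a practitioner should also check that the registered and decoy paths take comparable time and produce identical HTTP status codes and body layouts, since any of those can reopen the side channel.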
Note: This issue was created automatically. The vulnerability report was generated by Claude and has not been verified by a human.