Bug Description
ConfigurationManager._fetch_remote_configuration() in netsecgame/game/configuration_manager.py fetches configuration over plaintext HTTP and accepts remote data without authentication or integrity verification.
Current flow (configuration_manager.py:48-90):
- Uses `http://{service_host}:{service_port}/cyst_init_objects`.
- Accepts the response JSON and immediately loads it into `env.configuration.general.load_configuration(config_data)` and `ConfigParser(config_dict=config_data)`.
- Uses a broad `except Exception` with fallback to the local file, which can mask security-relevant remote-fetch failures.
- Logs the full fetched config data at debug level (`Received config data: {config_data}`).
Security impact:
- On-path attacker can tamper with remote configuration and influence goals, rewards, starting positions, topology, and security toggles.
- Failure handling may hide remote tampering/fetch failures behind local fallback.
- Debug logging may expose sensitive configuration details.
Steps to Reproduce
- Start the coordinator with a remote config service configured (`service_host`, `service_port`).
- Intercept traffic between the coordinator and the config service.
- Tamper with the HTTP response to `/cyst_init_objects`.
- Return crafted JSON that changes rewards/win conditions/starting positions/security flags.
- Observe that the coordinator loads the attacker-controlled config.
Expected Behavior
- Use authenticated secure transport for remote config fetch (TLS + service authentication).
- Enforce integrity verification before loading config.
- Avoid broad exception swallowing that masks deliberate remote fetch failures.
- Do not log full remote configuration payloads.
- If fallback to local config occurs after remote failure, emit explicit high-visibility warning with security context.
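The expected behavior above, as an added example that is not the project's code: a TLS-only fetch, an HMAC-SHA256 integrity check over the raw body before any JSON is parsed, a narrow exception list instead of `except Exception`, a debug line that records only the payload size, and a high-visibility warning on local fallback. The `X-Config-Signature` header, the shared HMAC key, and the `sign_config` helper are assumptions standing in for whatever signing scheme the config service would actually implement.

```python
# Hardened remote-config loading: HTTPS only, HMAC integrity check,
# narrow exception handling, no payload logging, loud fallback warning.
import hashlib
import hmac
import json
import logging
import urllib.error
import urllib.request

log = logging.getLogger(__name__)

class RemoteConfigError(Exception):
    """Raised when the remote config cannot be fetched or fails verification."""

def sign_config(body: bytes, key: bytes) -> str:
    """HMAC-SHA256 tag the config service would send with the body (assumed scheme)."""
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def verify_config(body: bytes, signature_hex: str, key: bytes) -> dict:
    """Verify the tag over the raw bytes before parsing; never load unverified JSON."""
    if not hmac.compare_digest(sign_config(body, key), signature_hex):
        raise RemoteConfigError("config signature mismatch")
    try:
        return json.loads(body)
    except json.JSONDecodeError as exc:
        raise RemoteConfigError(f"config is not valid JSON: {exc}") from exc

def fetch_remote_config(url: str, key: bytes, timeout: float = 5.0) -> dict:
    """Fetch over TLS only; urlopen verifies the server certificate chain by default."""
    if not url.startswith("https://"):
        raise RemoteConfigError(f"refusing non-TLS config URL: {url}")
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            sig = resp.headers.get("X-Config-Signature", "")  # header name is assumed
            body = resp.read()
    except (urllib.error.URLError, TimeoutError) as exc:  # narrow, not `except Exception`
        raise RemoteConfigError(f"config fetch failed: {exc}") from exc
    log.debug("received %d bytes of remote config (payload not logged)", len(body))
    return verify_config(body, sig, key)

def load_config(url: str, key: bytes, local_path: str) -> tuple:
    """Try remote first; on rejection warn loudly with security context, then use local."""
    try:
        return fetch_remote_config(url, key), "remote"
    except RemoteConfigError as exc:
        log.warning("SECURITY: remote config rejected (%s); falling back to %s", exc, local_path)
        with open(local_path, encoding="utf-8") as fh:
            return json.load(fh), "local"
```

The fallback path still happens, but only after the reason is logged at warning level, so a tampered or unreachable remote service is visible rather than silently replaced by the local file.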
Version
Current main branch (as of 2026-03-05)
Installation / Deployment Method
Running locally from source