Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

There is a remote command execution vulnerability on version 0.12-1.0 #295

Open
xu-xiang opened this issue Dec 10, 2019 · 3 comments
Open

Comments

@xu-xiang
Copy link

vulnerability info

After the default deployment of Fluentd-ui, it is not mandatory to change the password and there is a default password.

$ sudo /usr/sbin/td-agent-ui start
Puma 2.9.2 starting...
* Min threads: 0, max threads: 16
* Environment: production
* Listening on tcp://0.0.0.0:9292

Then, open http://localhost:9292/ by your browser.
The default account is username="admin" and password="changeme"

And there is a built-in command execution plug-in for flund. Therefore, in the case of replacement after deployment, there is a remote command execution vulnerability.

in_exec is included in Fluentd's core. No additional installation process is required.
<source>
  @type exec
  command cmd arg arg
  keys k1,k2,k3
  tag_key k1
  time_key k2
  time_format %Y-%m-%d %H:%M:%S
  run_interval 10s
</source>

Many products have the same function,but security by default

such as:

Permissions
Because malicious users sometimes attempt to elevate their privileges by using xp_cmdshell, xp_cmdshell is disabled by default. Use sp_configure or Policy Based Management to enable it. For more information, see xp_cmdshell Server Configuration Option.

When first enabled, xp_cmdshell requires CONTROL SERVER permission to execute and the Windows process created by xp_cmdshell has the same security context as the SQL Server service account. The SQL Server service account often has more permissions than are necessary for the work performed by the process created by xp_cmdshell. To enhance security, access to xp_cmdshell should be restricted to highly privileged users.

Security recommendations

By default, security should adhere to the default security principles.

  • First, the in_exec Input plugin should be disabled by default. If the user actually uses the function, it should be turned on separately. This can protect all users who do not use the function
  • In addition, the login password should be randomly generated or changed after the first login.
@ganmacs
Copy link
Member

ganmacs commented Dec 10, 2019

this issue is fluent-ui's one. I'll transfer this issue to https://github.com/fluent/fluentd-ui/

@ganmacs ganmacs transferred this issue from fluent/fluentd Dec 12, 2019
@ashie
Copy link
Member

ashie commented Mar 9, 2020

* In addition, the login password should be randomly generated or changed after the first login.

Changing password is notified:

password-change-notification

@postmodern
Copy link

Hello, one of the maintainers of ruby-advisory-db here, and I was wondering if this vulnerability (aka GHSA-wrxf-x8rm-6ggg / CVE-2020-21514) was ever patched? Was it really patched in 1.0? GHSA-wrxf-x8rm-6ggg claims the vulnerability was never patched, and I would like to be sure before adding it to ruby-advisory-db.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

4 participants