Apache server-status is accessible after default installation
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Landscape Server | Fix Released | Critical | Simon Poirier | |
Bug Description
Hi team!
The Apache server-status page usually contains sensitive information such as the current hosts and requests being processed, the number of idle workers and serviced requests, and CPU utilization. Sometimes it may contain secret data, for example API keys in the request path or a URL to a private document stored on the server.
This endpoint is open to everyone after a Landscape installation using the Quickstart deployment (https:/
Apache conf:

```apache
...
RewriteCond %{REQUEST_URI} !^/server-status
...
```
Very few administrators restrict access to this endpoint after installation. You can see for yourself by using Shodan to search for Landscape servers and trying to visit the /server-status endpoint:
1. Login/Register to your Shodan account
2. Visit https:/
3. Try to visit /server-status endpoint on found servers
Impact
An attacker can obtain information about requests which contain sensitive data (client IP addresses). Also, it may contain secret data, for example API keys in the request path or a URL to a private document stored on the server.
Mitigation
Restrict access to this endpoint from outside by default.
CVE References
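As an added illustration of the mitigation (not from the bug report or from Landscape's shipped configuration), the following Apache 2.4 fragment shows the reported rewrite exemption beside an explicit access list on the status handler; the 10.0.0.0/24 range is a placeholder for a management network.

```apache
# Added hardening example, not Landscape's own config. Assumes Apache 2.4
# (mod_authz_core "Require" syntax) with mod_status and mod_rewrite loaded.
#
# The RewriteCond quoted in the report only exempts /server-status from a
# rewrite rule; it says nothing about who may read the page, so any client
# that can reach the vhost can fetch it.
#
# Weak (as reported):
#   RewriteCond %{REQUEST_URI} !^/server-status

# Hardened: bind the handler to loopback plus an administrative network.
# Multiple Require lines inside <Location> combine as RequireAny by default.
<Location "/server-status">
    SetHandler server-status
    Require local
    Require ip 10.0.0.0/24
</Location>

# Optional: ExtendedStatus On is what adds the per-request table (client IP
# and full request line including the query string). Turning it off keeps
# GET-parameter secrets out of the page even for permitted viewers.
ExtendedStatus Off
```

After `apachectl configtest` and a reload, a request for /server-status from an address outside the allowed ranges should return 403, while one from the host itself still renders the page.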
Changed in landscape:
assignee: nobody → Simon Poirier (simpoir)
status: Triaged → In Progress
Changed in landscape:
milestone: none → 19.10.5
Changed in landscape:
status: In Progress → Fix Released
information type: Private Security → Public
information type: Public → Public Security
I have realized that this bug is more serious than I thought. Landscape provides an API, and crucially, while the API is used through HTTP requests, all secrets are sent via GET parameters, for example (https://landscape.canonical.com/static/doc/api/requests.html):

https://landscape.canonical.com/api/?action=GetComputers&access_key_id=0GS7553JW74RRM612K02EXAMPLE&signature_method=HmacSHA256&signature_version=2&timestamp=2011-08-18T08%3A07%3A00Z&version=2011-08-01&signature=W1TCDh39uBCk9MlaZo941Z8%2BTWqRtdgnbCueBrx%2BtvA%3D
All GET parameters will be shown at the /server-status endpoint. The attacker can't create an arbitrary API request, because he doesn't have the API secret key, but he can repeat requests performed by legitimate users within some timeframe.
For example, he can get private information by repeating a GetSettings API request, or perform unauthorized actions using a RebootComputers API request.