Apache server-status is accessible after default installation

Bug #1929037 reported by Anton
Affects: Landscape Server | Status: Fix Released | Importance: Critical | Assigned to: Simon Poirier | Milestone: 19.10.5

Bug Description

Hi team!

The Apache server-status page usually contains sensitive information such as the current hosts and requests being processed, the number of idle and busy workers, and CPU utilization. Sometimes it may contain secret data, for example API keys in the request path, or the URL of a private document stored on the server.

This endpoint is open to everyone after a Landscape installation using the Quickstart deployment (https://docs.ubuntu.com/landscape/en/landscape-install-quickstart) or the Manual installation with the default config (https://docs.ubuntu.com/landscape/en/landscape-install-manual).
Apache conf:
...
RewriteCond %{REQUEST_URI} !^/server-status
...

Very few administrators restrict access to this endpoint after installation. You can see for yourself by using Shodan to search for Landscape servers and trying to visit the /server-status endpoint:
1. Log in to / register your Shodan account
2. Visit https://www.shodan.io/search?query=html%3A%22Welcome%21+-+Landscape%22&page=1
3. Try to visit the /server-status endpoint on the servers found

Impact
An attacker can obtain information about requests that contain sensitive data (client IP addresses). It may also contain secret data, for example API keys in the request path or the URL of a private document stored on the server.

Mitigation
Restrict access to this endpoint from outside by default.

Revision history for this message
Anton (ivanovant) wrote:

I have realized that this bug is more serious than I thought. Landscape provides an API, and crucially, while the API is used through HTTP requests, all secrets are sent via GET parameters, for example (https://landscape.canonical.com/static/doc/api/requests.html):
https://landscape.canonical.com/api/
    ?action=GetComputers&
    access_key_id=0GS7553JW74RRM612K02EXAMPLE&
    signature_method=HmacSHA256&
    signature_version=2&
    timestamp=2011-08-18T08%3A07%3A00Z&
    version=2011-08-01&
    signature=W1TCDh39uBCk9MlaZo941Z8%2BTWqRtdgnbCueBrx%2BtvA%3D
All GET parameters will be shown at the /server-status endpoint. The attacker can't create an arbitrary API request, because he doesn't have the API secret key, but he can repeat requests performed by legitimate users within some timeframe.
For example, he can get private information by repeating a GetSettings API request, or perform unauthorized actions using a RebootComputers API request.
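A triage helper for the two points above (the mod_status leak in the bug description and the replayable signed API requests in this comment), written as an added example; it is not Landscape's or Apache's own code. It takes the HTML body of a /server-status response, decides whether it is mod_status output, parses the per-worker request table by its own column headers, and pulls out every request under an assumed API prefix of /api/ whose query string carries an access_key_id, timestamp and signature. The sample page, host names, client IPs, access key and signatures are all constructed; the 900-second replay window in replayable() is an assumption, since the page does not state how long Landscape accepts a signed timestamp.

```python
"""Triage helper for an exposed Apache mod_status page (added example).

Given the HTML body of /server-status, report whether it is mod_status
output and list Landscape API requests whose query string carries a
signature v2 credential set, i.e. requests that could be repeated verbatim
while the server still accepts their signed timestamp.
"""
import re
from datetime import datetime, timezone
from html import unescape
from urllib.error import HTTPError
from urllib.parse import parse_qs, urlsplit
from urllib.request import Request, urlopen

# Constructed sample of the per-worker table that ExtendedStatus renders.
# Host names, client IPs, the access key and both signatures are made up.
SAMPLE_STATUS_HTML = """
<html><head><title>Apache Status</title></head><body>
<h1>Apache Server Status for landscape.example.test (via 10.0.0.5)</h1>
<table border="0"><tr><th>Srv</th><th>PID</th><th>Acc</th><th>M</th><th>CPU</th>
<th>SS</th><th>Req</th><th>Conn</th><th>Child</th><th>Slot</th><th>Client</th>
<th>Protocol</th><th>VHost</th><th>Request</th></tr>
<tr><td><b>0-0</b></td><td>1234</td><td>0/12/12</td><td>W</td><td>0.03</td><td>0</td>
<td>2</td><td>0.0</td><td>0.10</td><td>0.10</td><td>203.0.113.7</td><td>http/1.1</td>
<td>landscape.example.test:443</td><td nowrap>GET /api/?action=GetComputers&amp;access_key_id=AKIAEXAMPLEKEY&amp;signature_method=HmacSHA256&amp;signature_version=2&amp;timestamp=2023-05-02T10%3A15%3A00Z&amp;version=2011-08-01&amp;signature=W1TCDh39uBCk9MlaZo941Z8%2BTWqRtdgnbCueBrx%2BtvA%3D HTTP/1.1</td></tr>
<tr><td><b>0-1</b></td><td>1235</td><td>0/3/3</td><td>_</td><td>0.00</td><td>5</td>
<td>1</td><td>0.0</td><td>0.01</td><td>0.01</td><td>198.51.100.9</td><td>http/1.1</td>
<td>landscape.example.test:443</td><td nowrap>GET /static/css/main.css HTTP/1.1</td></tr>
<tr><td><b>0-2</b></td><td>1236</td><td>1/40/40</td><td>W</td><td>0.20</td><td>0</td>
<td>7</td><td>0.0</td><td>0.55</td><td>0.55</td><td>203.0.113.7</td><td>http/1.1</td>
<td>landscape.example.test:443</td><td nowrap>POST /api/?action=RebootComputers&amp;computer_ids.1=42&amp;access_key_id=AKIAEXAMPLEKEY&amp;signature_method=HmacSHA256&amp;signature_version=2&amp;timestamp=2023-05-02T10%3A15%3A30Z&amp;version=2011-08-01&amp;signature=abc123%3D HTTP/1.1</td></tr>
</table></body></html>
"""

TR = re.compile(r"<tr[^>]*>(.*?)</tr>", re.S)
TH = re.compile(r"<th[^>]*>(.*?)</th>", re.S)
TD = re.compile(r"<td[^>]*>(.*?)</td>", re.S)
TAGS = re.compile(r"<[^>]+>")


def _text(cell):
    """Strip inner tags and HTML entities from one table cell."""
    return unescape(TAGS.sub("", cell)).strip()


def is_mod_status(body):
    """True when the body looks like Apache mod_status output."""
    return "<title>Apache Status</title>" in body or "Apache Server Status for" in body


def worker_rows(body):
    """One dict per worker row, keyed by the table's own column headers."""
    rows, headers = [], None
    for tr in TR.findall(body):
        ths = [_text(h) for h in TH.findall(tr)]
        if ths:
            headers = ths          # header row precedes the worker rows
            continue
        tds = [_text(d) for d in TD.findall(tr)]
        if headers and len(tds) == len(headers):
            rows.append(dict(zip(headers, tds)))
    return rows


def signed_api_requests(body, api_prefix="/api/"):
    """Requests under api_prefix (assumed path) carrying a signed credential set."""
    found = []
    for row in worker_rows(body):
        parts = row.get("Request", "").split(" ")
        if len(parts) < 2:
            continue
        method, target = parts[0], parts[1]
        url = urlsplit(target)
        if not url.path.startswith(api_prefix):
            continue
        q = {k: v[0] for k, v in parse_qs(url.query).items()}
        if not {"access_key_id", "signature", "timestamp"}.issubset(q):
            continue
        found.append({"client": row.get("Client", ""), "method": method,
                      "target": target, "action": q.get("action", ""),
                      "access_key_id": q["access_key_id"],
                      "timestamp": q["timestamp"]})
    return found


def _parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def replayable(req, now_iso, window_seconds=900):
    """A leaked signed request can be repeated while its timestamp is still
    accepted. The 900 s window is an assumption, not a documented Landscape value."""
    return abs((_parse_ts(now_iso) - _parse_ts(req["timestamp"])).total_seconds()) <= window_seconds


def fetch_status(base_url, timeout=10):
    """Fetch /server-status from a live host (network required). Returns (status, body)."""
    req = Request(base_url.rstrip("/") + "/server-status",
                  headers={"User-Agent": "mod_status-check/0.1"})
    try:
        with urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except HTTPError as e:
        return e.code, ""


if __name__ == "__main__":
    body = SAMPLE_STATUS_HTML
    print("mod_status page:", is_mod_status(body))
    for r in signed_api_requests(body):
        print(f"{r['client']} {r['method']} action={r['action']} "
              f"key={r['access_key_id']} ts={r['timestamp']}")
```

On a live target, replace SAMPLE_STATUS_HTML with the body returned by fetch_status(); a 403 there means the host already restricts the handler, while a 200 with is_mod_status() true is the condition this bug describes. Any row returned by signed_api_requests() is a complete, already-signed request, which is why the leak is worse than a plain information disclosure.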

Simon Poirier (simpoir) wrote:

My first feeling was that this might have been a bad default from the apache package for enabling mod_status.
But it's definitely bad on our side to proxy requests to the local mod_status from the outside.
Will fix that ASAP.
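The shape of the fix this comment describes, as an added example configuration; it is not Landscape's shipped vhost, whose contents are not on this page. The weak fragment reproduces the pattern from the bug description (a rewrite that exempts /server-status from the proxy, so the handler answers on the public vhost); the hardened one keeps the handler but restricts it to the loopback peer. The backend address 127.0.0.1:8080 is assumed.

```apache
# Weak: everything except /server-status is proxied to the application, so
# /server-status falls through to mod_status on the public vhost and any
# client that reaches the vhost can read it.
<VirtualHost *:443>
    RewriteEngine On
    RewriteCond %{REQUEST_URI} !^/server-status
    RewriteRule ^/(.*) http://127.0.0.1:8080/$1 [P,L]
</VirtualHost>

# Hardened: same proxy rule, but the handler is only served to requests that
# arrive from the local host; remote clients get 403.
<VirtualHost *:443>
    <Location "/server-status">
        SetHandler server-status
        Require local
    </Location>
    RewriteEngine On
    RewriteCond %{REQUEST_URI} !^/server-status
    RewriteRule ^/(.*) http://127.0.0.1:8080/$1 [P,L]
</VirtualHost>
```

Two caveats when applying this. "Require local" judges the address of the connecting peer, so behind a load balancer or another reverse proxy it would admit that proxy; use "Require ip" with the administrative network instead. And the per-worker request table that leaks query strings is only rendered with ExtendedStatus On, which is the Apache 2.4 default once mod_status is loaded, so turning it off (ExtendedStatus Off) removes the request column even if the page is later re-exposed. Verify after a reload: curl from a remote host should return 403 for /server-status while curl against http://127.0.0.1/server-status on the box still returns the page.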

Changed in landscape:
status: New → Triaged
importance: Undecided → Critical
Anton (ivanovant) wrote:

Hello!

Thanks for the update. Will you assign a CVE to this bug?

Simon Poirier (simpoir)
Changed in landscape:
assignee: nobody → Simon Poirier (simpoir)
status: Triaged → In Progress
Simon Poirier (simpoir)
Changed in landscape:
milestone: none → 19.10.5
Simon Poirier (simpoir)
Changed in landscape:
status: In Progress → Fix Released
Anton (ivanovant)
information type: Private Security → Public
Alex Murray (alexmurray)
information type: Public → Public Security
Mark Esler (eslerm) wrote:

Thank you for reporting this vulnerability Anton.

Please refer to this vulnerability as CVE-2023-32550.
