Default config exposes /debug/pprof publicly #852

Closed
riptl opened this issue Aug 27, 2021 · 1 comment · Fixed by #1481
Labels
frozen-due-to-age Locked due to a period of inactivity. Please open new issues or PRs if more discussion is needed. keepalive Never close from staleness

Comments


riptl commented Aug 27, 2021

Issue

When installing the Grafana Cloud Agent (version 0.17.0) according to the documented instructions on a server, the agent is going to expose port 12345 to any address (listening at 0.0.0.0) by default.

This server is also exposing the Go pprof debugging API under http://<server>:12345/debug/pprof/.

This is a minor security vulnerability, and common across the Go ecosystem: https://mmcloughlin.com/posts/your-pprof-is-showing
It is likely that any default installations of Grafana Cloud Agent suffer from this problem.

kubelet had the same issue two years ago (CVE-2019-11248). It was rated CVSS 6.4.

Reproduce

Method 1: All in one script

Follow Grafana Cloud's walkthrough instructions to install Grafana Agent.

Method 2: Manual config generator

Run the following command:

grafana-agentctl cloud-config -u <user> -p "<api_key>"

Substitute <user> for your Grafana Cloud username (numeric) and <api_key> for your API key (beginning with ey...).

It would generate a config like so:

...
server:
  http_listen_port: 12345

When looking at the server config, this will indeed run the service under 0.0.0.0:12345: https://grafana.com/docs/agent/latest/configuration/server-config/

# HTTP server listen host. Used for Agent metrics, integrations, and the Agent
# API.
[http_listen_address: <string> | default = "0.0.0.0"]

# HTTP server listen port
[http_listen_port: <int> | default = 80]

Finally, on your server:

$ sudo netstat -ltupn | grep 12345
tcp6       0      0 :::12345                :::*                    LISTEN      15538/grafana-agent 

Fix

The fix is simple: Default http_listen_address to 127.0.0.1.

PS, I could not find any channels for responsible disclosure on your website or in this repo, so I decided to post it here, since the severity is quite low.
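As an added example (not part of the original issue or of the Grafana Agent project), a small Python check a host owner can run to confirm the fix described above: it flags agent listeners bound to a wildcard or any other non-loopback address in `netstat -ltupn` output (a constructed sample modelled on the line above), and reads `http_listen_address` from an agent config, treating a missing key as the pre-fix default of 0.0.0.0. The port set and sample output are assumptions for the demonstration.

```python
"""Flag Grafana Agent listeners that are reachable beyond loopback."""
import ipaddress
import re

# 12345 is the HTTP default from the issue; 12346 is the gRPC default named in the fix commit.
AGENT_PORTS = {12345, 12346}
WILDCARD = {"0.0.0.0", "::", "*"}

# Constructed sample of `sudo netstat -ltupn`: HTTP bound to all interfaces, gRPC to loopback.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:12346         0.0.0.0:*               LISTEN      15538/grafana-agent
tcp6       0      0 :::12345                :::*                    LISTEN      15538/grafana-agent
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
"""


def is_loopback(addr):
    """True for 127.0.0.0/8 and ::1; a wildcard bind is never loopback."""
    if addr in WILDCARD:
        return False
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return addr == "localhost"


def split_netstat_addr(local):
    """netstat -n prints '0.0.0.0:12345', ':::12345' or '::1:12346'; the port follows the last colon."""
    host, _, port = local.rpartition(":")
    return host, int(port)


def exposed_listeners(netstat_output, ports=AGENT_PORTS):
    """Return LISTEN sockets on the agent ports whose bind address is not loopback."""
    findings = []
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[5] != "LISTEN":  # header, UDP rows and blanks fall out here
            continue
        host, port = split_netstat_addr(fields[3])
        if port in ports and not is_loopback(host):
            findings.append({"proto": fields[0], "addr": host, "port": port, "program": fields[-1]})
    return findings


def configured_listen_address(config_text):
    """Return server.http_listen_address from an agent config; absent means the old default 0.0.0.0."""
    m = re.search(r"^\s*http_listen_address:\s*['\"]?([^'\"\s]+)", config_text, re.M)
    return m.group(1) if m else "0.0.0.0"
```

A config that sets `http_listen_address: 127.0.0.1`, as the fix proposes, yields no findings on the HTTP port once the agent is restarted.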

@riptl riptl changed the title Server exposed on 0.0.0.0:12345 with pprof metrics by default Default config exposes /debug/pprof publicly Aug 27, 2021
Member

rfratto commented Aug 27, 2021

Thanks for reporting. I will talk with the team about this to decide next steps.

@rfratto rfratto added the keepalive Never close from staleness label Aug 27, 2021
rfratto added a commit to rfratto/agent that referenced this issue Mar 10, 2022
…1:12346

This commit changes the default listen addresses to be 127.0.0.1:12345
(for HTTP) and 127.0.0.1:12346 (for gRPC). This makes listening on all
interfaces opt-in rather than opt-out, avoiding accidental overexposure
of access.

Closes grafana#852.

Additionally, the `-reload-addr` and `-reload-port` flags have been
removed as a follow up to grafana#1476. Now that the HTTP and gRPC server are
static for the lifetime of the application, it is impossible for the
user to change their configuration file in such a way to cause it to
shut down while performing a reload. This means that the `-reload-addr`
and `-reload-port` no longer have a use and can be removed safely.
rfratto added a commit that referenced this issue Mar 14, 2022
* server: Change default listen addresses to 127.0.0.1:12345 / 127.0.0.1:12346

This commit changes the default listen addresses to be 127.0.0.1:12345
(for HTTP) and 127.0.0.1:12346 (for gRPC). This makes listening on all
interfaces opt-in rather than opt-out, avoiding accidental overexposure
of access.

Closes #852.

Additionally, the `-reload-addr` and `-reload-port` flags have been
removed as a follow up to #1476. Now that the HTTP and gRPC server are
static for the lifetime of the application, it is impossible for the
user to change their configuration file in such a way to cause it to
shut down while performing a reload. This means that the `-reload-addr`
and `-reload-port` no longer have a use and can be removed safely.

* fix extra references to old flags / port defaults

* config: fix test

* fix test assertion for reload address change
@github-actions github-actions bot added the frozen-due-to-age Locked due to a period of inactivity. Please open new issues or PRs if more discussion is needed. label Feb 22, 2024
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Feb 22, 2024