LDAP Bind credentials world readable in docker #47
Assignees
Comments
|
Thanks @gentoo9ball. I've pushed a fix up to a development branch that will be merged in here when I do the next release (in the next week or so). See 02e8f53 if you want the details of the patch for your local instance before that. |
mmguero
added
nginx
|
For release in 3.1.1 |
mmguero
added a commit
to cisagov/Malcolm
that referenced
this issue
Jul 9, 2021
v3.1.1 development * New features * ["Best Guess" Fingerprinting for ICS Protocols](idaholab#49) - In an effort to help identify more ICS traffic, Malcolm can use "buest guess" method based on transport protocol (e.g., TCP or UDP) and port(s) to categorize potential traffic communicating over some ICS protocols without full parser support. This feature involves a [mapping table](https://github.com/idaholab/Malcolm/blob/master/zeek/config/guess_ics_map.txt) and a [Zeek script](https://github.com/idaholab/Malcolm/blob/master/zeek/config/guess.zeek) to look up the transport protocol and destination and/or source port to make a best guess at whether a connection belongs to one of those protocols. These potential ICS communications are categorized by vendor where possible. The list of ICS protocols' ports was adapted from various public sources, including, but not limited to, [Grassmarlin](https://github.com/nsacyber/GRASSMARLIN/tree/master/GM3/data/fingerprint)'s fingerprints and [ITI/ICS-Security-Tools](https://github.com/ITI/ICS-Security-Tools/blob/master/protocols/PORTS.md)' list of Control Systems Ports. * Improvements and bug fixes * Allow configuring the number of concurrent requests for ClamAV scanning, Yara and Capa via environment variables (`CLAMD_MAX_REQUESTS`, `YARA_MAX_REQUESTS` and `CAPA_MAX_REQUESTS`) * Zeek plugins to detect [CVE-2021-31166](https://github.com/corelight/CVE-2021-31166) and [pingback](https://github.com/corelight/pingback) vulnerabilities * Move creation of custom fields and views to [Arkime's config.ini](https://arkime.com/settings#custom-fields) * LDAP bind credentials world readable in docker (idaholab#47 and #171) * Deny access to uploaded files (#170) * Version bumps * Yara to 4.1.1 * Zeek to 4.0.3 * Spicy to 1.1.0 * Alpine to 3.14 * NGINX to 1.20.1 * Linux kernel to 5.10 (for ISO installs) * urllib3 to 1.26.5 (#169)
mmguero
added a commit
that referenced
this issue
Jul 9, 2021
Merge remote-tracking branch 'cisa/master' * New features * ["Best Guess" Fingerprinting for ICS Protocols](#49) - In an effort to help identify more ICS traffic, Malcolm can use "buest guess" method based on transport protocol (e.g., TCP or UDP) and port(s) to categorize potential traffic communicating over some ICS protocols without full parser support. This feature involves a [mapping table](https://github.com/idaholab/Malcolm/blob/master/zeek/config/guess_ics_map.txt) and a [Zeek script](https://github.com/idaholab/Malcolm/blob/master/zeek/config/guess.zeek) to look up the transport protocol and destination and/or source port to make a best guess at whether a connection belongs to one of those protocols. These potential ICS communications are categorized by vendor where possible. The list of ICS protocols' ports was adapted from various public sources, including, but not limited to, [Grassmarlin](https://github.com/nsacyber/GRASSMARLIN/tree/master/GM3/data/fingerprint)'s fingerprints and [ITI/ICS-Security-Tools](https://github.com/ITI/ICS-Security-Tools/blob/master/protocols/PORTS.md)' list of Control Systems Ports. * Improvements and bug fixes * Allow configuring the number of concurrent requests for ClamAV scanning, Yara and Capa via environment variables (`CLAMD_MAX_REQUESTS`, `YARA_MAX_REQUESTS` and `CAPA_MAX_REQUESTS`) * Zeek plugins to detect [CVE-2021-31166](https://github.com/corelight/CVE-2021-31166) and [pingback](https://github.com/corelight/pingback) vulnerabilities * Move creation of custom fields and views to [Arkime's config.ini](https://arkime.com/settings#custom-fields) * LDAP bind credentials world readable in docker (#47 and cisagov#171) * Deny access to uploaded files (cisagov#170) * Version bumps * Yara to 4.1.1 * Zeek to 4.0.3 * Spicy to 1.1.0 * Alpine to 3.14 * NGINX to 1.20.1 * Linux kernel to 5.10 (for ISO installs) * urllib3 to 1.26.5 (cisagov#169)
mmguero
added a commit
to mmguero-dev/Malcolm
that referenced
this issue
Jul 9, 2021
v3.1.1 development * New features * ["Best Guess" Fingerprinting for ICS Protocols](idaholab#49) - In an effort to help identify more ICS traffic, Malcolm can use "buest guess" method based on transport protocol (e.g., TCP or UDP) and port(s) to categorize potential traffic communicating over some ICS protocols without full parser support. This feature involves a [mapping table](https://github.com/idaholab/Malcolm/blob/master/zeek/config/guess_ics_map.txt) and a [Zeek script](https://github.com/idaholab/Malcolm/blob/master/zeek/config/guess.zeek) to look up the transport protocol and destination and/or source port to make a best guess at whether a connection belongs to one of those protocols. These potential ICS communications are categorized by vendor where possible. The list of ICS protocols' ports was adapted from various public sources, including, but not limited to, [Grassmarlin](https://github.com/nsacyber/GRASSMARLIN/tree/master/GM3/data/fingerprint)'s fingerprints and [ITI/ICS-Security-Tools](https://github.com/ITI/ICS-Security-Tools/blob/master/protocols/PORTS.md)' list of Control Systems Ports. * Improvements and bug fixes * Allow configuring the number of concurrent requests for ClamAV scanning, Yara and Capa via environment variables (`CLAMD_MAX_REQUESTS`, `YARA_MAX_REQUESTS` and `CAPA_MAX_REQUESTS`) * Zeek plugins to detect [CVE-2021-31166](https://github.com/corelight/CVE-2021-31166) and [pingback](https://github.com/corelight/pingback) vulnerabilities * Move creation of custom fields and views to [Arkime's config.ini](https://arkime.com/settings#custom-fields) * LDAP bind credentials world readable in docker (idaholab#47 and cisagov#171) * Deny access to uploaded files (cisagov#170) * Version bumps * Yara to 4.1.1 * Zeek to 4.0.3 * Spicy to 1.1.0 * Alpine to 3.14 * NGINX to 1.20.1 * Linux kernel to 5.10 (for ISO installs) * urllib3 to 1.26.5 (cisagov#169)
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
created from cisagov#171
🐛 Summary
What's wrong? Please be specific.
LDAP Bind credentials in this file are readable by anyone. Can we put some permissions on the file when it gets created in the nginx entrypoint?
-rw-r--r-- /var/lib/docker/overlay2/*****/diff/etc/nginx/nginx_ldap_rt.conf
To reproduce
Steps to reproduce the behavior:
Expected behavior
Readable only by user running nginx
What did you expect to happen that didn't?
Any helpful log output or screenshots
Paste the results here:
Add any screenshots of the problem here.
The text was updated successfully, but these errors were encountered: