Nessus reports CGI security issues on the prometheus server. #5439

Closed
reachlin opened this Issue Apr 9, 2019 · 4 comments

reachlin commented Apr 9, 2019

We found the following issues on the prometheus server by Nessus:

  • CGI Generic Command Execution (time-based). It may be possible to run arbitrary code on the remote web server.
  • CGI Generic SQL Injection (blind). A CGI application hosted on the remote web server is potentially prone to SQL injection attack.
  • CGI Generic SQL Injection (blind, time based). A CGI application hosted on the remote web server is potentially prone to SQL injection attack.

hoffie commented Apr 9, 2019

Can you provide some more details on the actual requests? Maybe Nessus has them, if not, try capturing them using tcpdump or debug logs.

I highly suspect that these are false positives. Prometheus does not execute external commands, so I don't see a way for code execution via shell injection. Classical buffer overflows are also unlikely due to usage of Go.

Regarding SQL injection: Nessus may detect the PromQL-supporting APIs as SQL injection. However, this is by design. I guess most people with critical production data bind Prometheus to localhost and permit external access via an authenticating reverse proxy only.
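The deployment pattern mentioned above (Prometheus bound to loopback, external access only through an authenticating reverse proxy) as a minimal Go program. This is an added example, not code from the Prometheus project or from this thread. It assumes Prometheus listens on `127.0.0.1:9090` (the `--web.listen-address` flag), that the password arrives in a hypothetical `PROM_PASS` environment variable, and that the proxy itself is run behind TLS (`http.ListenAndServeTLS` instead of `http.ListenAndServe`) so the basic-auth header is not sent in the clear.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"log"
	"net/http"
	"net/http/httputil"
	"net/url"
	"os"
)

// credentialsMatch compares user and password in constant time. Hashing both
// sides first means the comparison does not leak the length of the expected
// secret, and the single `&` (not `&&`) avoids short-circuiting on the user.
func credentialsMatch(gotUser, gotPass, wantUser, wantPass string) bool {
	hu, hp := sha256.Sum256([]byte(gotUser)), sha256.Sum256([]byte(gotPass))
	wu, wp := sha256.Sum256([]byte(wantUser)), sha256.Sum256([]byte(wantPass))
	return (subtle.ConstantTimeCompare(hu[:], wu[:]) &
		subtle.ConstantTimeCompare(hp[:], wp[:])) == 1
}

// NewAuthProxy returns a handler that forwards to upstream only when the client
// presents the expected HTTP basic-auth credentials. Anything else is answered
// with 401 here and never reaches the PromQL-capable API behind it.
func NewAuthProxy(upstream *url.URL, user, pass string) http.Handler {
	proxy := httputil.NewSingleHostReverseProxy(upstream)
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		u, p, ok := r.BasicAuth()
		if !ok || !credentialsMatch(u, p, user, pass) {
			w.Header().Set("WWW-Authenticate", `Basic realm="prometheus"`)
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		r.Header.Del("Authorization") // the upstream never sees the credentials
		proxy.ServeHTTP(w, r)
	})
}

func main() {
	// Assumed deployment: Prometheus started with --web.listen-address=127.0.0.1:9090,
	// so only this proxy (on the same host) can reach it.
	upstream, err := url.Parse("http://127.0.0.1:9090")
	if err != nil {
		log.Fatal(err)
	}
	pass := os.Getenv("PROM_PASS") // hypothetical: password supplied via the environment
	if pass == "" {
		log.Fatal("PROM_PASS not set")
	}
	// In production use ListenAndServeTLS here so credentials are not sent in clear text.
	log.Fatal(http.ListenAndServe(":8080", NewAuthProxy(upstream, "prom", pass)))
}
```

With this in front, a scanner run against the proxy from outside sees nothing but 401 responses for every path, including the query API, because the request is rejected before it is forwarded.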


reachlin commented Apr 9, 2019

 (TCP/30915) Vulnerability State: New
Using the GET HTTP method, Nessus found that :
+ The following resources may be vulnerable to arbitrary command execution (time based) :
+ The 'id' parameter of the /manager/logs CGI :
/manager/logs?id=650572%7C%7C%20sleep%205%20%26
-------- output --------
<html>
<head><title>Blackbox Exporter</title></head>
<body>
<h1>Blackbox Exporter</h1>
<p><a href="/probe?target=prometheus.io&module=http_2xx">Probe pro [...]
<p><a href="/probe?target=prometheus.io&module=http_2xx&debug=true [...]
<p><a href="/metrics">Metrics</a></p>
<p><a href="/config">Configuration</a></p>
9
<h2>Recent Probes</h2>
<table border='1'><tr><th>Module</th><th>Target</th><th>Result</th [...]
[...]
(TCP/30915) Vulnerability State: New
Using the GET HTTP method, Nessus found that :
+ The following resources may be vulnerable to arbitrary command execution (time based) :
+ The 'debug' parameter of the /probe CGI :
/probe?target=prometheus.io&module=http_2xx&debug=true%20;%20x%20%7C%7C%
20sleep%203%20%26
-------- output --------
------------------------

beorn7 commented Apr 9, 2019

  • The reported output appears to be from the blackbox exporter, not from the Prometheus server.
  • Prometheus doesn't use SQL databases.
  • There is no /manager/logs endpoint. What you are seeing is the default page. It doesn't even process the id URL parameter.
  • Certainly, the /probe endpoint does a lot of things. Some time based scanning method would be naturally noisy here.

This all looks like a false positive. Nothing hints towards an actual problem.
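A way to confirm the two points made above (the flagged path is just the default page, and the `id` parameter is never read) against your own exporter, as an added example that is not part of this thread or of the blackbox exporter's code. It deliberately does not replay the scanner's payload: it substitutes a harmless marker value for the suspect parameter, then checks whether the response is byte-identical to `/` and to the bare path, and records the round-trip jitter of those neutral requests so you can see how large a delay a time-based finding would have to be to stand out. The `Finding`, `Verdict`, and `Triage` names are this example's own.

```go
package main

import (
	"crypto/sha256"
	"fmt"
	"io"
	"net/http"
	"net/url"
	"os"
	"time"
)

// Finding is one scanner hit as Nessus reports it: the flagged path with its
// query string, and the parameter the scanner believes is injectable.
type Finding struct {
	Path  string
	Param string
}

// Verdict is what the triage learned without replaying any scanner payload.
type Verdict struct {
	CatchAllPage   bool          // the flagged path serves the same body as "/"
	ParamIgnored   bool          // body is identical with and without the parameter
	BaselineMaxRTT time.Duration // slowest neutral request: jitter a time-based finding must exceed
}

// fetch performs one GET and returns the SHA-256 of the body and the round-trip time.
func fetch(client *http.Client, rawURL string) ([32]byte, time.Duration, error) {
	start := time.Now()
	resp, err := client.Get(rawURL)
	if err != nil {
		return [32]byte{}, 0, err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	if err != nil {
		return [32]byte{}, 0, err
	}
	return sha256.Sum256(body), time.Since(start), nil
}

// Triage re-requests the flagged path with the suspect parameter set to a
// neutral marker and compares the answers against "/" and against the bare
// path. A server that answers every unknown path with its index page and never
// reads the parameter yields CatchAllPage=true and ParamIgnored=true, which is
// exactly the /manager/logs situation described in the comment above.
func Triage(client *http.Client, base string, f Finding, repeats int) (Verdict, error) {
	var v Verdict
	u, err := url.Parse(f.Path)
	if err != nil {
		return v, err
	}
	q := u.Query()
	q.Set(f.Param, "triage-marker") // harmless value replaces whatever the scanner sent
	bare := base + u.Path
	neutral := bare + "?" + q.Encode()

	rootHash, _, err := fetch(client, base+"/")
	if err != nil {
		return v, err
	}
	bareHash, _, err := fetch(client, bare)
	if err != nil {
		return v, err
	}
	v.CatchAllPage = bareHash == rootHash
	v.ParamIgnored = true
	for i := 0; i < repeats; i++ {
		h, rtt, err := fetch(client, neutral)
		if err != nil {
			return v, err
		}
		if h != bareHash {
			v.ParamIgnored = false // the parameter changed the response: something parsed it
		}
		if rtt > v.BaselineMaxRTT {
			v.BaselineMaxRTT = rtt
		}
	}
	return v, nil
}

func main() {
	if len(os.Args) != 2 {
		fmt.Fprintln(os.Stderr, "usage: triage http://host:port   (your own exporter)")
		os.Exit(2)
	}
	// The /manager/logs finding from the report. The /probe finding is left out on
	// purpose: requesting /probe makes the exporter probe the named target, so its
	// latency is the target's latency, which is why time-based checks are noisy there.
	f := Finding{Path: "/manager/logs?id=650572", Param: "id"}
	v, err := Triage(&http.Client{Timeout: 10 * time.Second}, os.Args[1], f, 5)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Printf("%+v\n", v)
}
```

Run it as `go run triage.go http://127.0.0.1:<port>` against the exporter that was scanned. A verdict of `CatchAllPage:true ParamIgnored:true` means the path has no handler of its own and the parameter never reaches any code, so there is nothing for a command-injection payload to act on; only a `ParamIgnored:false` result would justify a closer look at that endpoint.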


brian-brazil commented Apr 9, 2019
