
Security risk: vulnerable to DNS rebinding attacks

Open ttttmr opened this issue 2 years ago • 2 comments

Brim listens on port 9867 by default, without authentication and without checking the host. You can use a DNS rebinding attack to obtain data in Brim.

Attack example

1. The victim opens Brim and imports a pcap for analysis.
2. The analysis finds a URL, which the victim copies and opens in a browser (it was a malicious link).
3. The website uses DNS rebinding to attack Brim (port 9867) and obtain data (just like the client).

Mitigation

- Check the host: only allow localhost or 127.0.0.1, no other hosts are allowed.
- Or use authentication, preferably with a randomly generated password, or listen on a random port (this increases the cost of the attack, but it can still be attacked in essence).

ttttmr, Jan 11 '22 07:01

@ttttmr Thank you for bringing this to my attention. I'll be working with the backend zed serve team to find a way to fix this.

jameskerr, Jan 12 '22 16:01

Also, thank you for the clear example and the steps to mitigate. That was very helpful.

jameskerr, Jan 12 '22 16:01