fluentd-ui icon indicating copy to clipboard operation
fluentd-ui copied to clipboard
verified publisher icon fluent

There is a remote command execution vulnerability on version 0.12-1.0

Open xu-xiang opened this issue 6 years ago • 6 comments

vulnerability info

After the default deployment of Fluentd-ui, it is not mandatory to change the password and there is a default password.

$ sudo /usr/sbin/td-agent-ui start
Puma 2.9.2 starting...
* Min threads: 0, max threads: 16
* Environment: production
* Listening on tcp://0.0.0.0:9292

Then, open http://localhost:9292/ by your browser.
The default account is username="admin" and password="changeme"

And there is a built-in command execution plug-in for flund. Therefore, in the case of replacement after deployment, there is a remote command execution vulnerability.

in_exec is included in Fluentd's core. No additional installation process is required.
<source>
  @type exec
  command cmd arg arg
  keys k1,k2,k3
  tag_key k1
  time_key k2
  time_format %Y-%m-%d %H:%M:%S
  run_interval 10s
</source>

Many products have the same function,but security by default

such as:

Permissions
Because malicious users sometimes attempt to elevate their privileges by using xp_cmdshell, xp_cmdshell is disabled by default. Use sp_configure or Policy Based Management to enable it. For more information, see xp_cmdshell Server Configuration Option.

When first enabled, xp_cmdshell requires CONTROL SERVER permission to execute and the Windows process created by xp_cmdshell has the same security context as the SQL Server service account. The SQL Server service account often has more permissions than are necessary for the work performed by the process created by xp_cmdshell. To enhance security, access to xp_cmdshell should be restricted to highly privileged users.

Security recommendations

By default, security should adhere to the default security principles.

  • First, the in_exec Input plugin should be disabled by default. If the user actually uses the function, it should be turned on separately. This can protect all users who do not use the function
  • In addition, the login password should be randomly generated or changed after the first login.

xu-xiang avatar Dec 10 '19 06:12 xu-xiang

this issue is fluent-ui's one. I'll transfer this issue to https://github.com/fluent/fluentd-ui/

ganmacs avatar Dec 10 '19 07:12 ganmacs 

* In addition, the login password should be randomly generated or changed after the first login.

Changing password is notified:

  • https://github.com/fluent/fluentd-ui/issues/1

password-change-notification

ashie avatar Mar 09 '20 03:03 ashie

Hello, one of the maintainers of ruby-advisory-db here, and I was wondering if this vulnerability (aka GHSA-wrxf-x8rm-6ggg / CVE-2020-21514) was ever patched? Was it really patched in 1.0? GHSA-wrxf-x8rm-6ggg claims the vulnerability was never patched, and I would like to be sure before adding it to ruby-advisory-db.

postmodern avatar Aug 12 '23 13:08 postmodern