
[CVE-2019-12105] Unauthenticated user can read log files or restart a service #1245

Closed
mnaberez opened this issue May 29, 2019 · 1 comment

Comments

@mnaberez
Member

Luan Souza ([email protected]) wrote in email:

So, I was searching for vulnerabilities in my work company and I found supervisord. It's a good service, but the user doesn't need authentication to view logs or restart a service. This is called a misconfiguration, because some people put this online and anyone can access it, view logs and restart services. Therefore I submitted it for a CVE; they required me to contact the developer to see if the bug will be fixed and how much time is needed to do so.

Best regards,

    > [Suggested description]
    > In supervisord in Supervisor through 4.0.2,
    > an unauthenticated user can read log files or restart a service.
    >
    > ------------------------------------------
    >
    > [Additional Information]
    > http://supervisord.org/
    >
    > ------------------------------------------
    >
    > [VulnerabilityType Other]
    > Missing Authentication for Critical Function
    >
    > ------------------------------------------
    >
    > [Vendor of Product]
    > Supervisor
    >
    > ------------------------------------------
    >
    > [Affected Product Code Base]
    > Supervisord - <= 4.02
    >
    > ------------------------------------------
    >
    > [Attack Type]
    > Context-dependent
    >
    > ------------------------------------------
    >
    > [Impact Denial of Service]
    > true
    >
    > ------------------------------------------
    >
    > [Impact Information Disclosure]
    > true
    >
    > ------------------------------------------
    >
    > [CVE Impact Other]
    > get sensitive data from logs
    >
    > ------------------------------------------
    >
    > [Attack Vectors]
    > Just open the url and port used by supervisord
    >
    > ------------------------------------------
    >
    > [Discoverer]
    > Luan,monad
    >
    > ------------------------------------------
    >
    > [Reference]
    > http://supervisord.org/configuration.html#supervisorctl-section-settings

    Use CVE-2019-12105.


    -- 
    CVE Assignment Team
    M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
    [ A PGP key is available for encrypted communications at
      http://cve.mitre.org/cve/request_id.html ]
@mnaberez
Member Author

mnaberez commented May 29, 2019

So, I was searching for vulnerabilities in my work company and I found supervisord. It's a good service, but the user doesn't need authentication to view logs or restart a service

Supervisor requires that a configuration file be created before supervisord can be started. It will not start without one. This project, Supervisor, only publishes Python packages to PyPI. Our packages do not include a configuration file.

Our packages only provide a command, echo_supervisord_conf, that prints an example configuration to stdout. The user must save that output to disk and then tailor it to the environment. The example configuration file printed by echo_supervisord_conf does not have the inet_http_server enabled.

Since the echo_supervisord_conf command was introduced in Supervisor 3.0a4 (released in 2008), it has included these lines:

;[inet_http_server]         ; inet (TCP) server disabled by default
;port=127.0.0.1:9001        ; ip_address:port specifier, *:port for all iface
;username=user              ; default is no username (open server)
;password=123               ; default is no password (open server)

The inet_http_server is not enabled unless the user decides to uncomment these lines. The user uncommenting these lines can choose to have it run as an open server by leaving the username= and password= commented out. It is clearly noted that the defaults are an open server. If authentication is not enabled, this message will be printed at the critical level every time supervisord starts:

2019-05-29 07:22:12,195 CRIT Server 'inet_http_server' running without any HTTP authentication checking

, this is called a misconfiguration, because some people put this online and anyone can access it, view logs and restart services
therefore I submitted it for a CVE; they required me to contact the developer to see if the bug will be fixed and how much time is needed to do so.

  • This project, Supervisor, only publishes Python packages to PyPI and those packages do not include a configuration file.
  • supervisord requires a configuration file to start.
  • Our packages do provide a tool, echo_supervisord_conf, that will print an example configuration to stdout.
  • The example output of echo_supervisord_conf does not have the inet_http_server enabled.
  • If the user enables inet_http_server but does not enable authentication, a message at the critical level is logged at startup letting them know.

I do not think this should have been a CVE. The ability to run an open server will not be removed because users often use it for local development. However, an additional warning message was added to the documentation.

Note: Supervisor is re-packaged for various distributions. Those packages are created by others who are not involved with the Supervisor project. Those packages may contain changes such as code modifications, init scripts, or included configuration files. We have no way to know what all the various third party packages do with regards to this issue, and only they can change their packages.
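A defender-side check for the misconfiguration discussed in this thread, written as an added example (it is not part of the Supervisor project or of this issue): it parses a supervisord configuration and reports an [inet_http_server] section that is enabled with no username/password, or bound outside loopback. It assumes Python's configparser is close enough to Supervisor's own parser for this section, and that a bare port with no host binds all interfaces, as the sample config's "*:port for all iface" comment describes.

```python
import configparser
import ipaddress

SECTION = "inet_http_server"

# Constructed sample (not the project's file): the commented-out block from
# echo_supervisord_conf, but with the server enabled and left open on all interfaces.
SAMPLE_CONF = """\
[supervisord]
logfile=%(here)s/supervisord.log

[inet_http_server]         ; inet (TCP) server enabled here
port=*:9001                ; *:port binds all interfaces
;username=user             ; default is no username (open server)
;password=123              ; default is no password (open server)
"""


def _is_loopback(host: str) -> bool:
    """True for 127.0.0.0/8, ::1 and the literal name 'localhost'."""
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def audit_inet_http_server(conf_text: str) -> list:
    """Return findings for [inet_http_server]; an empty list means nothing to report."""
    # interpolation=None keeps supervisord's %(here)s from confusing configparser;
    # ';' and '#' after whitespace are inline comments, as in echo_supervisord_conf output.
    parser = configparser.ConfigParser(interpolation=None, inline_comment_prefixes=(";", "#"))
    parser.read_string(conf_text)
    if not parser.has_section(SECTION):
        return []  # section absent or still commented out: the TCP server is disabled
    section = parser[SECTION]
    findings = []
    raw = section.get("port", "").strip()
    # Assumption: a bare port (no host part) binds all interfaces, like the documented "*:port".
    host = raw.rpartition(":")[0].strip("[]") if ":" in raw else "*"
    if not _is_loopback(host):
        findings.append(f"listens on non-loopback address {host or '*'}")
    if not section.get("username", "").strip():
        findings.append("no username set (open server)")
    if not section.get("password", "").strip():
        findings.append("no password set (open server)")
    return findings


if __name__ == "__main__":
    for finding in audit_inet_http_server(SAMPLE_CONF) or ["no findings"]:
        print(finding)
```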

@Supervisor Supervisor locked and limited conversation to collaborators May 29, 2019