oss-sec mailing list archives

Re: Voiding CVE-2020-16248


From: Jeffrey Walton <noloader () gmail com>
Date: Sat, 8 Aug 2020 14:17:04 -0400

On Sat, Aug 8, 2020 at 1:46 PM Bastian Blank <bblank () thinkmo de> wrote:

> Hi Richard
> 
> On Sat, Aug 08, 2020 at 10:49:14AM +0200, Richard Hartmann wrote:
> > the Prometheus project[1] has received a public "vulnerability"
> > report[2] against what the reporter called SSRF, but what is the core
> > functionality of blackbox_exporter[3]: The ability to trigger network
> > probes over the network to monitor a target's availability.
> 
> Could you please explain why you think this is not a
> vulnerability?  Even wanted functionality can constitute a vulnerability
> if looked at more closely.
> 
> The software allows sending pre-defined requests to arbitrary targets
> and extracting at least parts of the response.  This is a typical SSRF.
> If you required the allowed targets to be specified, no one would ask.
> 
> ICMP and the root user requirement make blackbox_exporter a good target.
> 
> It also looks like a confused deputy to me, which also makes it a
> privilege escalation.

Naively, it looks like a feature that provides an attacker
reconnaissance capabilities and allows network enumeration.

Jeff
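The mitigation Bastian alludes to above, requiring the allowed probe targets to be specified, sketched as an added example. This is not code from the Prometheus project, from blackbox_exporter, or from anyone in this thread; the `/probe?target=` handler, the `allowedNets` ranges (10.20.0.0/16 and 192.0.2.0/24), the `allowedTarget` function and the injectable `resolve` callback are all assumptions made for illustration. The check resolves the target once, refuses it unless every resolved address lies inside an allowed range (so a name that resolves to one allowed and one internal address is rejected), and hands the already-checked addresses to the probe instead of re-resolving the name.

```go
package main

import (
	"errors"
	"fmt"
	"log"
	"net"
	"net/http"
	"net/url"
	"strings"
)

// Hypothetical allow-list: only these ranges may be probed. Values are constructed
// for this example; a real deployment would load them from configuration.
var allowedNets = mustParseCIDRs([]string{"10.20.0.0/16", "192.0.2.0/24"})

func mustParseCIDRs(cidrs []string) []*net.IPNet {
	var out []*net.IPNet
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			panic(err)
		}
		out = append(out, n)
	}
	return out
}

// checkTargetIPs returns an error unless every resolved address falls inside an
// allowed range. Checking every address, not just the first, closes the common
// SSRF trick of a name that resolves to both an allowed and an internal address.
func checkTargetIPs(ips []net.IP, allow []*net.IPNet) error {
	if len(ips) == 0 {
		return errors.New("target resolved to no addresses")
	}
	for _, ip := range ips {
		ok := false
		for _, n := range allow {
			if n.Contains(ip) {
				ok = true
				break
			}
		}
		if !ok {
			return fmt.Errorf("address %s is outside the allowed ranges", ip)
		}
	}
	return nil
}

// targetHost extracts the host from a probe target given either as a bare
// host[:port] (ICMP/TCP style probes) or as a URL (HTTP style probes).
func targetHost(target string) (string, error) {
	if u, err := url.Parse(target); err == nil && u.Scheme != "" && u.Host != "" {
		target = u.Host
	}
	host, _, err := net.SplitHostPort(target)
	if err != nil {
		host = target // no port present
	}
	host = strings.Trim(host, "[]") // bracketed IPv6 literal
	if host == "" {
		return "", errors.New("empty target host")
	}
	return host, nil
}

// allowedTarget is the decision the handler relies on. resolve is injected so the
// check can be exercised offline; in production it is literalOrLookup below.
func allowedTarget(target string, allow []*net.IPNet, resolve func(string) ([]net.IP, error)) ([]net.IP, error) {
	host, err := targetHost(target)
	if err != nil {
		return nil, err
	}
	ips, err := resolve(host)
	if err != nil {
		return nil, fmt.Errorf("resolving %q: %w", host, err)
	}
	if err := checkTargetIPs(ips, allow); err != nil {
		return nil, err
	}
	return ips, nil
}

func literalOrLookup(host string) ([]net.IP, error) {
	if ip := net.ParseIP(host); ip != nil {
		return []net.IP{ip}, nil
	}
	return net.LookupIP(host)
}

func probeHandler(w http.ResponseWriter, r *http.Request) {
	target := r.URL.Query().Get("target")
	ips, err := allowedTarget(target, allowedNets, literalOrLookup)
	if err != nil {
		http.Error(w, "target not allowed: "+err.Error(), http.StatusForbidden)
		return
	}
	// The real probe would run here against ips, not against the name: re-resolving
	// the name after the check would reopen a DNS-rebinding window.
	fmt.Fprintf(w, "probe of %s permitted, addresses %v\n", target, ips)
}

func main() {
	http.HandleFunc("/probe", probeHandler)
	log.Fatal(http.ListenAndServe("127.0.0.1:9115", nil))
}
```

Run it and request `http://127.0.0.1:9115/probe?target=http://169.254.169.254/` to see the cloud metadata address refused, then a target inside 10.20.0.0/16 to see it pass. Binding the listener to loopback is a deliberate choice in the example: an allow-list limits where probes can go, but who may trigger them is a separate control.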

