Date: Sat, 8 Aug 2020 14:17:04 -0400
From: Jeffrey Walton <noloader@...il.com>
To: Bastian Blank <bblank@...nkmo.de>
Cc: oss-security@...ts.openwall.com
Subject: Re: Voiding CVE-2020-16248

On Sat, Aug 8, 2020 at 1:46 PM Bastian Blank <bblank@...nkmo.de> wrote:
>
> Hi Richard
>
> On Sat, Aug 08, 2020 at 10:49:14AM +0200, Richard Hartmann wrote:
> > the Prometheus project[1] has received a public "vulnerability"
> > report[2] against what the reporter called SSRF, but what is the core
> > functionality of blackbox_exporter[3]: The ability to trigger network
> > probes over the network to monitor a target's availability.
>
> Could you please explain yourself why you think this is not a
> vulnerability?  Even wanted functionality can constitute a vulnerability
> if looked on closer.
>
> The software allows sending pre-defined requests to arbitrary targets
> and extracting at least parts of the response.  This is a typical SSRF.
> Would you require specifying the allowed targets, no one would ask.

ICMP and the root user requirement make blackbox_exporter a good target.

It also looks like a confused deputy to me, which also makes it a
privilege escalation.

Naively, it looks like a feature that provides an attacker
reconnaissance capabilities and allows network enumeration.

Jeff
