oss-sec
mailing list archives
Re: Voiding CVE-2020-16248
From: Jeffrey Walton <noloader () gmail com>
Date: Sat, 8 Aug 2020 14:17:04 -0400
On Sat, Aug 8, 2020 at 1:46 PM Bastian Blank <bblank () thinkmo de> wrote:
> Hi Richard
>
> On Sat, Aug 08, 2020 at 10:49:14AM +0200, Richard Hartmann wrote:
> > the Prometheus project[1] has received a public "vulnerability"
> > report[2] against what the reporter called SSRF, but what is the core
> > functionality of blackbox_exporter[3]: The ability to trigger network
> > probes over the network to monitor a target's availability.
>
> Could you please explain yourself why you think this is not a
> vulnerability? Even wanted functionality can constitute a vulnerability
> if looked on closer.
>
> The software allows sending pre-defined requests to arbitrary targets
> and extracting at least parts of the response. This is a typical SSRF.
> Would you require to specify the allowed targets, no one would ask.
>
> ICMP and the root user requirement makes blackbox_exporter a good target.
> It also looks like a confused deputy to me, which also makes it a
> privilege escalation.

Naively, it looks like a feature that provides an attacker
reconnaissance capabilities and allows network enumeration.

Jeff
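The point raised above about specifying the allowed targets is the standard mitigation for a prober that accepts targets from callers. The following is an added example, not code from this thread or from the Prometheus project: a hypothetical probe endpoint in Go that reads a `target` query parameter (assumed here to mirror the exporter's interface) and refuses anything outside an operator-configured allowlist of host names and CIDR ranges, logging each denied request with the caller's address so that enumeration attempts are visible to the operator. The sample policy and targets in `main` are constructed for illustration.

```go
package main

import (
	"fmt"
	"log"
	"net"
	"net/http"
	"net/url"
	"strings"
)

// TargetPolicy decides which probe targets a caller may request.
// Assumption: the operator configures it explicitly; nothing is allowed by default.
type TargetPolicy struct {
	AllowedHosts []string     // exact host names, e.g. "www.example.test"
	AllowedNets  []*net.IPNet // CIDR ranges the prober may reach by IP literal
}

// ParsePolicy builds a policy from host names and CIDR strings, rejecting bad CIDRs.
func ParsePolicy(hosts []string, cidrs []string) (*TargetPolicy, error) {
	p := &TargetPolicy{AllowedHosts: hosts}
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			return nil, fmt.Errorf("bad CIDR %q: %w", c, err)
		}
		p.AllowedNets = append(p.AllowedNets, n)
	}
	return p, nil
}

// hostOf extracts the host part of a target, which may be a bare host or IP,
// a host:port pair, a bracketed IPv6 literal, or a full URL with scheme and path.
func hostOf(target string) (string, error) {
	if strings.Contains(target, "://") {
		u, err := url.Parse(target)
		if err != nil {
			return "", err
		}
		return u.Hostname(), nil
	}
	if h, _, err := net.SplitHostPort(target); err == nil {
		return h, nil
	}
	return strings.Trim(target, "[]"), nil
}

// Allowed reports whether a probe against target may proceed and, if not, why.
// IP literals must fall inside an allowed range (so loopback, link-local and
// RFC 1918 addresses are denied unless the operator lists them); host names must
// match the allowlist exactly and are rejected without being resolved.
func (p *TargetPolicy) Allowed(target string) (bool, string) {
	host, err := hostOf(target)
	if err != nil || host == "" {
		return false, "unparseable target"
	}
	if ip := net.ParseIP(host); ip != nil {
		for _, n := range p.AllowedNets {
			if n.Contains(ip) {
				return true, ""
			}
		}
		return false, "ip not in an allowed range"
	}
	for _, h := range p.AllowedHosts {
		if strings.EqualFold(h, host) {
			return true, ""
		}
	}
	return false, "host not allowlisted"
}

// ProbeHandler wraps a probe function with the policy check. Denied requests are
// logged with the caller's address so that probing attempts appear in the audit trail.
func ProbeHandler(p *TargetPolicy, probe func(target string) string) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		target := r.URL.Query().Get("target")
		ok, reason := p.Allowed(target)
		if !ok {
			log.Printf("probe denied target=%q from=%s reason=%s", target, r.RemoteAddr, reason)
			http.Error(w, "target not permitted", http.StatusForbidden)
			return
		}
		fmt.Fprint(w, probe(target))
	}
}

func main() {
	// Constructed sample configuration: one public host name and one documentation range.
	policy, err := ParsePolicy([]string{"www.example.test"}, []string{"192.0.2.0/24"})
	if err != nil {
		log.Fatal(err)
	}
	for _, t := range []string{"http://www.example.test/", "192.0.2.10:443", "169.254.169.254", "http://127.0.0.1:9090/metrics"} {
		ok, why := policy.Allowed(t)
		fmt.Printf("%-32s allowed=%v %s\n", t, ok, why)
	}
	// The handler is registered but no port is bound, so the example runs without listening.
	http.Handle("/probe", ProbeHandler(policy, func(string) string { return "probe_success 1\n" }))
}
```

Checking IP literals against CIDRs and names against an exact list, rather than resolving names and checking the result, avoids the time-of-check versus time-of-use gap where a name resolves to an internal address only when the probe runs.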