Headline
CVE-2023-32550: Bug #1929037 “Apache server-status is accessible after default i...” : Bugs : Landscape Server
Landscape’s server-status page exposed sensitive system information. The leaked data included GET requests containing information that could be used to attack the Landscape API and leak further information from it.
Hi team!
The Apache server-status page usually contains sensitive information, such as the current hosts and requests being processed, the number of idle workers and service requests, and CPU utilization. Sometimes it may contain secret data, for example API keys in the request path or a URL to a private document stored on the server.
This endpoint is open to everyone after a Landscape installation using the Quickstart deployment (https://docs.ubuntu.com/landscape/en/landscape-install-quickstart) or using the Manual installation with a default config (https://docs.ubuntu.com/landscape/en/landscape-install-manual).
Apache conf:
…
RewriteCond %{REQUEST_URI} !^/server-status
…
Very few administrators restrict access to this endpoint after installation. You can see for yourself by using Shodan to search for Landscape servers and trying to visit the /server-status endpoint:
1. Login/Register to your Shodan account
2. Visit https://www.shodan.io/search?query=html%3A%22Welcome%21±+Landscape%22&page=1
3. Try to visit the /server-status endpoint on the servers found
Impact
An attacker can obtain information about requests which contain sensitive data (client IP addresses). Also, it may contain secret data, for example API keys in the request path or a URL to a private document stored on the server.
Mitigation
Restrict access to this endpoint from outside by default.
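For operators who want to know whether their own server-status page was read from outside before access was restricted, the following added example (not part of the original report and not Landscape code) scans an Apache access log for /server-status requests from non-loopback clients. It assumes the Apache "combined" log format; the function names, the trusted network list and the sample log lines are constructed for illustration.

```python
import ipaddress
import re

# Apache "combined" format: client ident user [time] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines (loopback and documentation-range addresses).
SAMPLE_LOG = """\
127.0.0.1 - - [10/May/2023:10:00:01 +0000] "GET /server-status?auto HTTP/1.1" 200 512 "-" "monitor"
203.0.113.7 - - [10/May/2023:10:02:13 +0000] "GET /server-status HTTP/1.1" 200 18342 "-" "curl/7.81.0"
198.51.100.23 - - [10/May/2023:10:05:44 +0000] "GET /server-status?refresh=5 HTTP/1.1" 403 199 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2023:10:06:02 +0000] "GET /login HTTP/1.1" 200 4096 "-" "curl/7.81.0"
::1 - - [10/May/2023:10:07:00 +0000] "GET /server-status HTTP/1.1" 200 18001 "-" "monitor"
this line does not parse
"""


def is_status_path(path):
    """True for /server-status, with or without a query string or sub-path."""
    base = path.split("?", 1)[0]
    return base == "/server-status" or base.startswith("/server-status/")


def external_status_hits(log_text, trusted_nets=("127.0.0.0/8", "::1/128")):
    """Return (served, denied): requests to /server-status from clients outside
    trusted_nets, split by whether Apache answered with a 2xx status."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    served, denied = [], []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not is_status_path(m["path"]):
            continue
        try:
            addr = ipaddress.ip_address(m["client"])
        except ValueError:
            continue  # client logged as a hostname or malformed; not handled here
        if any(addr in net for net in nets):
            continue  # local monitoring traffic
        hit = (m["client"], m["time"], m["path"])
        (served if m["status"].startswith("2") else denied).append(hit)
    return served, denied


if __name__ == "__main__":
    served, denied = external_status_hits(SAMPLE_LOG)
    for client, when, path in served:
        print(f"EXPOSED  {client} read {path} at {when}")
    for client, when, path in denied:
        print(f"blocked  {client} tried {path} at {when}")
```

Any entry in the served list means the page content, including the request URLs it showed at that moment, was delivered to that client, so secrets that appear in URLs should be treated as disclosed.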