Headline
CVE-2020-21514: There is a remote command execution vulnerability on version 0.12-1.0 · Issue #295 · fluent/fluentd-ui
An issue was discovered in Fluent Fluentd v.1.8.0 and Fluent-ui v.1.2.2 allows attackers to gain escilated privlidges and execute arbitrary code due to a default password.
vulnerability info
After the default deployment of Fluentd-ui, it is not mandatory to change the password and there is a default password.
$ sudo /usr/sbin/td-agent-ui start
Puma 2.9.2 starting...
* Min threads: 0, max threads: 16
* Environment: production
* Listening on tcp://0.0.0.0:9292
Then, open http://localhost:9292/ by your browser.
The default account is username="admin" and password="changeme"
And there is a built-in command execution plug-in for flund. Therefore, in the case of replacement after deployment, there is a remote command execution vulnerability.
in_exec is included in Fluentd's core. No additional installation process is required.
<source>
@type exec
command cmd arg arg
keys k1,k2,k3
tag_key k1
time_key k2
time_format %Y-%m-%d %H:%M:%S
run_interval 10s
</source>
Many products have the same function,but security by default
such as:
SQL Server xp_cmdshell
Permissions Because malicious users sometimes attempt to elevate their privileges by using xp_cmdshell, xp_cmdshell is disabled by default. Use sp_configure or Policy Based Management to enable it. For more information, see xp_cmdshell Server Configuration Option.
When first enabled, xp_cmdshell requires CONTROL SERVER permission to execute and the Windows process created by xp_cmdshell has the same security context as the SQL Server service account. The SQL Server service account often has more permissions than are necessary for the work performed by the process created by xp_cmdshell. To enhance security, access to xp_cmdshell should be restricted to highly privileged users.
- huginn
Security recommendations
By default, security should adhere to the default security principles.
- First, the in_exec Input plugin should be disabled by default. If the user actually uses the function, it should be turned on separately. This can protect all users who do not use the function
- In addition, the login password should be randomly generated or changed after the first login.