Solved

Cerebro http on port 2020 and security

  • 26 November 2019
  • 6 replies
  • 1976 views


Hi all,

A network security audit on a customer infrastructure reported a vulnerability on the Cerebro HTTP service (port 2020), which is open over HTTP on every CVM and without any security prompt.

Some sensitive information is visible:

 - AOS version: el7.3-release-euphrates-5.10.7-stable-...
 - VM names
 - Protection Domain names
 - Witness IP address
 - ...

Is there a way to secure this component?


Best answer by sbarab 27 November 2019, 17:54

@frederic_es So I checked further. Presently there is a plan to provide further security for this port in a future release of AOS (probably AOS 5.18, but this can be changed), but one thing to note is that this port can only be accessed from the network of the cluster or the remote site; it is not available to any other networks; you will get permission denied. Let me know if you have further concerns.


This topic has been closed for comments

6 replies


@frederic_es It sounds like your client does use Protection Domains; if that is not the case, you may be able to disable this port in the CVM firewall.

Was there a pointer to any specific CVE in that security report? 


Hi,

@sbarab:

Yes, it uses Protection Domains.

No, it's not a CVE-related vulnerability. The report just says that an attacker can view some sensitive information without any security. It also says that an attack of the reflected XSS type (non-persistent) can be possible with the PD parameter.


@frederic_es I am still investigating this. I will get back to you as soon as I find relevant info.



@frederic_es If your cluster CVMs do not have the rules to block it, you can actually add them there manually so the communication is limited to the subnets where the remote and main clusters are. Hope this satisfies some of the security concerns of yours and your client's.
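
An added example, not part of the original thread and not Nutanix code: a Python check for the restriction suggested in the reply above, which reads firewall rules in `iptables -S` format and reports any rule that accepts port 2020 from a source outside the cluster and remote-site subnets. It assumes the CVM firewall is iptables and IPv4 only; the sample rules, subnets and function names are constructed for illustration.

```python
import ipaddress
import shlex

CEREBRO_PORT = 2020  # port discussed in the thread

# Constructed sample in `iptables -S` format; not captured from a real CVM.
SAMPLE_RULES = """\
-P INPUT DROP
-A INPUT -s 10.10.1.0/24 -p tcp -m tcp --dport 2020 -j ACCEPT
-A INPUT -s 10.20.1.0/24 -p tcp -m tcp --dport 2020 -j ACCEPT
-A INPUT -s 192.168.50.0/24 -p tcp -m tcp --dport 2020 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2020 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 9440 -j ACCEPT
"""
# Assumed subnets of the main cluster and the remote site (hypothetical).
ALLOWED = ["10.10.1.0/24", "10.20.1.0/24"]

def opt(tokens, flag):
    """Return the value following an option flag, or None if absent."""
    return tokens[tokens.index(flag) + 1] if flag in tokens else None

def covers_port(spec, port):
    """True if a --dport(s) value ("2020", "2000:2100", "80,2020") includes port."""
    ranges = (p.partition(":") for p in spec.split(","))
    return any(int(lo) <= port <= int(hi or lo) for lo, _, hi in ranges)

def audit_rules(rules_text, allowed_subnets, port=CEREBRO_PORT):
    """List (source, rule) pairs that ACCEPT the port from outside allowed_subnets."""
    allowed = [ipaddress.ip_network(n) for n in allowed_subnets]
    findings = []
    for line in rules_text.splitlines():
        tok = shlex.split(line)
        if tok[:2] != ["-A", "INPUT"] or opt(tok, "-j") != "ACCEPT":
            continue
        spec = opt(tok, "--dport") or opt(tok, "--dports")
        if spec is None or not covers_port(spec, port):
            continue  # only rules that name the port are evaluated
        src = opt(tok, "-s") or "0.0.0.0/0"  # no -s means any source
        negated = "-s" in tok and tok[tok.index("-s") - 1] == "!"
        net = ipaddress.ip_network(src, strict=False)
        if negated or not any(net.subnet_of(a) for a in allowed):
            findings.append((("! " if negated else "") + src, line))
    return findings

if __name__ == "__main__":
    for source, rule in audit_rules(SAMPLE_RULES, ALLOWED):
        print(f"port {CEREBRO_PORT} reachable from {source}: {rule}")
```

On a live system the input would be the saved output of `iptables -S`. A default ACCEPT policy, or broad ACCEPT rules that do not name the port, are not evaluated by this check.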


Hi Sbarab,

Thank you for all this information. I will do some network testing and report this to the concerned person.