IaaS External Pentesting (Gray-Box)

[90n20]

Assessing the security of SCS cloud-based infrastructure components within a testbed deployment. This will be done from a Gray-box perspective, simulating an attacker with partial knowledge about the target system. (Related to #391)

Tasks

• [x] Planning and Preparation
• [x] Reconnaissance & Information Gathering
• [x] Enumeration & Service Discovery
• [x] Vulnerability scanning and Analysis
• [x] Exploitation
• [x] Data and Resources exposure
• [x] Documentation & Reporting

[90n20]

We have finished with the external testing of a deployed testbed environment through its internet facing IP address.

As this was our first touch with the SCS ecosystem, we spent some time going across the documentation and how to setup a testbed at PlusServer to start our work.

Several ports were found to be opened to the wild with no restrictions, apart from the expected 22 (ssh) and wireguard (51820), which lead to internal information disclosure to unauthenticated users through the following services:

• 80
• 443
• 6443
• 7472 - metrics
• 8000 - swagger api
• 8122
• 9091 - prometheus
• 9093 - alertmanager/node exporter/metrics
• 9100 - node exporter/metrics
• 9198 - node exporter/metrics
• 10250
• 18080 - cadvisor/metrics
• 24231 - metrics

A security advisory was created in order to discuss and solve this exposure (only visible to authorized members) which was solved with the ossism PR https://github.com/osism/terraform-base/pull/12, adjusting OpenStack security group settings.

Also a CVE was found and reported to security@scs.community do to its severity.

[90n20]

All findings related to this issue have been already reported through security advisories.