google / tsunami-security-scanner-plugins

This project aims to provide a central repository for many useful Tsunami Security Scanner plugins.
Apache License 2.0

PRP: CVE-2019-20933 InfluxDB Authentication Bypass #279

Closed secureness closed 1 year ago

secureness commented 1 year ago

There are many instances of this DB in public data according to Shodan, so I'd like to write a plugin for detecting this vulnerability.

The Docker images for tests are available on Docker Hub, and the great vulhub repository explains everything. I think it is not hard to implement this CVE with the Tsunami libraries.

maoning commented 1 year ago

Hi @secureness,

Thanks for your request! This vulnerability is in scope for the reward program. InfluxDB doesn't seem to have auth enabled by default either. Aside from the auth bypass mentioned in CVE-2019-20933, could you also test for missing authentication and generate a slightly different vulnerability (with different cause & description) if there's no auth in the first place?

Please submit our participation form and you can start working on the development.

Please keep in mind that the Tsunami Scanner Team will only be able to work on one issue at a time for each participant, so please hold off on the implementation work for any other requests you might have.

Thanks!

secureness commented 1 year ago

Thanks for accepting my submission. I will try to check for missing authentication too.

secureness commented 1 year ago

Hi, I wrote the plugin and it's working with no problem. About the conditional report, I don't know how I can do this! I wrote another isServiceVulnerable and buildDetectionReport method with different names for detecting no authentication enabled. Should I just change the DetectionReportList method? If yes, can you give me an example where you have two instances of isServiceVulnerable and buildDetectionReport and then conditional steps for creating an appropriate report?

maoning commented 1 year ago

We probably don't have any conditional findings yet to serve as an example. You can break down the stream inside the public DetectionReportList detect() method. The rough logic should look like:

  1. Going through each service
  2. Check if service is webservice and/or check if service name is equal to influxdb
  3. Then first test for missing auth
  4.1 If missing auth is true, then build a detection report for missing auth (buildMissingAuthDetectionReport()), and add the detection report to the detection report list.
      Set the value of the VulnerabilityId to "MISSING_AUTHENTICATION_FOR_INFLUX_DB".
  4.2 If missing auth is false, then try the jwt payload and generate a different detection report (buildCve201920933DetectionReport()) and add it to the detection list.
      Set the value of the VulnerabilityId to "CVE_2019_20933".
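An added illustration of step 4 (not code from this issue or from the Tsunami project): the two report builders share one helper and differ only in the VulnerabilityId, title and description, so the detect() loop can emit a distinct finding for each cause. It assumes the Tsunami proto classes named in the imports and an injected utcClock field, as in the project's example plugins; the helper name buildReport, the severity and the title/description strings are placeholders.

```java
import com.google.protobuf.util.Timestamps;
import com.google.tsunami.proto.DetectionReport;
import com.google.tsunami.proto.DetectionStatus;
import com.google.tsunami.proto.NetworkService;
import com.google.tsunami.proto.Severity;
import com.google.tsunami.proto.TargetInfo;
import com.google.tsunami.proto.Vulnerability;
import com.google.tsunami.proto.VulnerabilityId;
import java.time.Instant;

  // Inside the detector class; utcClock is the injected java.time.Clock
  // used by Tsunami plugins for report timestamps (assumed field).

  // Shared builder: everything except the vulnerability identity is the same
  // for both findings, so it lives in one place (hypothetical helper name).
  private DetectionReport buildReport(
      TargetInfo targetInfo, NetworkService networkService,
      String vulnerabilityId, String title, String description) {
    return DetectionReport.newBuilder()
        .setTargetInfo(targetInfo)
        .setNetworkService(networkService)
        .setDetectionTimestamp(
            Timestamps.fromMillis(Instant.now(utcClock).toEpochMilli()))
        .setDetectionStatus(DetectionStatus.VULNERABILITY_VERIFIED)
        .setVulnerability(
            Vulnerability.newBuilder()
                .setMainId(
                    VulnerabilityId.newBuilder()
                        .setPublisher("GOOGLE")
                        .setValue(vulnerabilityId))
                .setSeverity(Severity.CRITICAL) // placeholder severity
                .setTitle(title)
                .setDescription(description))
        .build();
  }

  // Step 4.1: the instance answered without any authentication at all.
  private DetectionReport buildMissingAuthDetectionReport(
      TargetInfo targetInfo, NetworkService networkService) {
    return buildReport(targetInfo, networkService,
        "MISSING_AUTHENTICATION_FOR_INFLUX_DB",
        "InfluxDB instance exposed without authentication",
        "The InfluxDB HTTP API accepted requests without credentials.");
  }

  // Step 4.2: authentication is enabled but the CVE-2019-20933 bypass works.
  private DetectionReport buildCve201920933DetectionReport(
      TargetInfo targetInfo, NetworkService networkService) {
    return buildReport(targetInfo, networkService,
        "CVE_2019_20933",
        "InfluxDB authentication bypass (CVE-2019-20933)",
        "Authentication is enabled, but the instance is affected by the "
            + "CVE-2019-20933 authentication bypass.");
  }
```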

secureness commented 1 year ago

Here it is:


  @Override
  public DetectionReportList detect(
      TargetInfo targetInfo, ImmutableList<NetworkService> matchedServices) {
    logger.atInfo().log("CVE-2019-20933 starts detecting.");
    Builder detectionreport = DetectionReportList.newBuilder();
    matchedServices.stream()
        .filter(NetworkServiceUtils::isWebService).forEach(networkService -> {
          if (isServiceVulnerableByMissingAuth(networkService)) {
            detectionreport.addDetectionReports(
                buildMissingAuthDetectionReport(targetInfo, networkService));
          } else if ((isServiceVulnerableByCve201920933(networkService))) {
            detectionreport.addDetectionReports(
                buildCve201920933DetectionReport(targetInfo, networkService));
          }
        });
    return detectionreport.build();
  }

I tested it against my local IP, which has both missing-auth and CVE instances of InfluxDB on different ports, and it worked perfectly for me. Does it look good to you?