AI PRP: Request misconfigured/exposed Airflow config

[maoning]

Reference: https://www.bleepingcomputer.com/news/security/misconfigured-apache-airflow-servers-leak-thousands-of-credentials/

Requires further research to look for the hardcoded credentials when expose_config is set to True. Then use the exposed credential to test for connection to postgreSQL db.

Please read the rules of engagement first at https://github.com/google/tsunami-security-scanner-plugins/issues/409.

[am0o0]

@maoning please assign this PRP to me, I want to focus on airflow. I can definitely implement airflow-related plugins faster because of my current airflow plugin.

[frkngksl]

Hi @maoning, I may also take this one since my current PR is merged. I guess you assigned another issue for am0o0.

[secureness]

@maoning you didn't assign any of the AI PRPs that you created initially to me, could you please at least assign this one to me? I see that both @frkngksl and @am0o0 already had one AI PRP from your PRPs. it is not fair because I did my research and submitted some extra AI PRPs you didn't assign me one of the initial AI PRPs. I'm despondent about this.

[frkngksl]

Submitting extra things doesn't give you a right to get extra ones. Rules are clear. You can request one after your PR is merged, and I'm doing this right now. I checked the issues and PR parts, and saw that you have active two PRP's one for PAN-os and other one is a RCE for VMware. You already have more PRPs than the rules allow. Also, there is no difference between your submissions and maoning submitted PRPs. You should focus on your PAN-OS PRP right now instead of tracking other people's requests.

[maoning]

Currently everyone has something in your queue. Whoever clears their queue first can post here again for assignment.

[joernNNN]

Ouch!, two of my first PRPs have been rejected and I didn't notice the "help wanted" tag for this issue :-) and after all, for the other two remaining ones, you haven't decided to accept it yet.

@maoning @tooryx Would you please let me handle this?

[joernNNN]

@tooryx @maoning all of my PRPs have been rejected except one which is not finalized yet. would you mind if I start working on this AI PRP which already is ready and no need for further confirmation from you, please?

[tooryx]

Hi, I will discuss this with the rest of the team and let you know.

~tooryx

[tooryx]

Hi @joernNNN,

Thank you for picking up this request! Please make sure the following items are completed before the plugin implementation:

• [ ] Conduct vulnerability research with a brief description of how the plugin would work
• [ ] Submit the vulnerable configuration of the target application to google/security-testbeds.

[joernNNN]

OK, @tooryx sorry for the delay. With some changes on the airflow webserver configuration, We can get a full PostgreSQL or MySQL DBs connection URL like the example below from the http://airflow/configuration. We also need to enable anonymous access since we need to log in to the airflow web server to see the configuration.

I can try to connect to both MySQL and PostgreSQL with exposed DB URLs.

[tooryx]

Hi @joernNNN,

I will discuss this with the rest of the team, but I personally think that trying to extract the SQL URI and automatically trying to connect to it won't be a scalable method over time. I would argue that:

1. A first-level implementation could be to just try to extract known fields from the configuration to confirm the vulnerability;
2. If anything allow further compromise of the instance (directly within airflow), use that to dig deeper with the plugin.

Let me know your thoughts. ~tooryx

[tooryx]

We are still discussing this one internally, please work on the weak credential one in the meantime.

[YuriyPobezhymov]

@tooryx, have a questions. Can this airflow detector plugin utilize generic weak credential ability with related AirflowCredentialTester - #521. Is there some interconnection, that can be used in this plugin? User must be authenticated to be able to see airflow.cfg when expose_config activated. Note: it seems AirflowCredentialTester support only airflow 2.x yet, so it needs to be updated soon. Also what is the cost for this plugin?

[tooryx]

Hi @YuriyPobezhymov,

Unfortunately, there is currently no interaction possible between the two plugins, especially since the order in which plugins are run cannot be guaranteed. I will check with the rest of the team on how to proceed.

~tooryx