Closed JohnG-Cybersec closed 2 years ago
This only relates to test clusters. These do not relate to any services on the Cloud Platform. Many of these are temporary and periodically destroyed. Due to the low impact and likelihood associated with this risk we are content to accept the risk.
Severity: Low
Impact: Low
Exploitability: Medium
CVSS Base Score: 3.7
CVSS v3 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Vulnerability Type: Information disclosure
Target: We've had reports of the following domains being impacted (list of affected /debug/vars URLs omitted here).
Impact: Any user may be able to navigate to the above target “expvar metrics” endpoints, as no credentials are required to access the pages. These publicly available pages may allow an attacker to retrieve internal information about the application and use it for more sophisticated attacks.
Description: Multiple sites belonging to the Ministry of Justice appear to host publicly accessible Golang “expvar metrics” debugging pages, deployed at the target instances. These “expvar metrics” resources appear to be monitoring pages intended to help the application's administrators and developers debug the application. However, the researcher identified that the target pages are publicly accessible. When a user browses to the aforementioned URLs, they are granted access to the debugging information produced by the Go runtime environment, including memory allocation statistics. This information may give an attacker insight into the applications’ structure, allowing them to craft further attacks targeted at the languages and frameworks in use by the applications.
Steps to Reproduce:
Recommendation (from NCSC): Ensure that the target applications’ “expvar metrics” resources are accessible only by authenticated users with appropriate privileges/roles within the application, or remove them from the application entirely if their presence is not required.
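As an added example (not code from the affected Cloud Platform applications), the following Go program shows why this endpoint appears and one way to apply the recommendation: importing `expvar` registers /debug/vars on `http.DefaultServeMux` as a side effect, so any server using the default mux exposes it unauthenticated; serving the public routes from a dedicated mux and keeping `expvar.Handler()` on a separate operators-only listener removes it from the public ingress. The listener addresses are assumed.

```go
package main

import (
	"expvar" // side effect: registers /debug/vars on http.DefaultServeMux
	"net/http"
	"net/http/httptest"
)

// publicMux is the mux behind the public ingress. It carries only the
// application's own routes, so /debug/vars is not reachable through it.
func publicMux() *http.ServeMux {
	mux := http.NewServeMux()
	mux.HandleFunc("/healthz", func(w http.ResponseWriter, r *http.Request) {
		w.Write([]byte("ok"))
	})
	return mux
}

// debugMux is the mux for an operators-only listener (loopback or a port the
// ingress never forwards); it is the only place expvar is served.
func debugMux() *http.ServeMux {
	mux := http.NewServeMux()
	mux.Handle("/debug/vars", expvar.Handler())
	return mux
}

// statusFor reports the HTTP status a mux returns for GET path, so the
// exposure of /debug/vars on each listener can be checked without a network.
func statusFor(h http.Handler, path string) int {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, path, nil))
	return rec.Code
}

func main() {
	// Assumed addresses: expvar on loopback only, application on the
	// port the ingress forwards. Neither uses http.DefaultServeMux.
	go http.ListenAndServe("127.0.0.1:6060", debugMux())
	http.ListenAndServe(":8080", publicMux())
}
```

The same check can be run against a deployed service: a 200 from /debug/vars on the public hostname means the default mux (or an explicit registration) is exposing expvar through the ingress.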