rcbops / chef-cookbooks

RCB OPS - Chef Cookbooks

[haproxy] HAProxy Admin Console - Unencrypted Submission of Credentials #896

Open claco opened 10 years ago

claco commented 10 years ago

This is from the internal security review recommendations.

Severity: Medium

Description / Exploit: The HAProxy Admin Console interface transmits sensitive or security-critical data (admin password) in cleartext in a communication channel that can be sniffed by unauthorized actors.

Impact: Anyone can read the information by gaining access to the channel being used for communication.

Systems Vulnerable: http://198.101.133.248:8040/stats

Suggested Mitigation: Encrypt the data with a reliable encryption scheme before transmitting (SSL, TLS).

Further References: http://cwe.mitre.org/data/definitions/319.html https://owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet

This will likely require attribute default changes, http -> https upgrade testing, https client cert/bundle testing (see other open issues around https and client certs), and changes to novarc files, monitoring/monit checks.

Affects:

cookbooks/haproxy/attributes/default.rb
20:default["haproxy"]["admin_port"] = 8040

cookbooks/haproxy/metadata.rb
23:  :default => "8040"

cookbooks/keepalived/metadata.rb
21:  :default => "8040"
69:  :default => "8040"

odyssey4me commented 10 years ago

Maybe we should disable the web interface and gather stats through the socket instead? http://tech.fawk.eu/111/

There doesn't appear to be a native way that haproxy can expose the stats interface via HTTPS/TLS. Another option (if the interface is really that useful) would be to make it only listen on localhost and to reverse proxy it through Apache/nginx.
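As an added example, not code from the rcbops cookbooks or from either commenter, here is a small Ruby audit for the pattern this issue describes (CWE-319): a `stats auth` section whose `bind` is reachable off-box without TLS. It treats both remedies discussed above as acceptable: a bind restricted to the loopback interface (to be reverse-proxied behind Apache/nginx) or stats gathered only via the `stats socket`. HAProxy 1.5 and later also accept `ssl crt <pem>` on a `bind` line, so the audit treats that as safe too. The four configurations are constructed samples; the password and PEM path are placeholders.

```ruby
# Added example (not from the rcbops cookbooks): audit an haproxy.cfg for
# admin-console credentials that would travel in cleartext (CWE-319).
# A section is flagged when it carries "stats auth" and at least one of its
# "bind" lines is neither TLS-terminated ("ssl crt ...") nor loopback-only.

LOOPBACK = %w[127.0.0.1 ::1 localhost].freeze

# Split the config into sections keyed by their header line
# ("global", "defaults", "listen stats", "frontend www", ...).
def parse_sections(text)
  sections = []
  current = nil
  text.each_line do |raw|
    line = raw.sub(/#.*/, '').strip # drop comments and indentation
    next if line.empty?
    if line =~ /\A(global|defaults|frontend|backend|listen)\b(.*)\z/
      current = { type: $1, name: $2.strip, lines: [] }
      sections << current
    elsif current
      current[:lines] << line
    end
  end
  sections
end

# "bind <addr>:<port> [options]" -> { addr:, port:, tls: }
def binds_of(section)
  section[:lines].grep(/\Abind\s/).map do |l|
    tokens = l.split
    addr, _sep, port = tokens[1].rpartition(':')
    addr = addr.delete('[]')      # "[::1]:8040" -> "::1"
    addr = '*' if addr.empty?     # ":8040" means every interface
    { addr: addr, port: port, tls: tokens.include?('ssl') }
  end
end

# Returns one finding string per exposed bind; empty array means clean.
def audit_stats_exposure(text)
  findings = []
  parse_sections(text).each do |sec|
    next unless sec[:lines].any? { |l| l.start_with?('stats auth') }
    binds_of(sec).each do |b|
      next if b[:tls] || LOOPBACK.include?(b[:addr])
      findings << "#{sec[:type]} #{sec[:name]}: 'stats auth' credentials " \
                  "sent in cleartext on bind #{b[:addr]}:#{b[:port]}"
    end
  end
  findings
end

# --- constructed sample configurations ---------------------------------

# Mirrors the cookbook default: admin console on 8040 over plain HTTP.
VULNERABLE_CFG = <<~CFG
  global
      stats socket /var/run/haproxy.sock mode 600 level admin
  defaults
      mode http
  listen stats
      bind *:8040
      stats enable
      stats uri /stats
      stats auth admin:changeme   # placeholder credential
CFG

# Option 1 from the thread: loopback only, reverse-proxied over HTTPS elsewhere.
LOOPBACK_CFG = VULNERABLE_CFG.sub('bind *:8040', 'bind 127.0.0.1:8040')

# Native TLS on the bind (HAProxy 1.5+); /etc/haproxy/stats.pem is a placeholder.
TLS_CFG = VULNERABLE_CFG.sub('bind *:8040', 'bind *:8040 ssl crt /etc/haproxy/stats.pem')

# Option 2 from the thread: no web console at all, stats via the admin socket.
SOCKET_ONLY_CFG = <<~CFG
  global
      stats socket /var/run/haproxy.sock mode 600 level admin
  defaults
      mode http
CFG

if $PROGRAM_NAME == __FILE__
  { vulnerable: VULNERABLE_CFG, loopback: LOOPBACK_CFG,
    tls: TLS_CFG, socket_only: SOCKET_ONLY_CFG }.each do |label, cfg|
    f = audit_stats_exposure(cfg)
    puts "#{label}: #{f.empty? ? 'ok' : f.join('; ')}"
  end
end
```

Running the file prints one line per sample; only the first reports a finding. The same `audit_stats_exposure` call can be pointed at a rendered `/etc/haproxy/haproxy.cfg` as a converge-time or CI check, which is cheaper than catching the default port in a later security review.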