Is your Supervisor web interface open?

At Project 25499, one of our core missions is to identify vulnerabilities that may be found on publicly accessible hosts and assess their potential scope. During a recent upgrade, we came across a great blog post about some advanced features of Supervisord.

Screenshot from supervisor blog post

The screenshot above, taken from that blog post, shows the configuration option that enables Supervisord's HTTP frontend. The feature is turned on by adding an [inet_http_server] section to /etc/supervisor/supervisord.conf:

[inet_http_server]
port = 9001

The blog post's example also sets a username and password for the frontend; if those two options are omitted, however, supervisor still starts the frontend and allows access without any authentication. Note that a bare port number such as the one above binds to every interface, so the interface is reachable by anyone who can reach the host. From this interface an administrator, or anyone else who can reach the port, can perform basic process management (stop / start / restart) and view the associated logs.
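An added example of the pre-deployment check this implies (not code from the original post or from the Supervisor project): a small Python audit of a supervisord.conf that flags an [inet_http_server] section which listens beyond loopback or has no credentials. Both sample configs are constructed here; the log path, program entry, username and password are illustrative placeholders. The parser assumes, as supervisord itself does, that a bare port number or a host of `*` means every interface.

```python
import configparser
import ipaddress

# Constructed sample (not from the post): the minimal frontend config,
# no bind host and no credentials.
OPEN_CONF = """\
[supervisord]
logfile = /var/log/supervisor/supervisord.log

[inet_http_server]
port = 9001

[program:sendmail]
command = /usr/sbin/sendmail -bd -q1m
"""

# Constructed hardened counterpart: loopback only, credentials set.
# (Username and password are placeholders.)
HARDENED_CONF = """\
[supervisord]
logfile = /var/log/supervisor/supervisord.log

[inet_http_server]
port = 127.0.0.1:9001
username = admin
password = change-me-before-deploy

[program:sendmail]
command = /usr/sbin/sendmail -bd -q1m
"""


def parse_bind(port_value):
    """Split supervisord's 'port' value into (host, port).

    Assumption matching supervisord's own parsing: a bare port number
    ('9001') or a '*' host binds every interface.
    """
    value = port_value.strip()
    if ":" in value:
        host, _, port = value.rpartition(":")
        host = host.strip().lower()
    else:
        host, port = "", value
    if host in ("", "*"):
        host = "0.0.0.0"
    return host, int(port)


def is_loopback(host):
    """True for 'localhost' or a loopback IP; unknown names count as exposed."""
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def audit_supervisord_conf(text):
    """Return findings about the [inet_http_server] section of a supervisord.conf.

    An empty list means either no HTTP frontend is configured, or it is bound
    to loopback with both a username and a password set.
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    findings = []
    if not cp.has_section("inet_http_server"):
        return findings
    section = cp["inet_http_server"]

    port_value = section.get("port", "").strip()
    if not port_value:
        findings.append("inet_http_server: 'port' is required; supervisord will not start")
        return findings
    host, port = parse_bind(port_value)
    if not is_loopback(host):
        findings.append(f"inet_http_server listens on {host}:{port}, reachable beyond loopback")
    if not section.get("username") or not section.get("password"):
        findings.append("inet_http_server has no username/password: anyone who can reach "
                        "the port can stop, start and read the logs of every managed process")
    return findings


if __name__ == "__main__":
    for label, conf in (("open", OPEN_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_supervisord_conf(conf) or ["ok"])
```

If the frontend is only needed for supervisorctl on the same machine, the [unix_http_server] section (a local socket with file permissions) avoids a TCP listener altogether; the audit above treats a config without [inet_http_server] as clean for that reason.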

On the 22nd of August 2016, we began an HTTP scan of the IPv4 space for port 9001. The results were striking; the following screenshot is from the processing of the scan data (the first two octets of each IP have been redacted):

Screenshot of search results

In total, 854 unique hosts were identified whose response carried the “Supervisor Status” page title, exposing 3233 managed services between them. Geo-mapping the hosts produces the following image:

Geo location of vulnerable hosts

The most common services observed across the 3233 exposed entries were:

Count  Service name
  308  sendmail
   36  datadog-agent:jmxfetch
   36  datadog-agent:forwarder
   36  datadog-agent:dogstatsd
   36  datadog-agent:collector
   30  nginx
   22  datadog-agent:go-metro
   19  relaysvr
   13  storm-supervisor
   13  sshd

With the most common service, sendmail, accounting for 9.5 % of all exposed services, it is likely that a guide or shared configuration is being propagated. Initial searching suggests this configuration may come from a Docker image or a GitHub project; however, a specific source has not been identified.
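An added example of the data processing described above, not code from the post or from Project 25499: it classifies captured HTTP responses as open (a 200 whose page title is “Supervisor Status”), protected (a 401 with a WWW-Authenticate challenge, which is what a frontend with a username and password returns) or other, extracts the process names from the open pages, and tallies them with their share of the total, the way the list above was produced. The responses and addresses are constructed; the markup of the status page, in particular the per-process tail.html?processname= links, is an assumption about supervisor's template and is the only thing the parser relies on besides the title.

```python
import re
import urllib.parse
from collections import Counter

# Only two features of the page are relied on (assumptions about supervisor's
# status template): the page title, and the per-process tail.html links.
TITLE_RE = re.compile(r"<title>\s*Supervisor Status\s*</title>", re.IGNORECASE)
PROCESS_RE = re.compile(r"tail\.html\?processname=([^\"'&<>\s]+)")


def fake_status_page(names):
    """Build a constructed 200 response resembling the status page."""
    rows = []
    for name in names:
        quoted = urllib.parse.quote(name, safe="")  # group:name -> group%3Aname
        rows.append('<tr><td class="status"><span class="statusrunning">running</span></td>'
                    f'<td><a href="tail.html?processname={quoted}">{name}</a></td></tr>')
    return ("HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n\r\n"
            "<html><head><title>Supervisor Status</title></head>"
            "<body><table>" + "".join(rows) + "</table></body></html>")


# Constructed scan capture keyed by (redacted) address; not data from the post.
SCAN = {
    "x.x.12.34": fake_status_page(["sendmail"]),
    "x.x.56.78": fake_status_page(["datadog-agent:collector",
                                   "datadog-agent:forwarder", "nginx"]),
    "x.x.90.12": fake_status_page(["sendmail", "sshd"]),
    # Frontend with username/password set: the server answers with a 401 challenge.
    "x.x.34.56": ('HTTP/1.0 401 Unauthorized\r\n'
                  'WWW-Authenticate: Basic realm="default"\r\n\r\n'
                  '<html><body>Unauthorized</body></html>'),
    # Something else listening on 9001.
    "x.x.78.90": ("HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n\r\n"
                  "<html><head><title>Welcome to nginx!</title></head></html>"),
}


def classify(raw):
    """Return ('open', [process names]), ('protected', []) or ('other', [])."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    try:
        status = int(lines[0].split()[1])
    except (IndexError, ValueError):
        return "other", []
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if status == 401 and "www-authenticate" in headers:
        return "protected", []
    if status == 200 and TITLE_RE.search(body):
        procs = [urllib.parse.unquote(m) for m in PROCESS_RE.findall(body)]
        return "open", procs
    return "other", []


def summarize(scan):
    """Count open hosts and tally their process names with a share of the total."""
    open_hosts = 0
    services = Counter()
    for raw in scan.values():
        verdict, procs = classify(raw)
        if verdict == "open":
            open_hosts += 1
            services.update(procs)
    total = sum(services.values())
    top = [(name, n, round(100.0 * n / total, 1)) for name, n in services.most_common()]
    return {"open_hosts": open_hosts, "total_services": total, "top": top}


if __name__ == "__main__":
    result = summarize(SCAN)
    print(f"{result['open_hosts']} open hosts, {result['total_services']} services")
    for name, n, pct in result["top"]:
        print(f"{n:5d}  {pct:5.1f}%  {name}")
```

Matching on the title rather than on the port alone is what separates a Supervisor frontend from other services that happen to use 9001, and treating a 401 challenge as “protected” keeps hosts that did set credentials out of the exposed count.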

As a rule to live by: always read and verify the configuration files you deploy, and always audit your hosts before exposing them to the open IPv4 internet.

