[Project 25499] Is your Supervisor web interface open?

At Project 25499, one of our core missions is to identify vulnerabilities that may be found on publicly accessible hosts and assess their potential scope. During a recent upgrade, we came across a great blog post about some advanced features of Supervisord.

[Screenshot from the Supervisor blog post]

The above screenshot from the blog post details a configuration option for enabling an HTTP frontend. This feature is enabled by adding the following to /etc/supervisor/supervisord.conf, under the [inet_http_server] section:

[inet_http_server]
port = 9001

The blog post's example also includes a username and password option; however, if these are omitted, supervisor will still start the frontend and allow access without any authentication. From this interface, an administrator can do basic process management (stop / start / restart) and view the associated logs, and so can anyone else who can reach the port.

On the 22nd of August 2016, we began an HTTP scan of the IPv4 space for port 9001. The results from the scan were striking; the following screenshot is from the processing of the data (the first two octets of the IPs have been redacted):

[Screenshot of search results]

In total, 854 unique hosts were identified that returned a page with the “Supervisor Status” title, exposing 3233 services collectively. Geo-mapping of the hosts produces the following image:

[Geo location of vulnerable hosts]

Following is a list of the most common services observed:

Count  Service name
308    sendmail
36     datadog-agent:jmxfetch
36     datadog-agent:forwarder
36     datadog-agent:dogstatsd
36     datadog-agent:collector
30     nginx
22     datadog-agent:go-metro
19     relaysvr
13     storm-supervisor
13     sshd

With the most common service being sendmail, at 9.5 % of all services observed, this suggests that a guide or shared configuration is being propagated. Initial searching shows this configuration may originate from either a Docker image or a GitHub project; however, a specific source has not been identified.

As a good rule to live by, always read and verify the configuration files you deploy, and always audit your hosts before exposing them to the open IPv4 internet.
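The two misconfigurations described above (an [inet_http_server] port with no host, which binds every interface, and a missing username/password) are both visible in the config file before the host ever goes online. The following audit script is an added example written for this post; it is not code from Project 25499 or from the Supervisor project. It parses the [inet_http_server] section of a supervisord.conf with Python's standard configparser and reports whether the web frontend is enabled, whether it listens on all interfaces, and whether authentication is set. The two embedded configs are constructed samples: the first reproduces the open setup the scan found, the second is the hardened form; the password value is a placeholder.

```python
"""Audit a supervisord.conf for an exposed, unauthenticated HTTP frontend.

Added example; reads only the [inet_http_server] section that Supervisor
uses for its web interface / XML-RPC endpoint.
"""
import configparser
import sys

# Host values that make supervisord bind every interface. A bare "9001"
# (no host at all) is the form from the post and behaves like "*:9001".
ALL_INTERFACES = ("", "*", "0.0.0.0")


def audit_inet_http_server(conf_text: str) -> dict:
    """Inspect [inet_http_server] and return a findings dict.

    Keys: enabled (frontend configured), listen (raw port value),
    all_interfaces (no host or wildcard given), authenticated (both
    username and password present), findings (list of problems; empty
    means nothing to fix).
    """
    parser = configparser.ConfigParser(
        interpolation=None,                  # supervisord uses %(here)s / %(ENV_X)s, not configparser syntax
        inline_comment_prefixes=(";", "#"),  # supervisord permits trailing ";" comments
        strict=False,
    )
    parser.read_string(conf_text)

    result = {"enabled": False, "listen": None, "all_interfaces": False,
              "authenticated": False, "findings": []}
    if not parser.has_section("inet_http_server"):
        return result                        # no HTTP frontend configured at all

    section = parser["inet_http_server"]
    listen = section.get("port", "").strip()
    username = section.get("username", "").strip()
    password = section.get("password", "").strip()

    # "9001" -> host ""; "127.0.0.1:9001" -> host "127.0.0.1"; "*:9001" -> host "*"
    host, _, _ = listen.rpartition(":")

    result.update(
        enabled=bool(listen),
        listen=listen or None,
        all_interfaces=bool(listen) and host in ALL_INTERFACES,
        authenticated=bool(username and password),
    )
    if not listen:
        result["findings"].append("[inet_http_server] present but no port value set")
        return result
    if result["all_interfaces"]:
        result["findings"].append(
            f"port={listen} binds all interfaces; bind 127.0.0.1 or firewall the port")
    if not result["authenticated"]:
        result["findings"].append(
            "username/password missing; anyone reaching the port can stop, start "
            "and restart processes and read their logs")
    return result


# Constructed sample configs (not taken from any real host).
OPEN_CONF = """
[inet_http_server]
port = 9001

[supervisord]
logfile = /var/log/supervisor/supervisord.log
"""

HARDENED_CONF = """
[inet_http_server]
port = 127.0.0.1:9001        ; loopback only; front with an authenticating proxy if remote access is needed
username = admin
password = REPLACE-WITH-A-STRONG-SECRET   ; placeholder value

[supervisord]
logfile = /var/log/supervisor/supervisord.log
"""


if __name__ == "__main__":
    # Usage: python audit_supervisor.py /etc/supervisor/supervisord.conf
    # With no argument the constructed open config is audited.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else OPEN_CONF
    report = audit_inet_http_server(text)
    for line in report["findings"] or ["no findings"]:
        print(line)
```

Run against the open sample, the script reports both the all-interfaces bind and the missing credentials; against the hardened sample it reports nothing. Supervisor itself also logs a critical "running without any HTTP authentication checking" message at startup when the section has no credentials, so the same condition can be caught by watching the supervisord log on existing hosts.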
