[Project 25499] Is your Supervisor web interface open?
At Project 25499, one of our core missions is to identify vulnerabilities that may be found on publicly accessible hosts and assess their potential scope. During a recent upgrade, we came across a great blog post about some advanced features of Supervisord.
The screenshot from the blog post details a configuration option for enabling an HTTP frontend. This feature is enabled by adding the following section to /etc/supervisor/supervisord.conf:
[inet_http_server]
port = 9001
The blog post's example includes username and password options; however, if these are omitted, Supervisor will still start the frontend and allow access without any authentication. From this interface, an administrator can do basic process management (stop / start / restart) and view the associated logs.
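The following audit script is an added example, not code from the original post or from Supervisor itself: it parses a supervisord.conf and flags an [inet_http_server] section that listens on all interfaces or has no username/password, which is exactly the exposure described above. The two sample configurations are constructed for the demonstration, and the interpretation of a bare port as "all interfaces" is assumed.

```python
import configparser
from typing import List

# Constructed sample: the exposed configuration from the post (bare port, no credentials).
WEAK_CONF = """
[inet_http_server]
port = 9001
"""

# Constructed sample: bound to loopback and protected with credentials (placeholder password).
HARDENED_CONF = """
[inet_http_server]
port = 127.0.0.1:9001
username = admin
password = example-placeholder-secret
"""


def audit_inet_http_server(conf_text: str) -> List[str]:
    """Return a list of findings for the [inet_http_server] section.

    An empty list means the HTTP frontend is either not configured or is
    both bound to a non-wildcard address and protected by credentials.
    """
    # Supervisor configs use ';' comments and %(ENV_X)s expansion, so
    # disable configparser interpolation to avoid parse errors.
    cp = configparser.ConfigParser(interpolation=None,
                                   inline_comment_prefixes=(";", "#"))
    cp.read_string(conf_text)
    if not cp.has_section("inet_http_server"):
        return []  # no HTTP frontend configured at all

    sec = cp["inet_http_server"]
    findings: List[str] = []

    port = sec.get("port", "").strip()
    # "host:port" binds to host; a bare port, "*" or 0.0.0.0 is assumed to
    # bind every interface, which is what put 854 hosts in the scan results.
    host = port.rsplit(":", 1)[0] if ":" in port else ""
    if host in ("", "*", "0.0.0.0"):
        findings.append(f"port '{port}' listens on all interfaces; "
                        "bind to 127.0.0.1 or a private address")

    if not sec.get("username") or not sec.get("password"):
        findings.append("no username/password set: the frontend accepts "
                        "unauthenticated requests")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_inet_http_server(conf) or ["ok"])
```

Run it against a real file with `audit_inet_http_server(open("/etc/supervisor/supervisord.conf").read())` as part of a pre-deployment check.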
On the 22nd of August 2016, we began an HTTP scan of the IPv4 space for port 9001. The results from the scan were outstanding; the following screenshot was taken while processing the data [the first two octets of the IPs have been redacted]:
In total, 854 unique hosts were identified that were showing the “Supervisor Status” title, with a total of 3233 services collectively. Geo-mapping of the hosts produces the following image:
Following is a list of the most common services observed:
With the most common service, at 9.5 %, being sendmail, this suggests that either a guide or a shared configuration is being propagated. Initial searching indicates this configuration may come from either a Docker image or a GitHub project; however, a specific source has not been identified.
As a good rule to live by, always read and verify the configuration files you deploy, and always audit your hosts before exposing them to the open IPv4 internet.