[Project 25499] Is your Supervisor web interface open?

At Project 25499, one of our core missions is to identify vulnerabilities that may be found on publicly accessible hosts and assess their potential scope. During a recent upgrade, we came across a great blog post about some advanced features of Supervisord.

Screenshot from supervisor blog post

The above screenshot from the blog post details a configuration option for enabling an HTTP frontend. This feature is enabled by adding the following to /etc/supervisor/supervisord.conf:

[inet_http_server]
port = 9001

The blog post's example includes a username and password option by default; however, if these are omitted, supervisor will still start the frontend and allow unauthenticated access. From this interface, an administrator can do basic process management (stop / start / restart) and view the associated logs.
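The weak setting described above next to a locked-down one, with a small audit check that flags the conditions the post warns about (frontend enabled, no credentials, bound to every interface). This is an added example, not code from the post or from the supervisor project; both sample configs are constructed and the password hash is a placeholder.

```python
"""Audit a supervisord.conf for an exposed [inet_http_server] frontend."""
import configparser

# Constructed sample: the bare "port = 9001" form from the post. A port with
# no host means supervisord listens on all interfaces, and with no
# username/password the frontend is reachable without authentication.
WEAK_CONF = """
[inet_http_server]
port = 9001
"""

# Constructed sample: loopback-only and credentials set (hash is a placeholder).
HARDENED_CONF = """
[inet_http_server]
port = 127.0.0.1:9001
username = admin
password = {SHA}PLACEHOLDER-SHA1-HEX
"""


def audit_inet_http_server(conf_text):
    """Return a list of findings for the [inet_http_server] section.

    An empty list means the HTTP frontend is either not enabled or is
    bound to a specific host and protected by a username and password.
    """
    # supervisord uses "key = value"; disable interpolation so "%" is safe.
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    parser.read_string(conf_text)
    if not parser.has_section("inet_http_server"):
        return []  # frontend not enabled at all
    section = parser["inet_http_server"]
    port = (section.get("port") or "").strip()
    if not port:
        return []  # section without a port does not start a listener

    findings = []
    # "host:port" -> host; a bare port has no host at all.
    host = port.rsplit(":", 1)[0] if ":" in port else ""
    if host in ("", "*", "0.0.0.0"):
        findings.append("frontend listens on all interfaces (%s)" % port)
    if not section.get("username") or not section.get("password"):
        findings.append("no username/password: unauthenticated access")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_inet_http_server(conf) or ["ok"])
```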

On the 22nd of August 2016, we began an HTTP scan of the IPv4 space for port 9001. The results from the scan were striking; the following screenshot is from the processing of the data [first two octets of the IPs have been redacted]:

Screenshot of search results

In total, 854 unique hosts were identified that displayed the “Supervisor Status” title, exposing 3233 services between them. Geo-mapping of the hosts produces the following image:

Geo location of vulnerable hosts

Following is a list of the most common services observed:

Count  Service
  308  sendmail
   36  datadog-agent:jmxfetch
   36  datadog-agent:forwarder
   36  datadog-agent:dogstatsd
   36  datadog-agent:collector
   30  nginx
   22  datadog-agent:go-metro
   19  relaysvr
   13  storm-supervisor
   13  sshd

With the most common service, sendmail, accounting for 9.5 % of the total, this suggests that a guide or shared configuration is being propagated. Initial searching indicates the configuration may come from either a Docker image or a GitHub project; however, a specific source has not been identified.

As a good rule to live by, always read and verify the configuration files you deploy, and always audit your hosts before exposing them to the open IPv4 internet.