
=====================================================================

                                CERT-Renater

                    Note d'Information No. 2022/VULN437

_____________________________________________________________________

DATE                : 29/11/2022

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Prometheus exporter-toolkit
                          versions prior to 0.7.2, 0.7.3, 0.8.2.

=====================================================================
https://github.com/prometheus/exporter-toolkit/security/advisories/GHSA-7rg2-cxvp-9p7p
_____________________________________________________________________

Basic authentication bypass
Severity: High. Published by roidelapluie as GHSA-7rg2-cxvp-9p7p.

Package
  github.com/prometheus/exporter-toolkit (Go)

Affected versions
< 0.7.2, 0.8.0, 0.8.1

Patched versions
0.7.2, 0.7.3, 0.8.2


Description

Impact
Prometheus and its exporters can be secured by a web.yml file that
specifies usernames and hashed passwords for basic authentication.

Passwords are hashed with bcrypt, which means that even if you have
access to the hash, it is very hard to recover the original password
from it.

However, a flaw in the way this mechanism was implemented in the
exporter toolkit makes it possible for people who know the hashed
password to authenticate against Prometheus.

A request can be forged by an attacker to poison the internal cache
used to store the results of hash computations and make subsequent
requests succeed. This cache is used in both the happy and the unhappy
path in order to limit side-channel attacks that could tell an
attacker whether or not a user is present in the file.
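The pattern described above is a result cache shared by the known-user and unknown-user paths, keyed on the request's credentials. The example below is added here and is not the exporter-toolkit's own code: it contrasts a cache key built by plain concatenation (where the boundary between fields is lost and two different requests can land on the same entry) with one built from hex-encoded, delimited fields, and it shows the second rule a defender wants, namely that a success is never cached for a user who is not in the file. The `naiveKey` layout, the `sha256` stand-in for bcrypt, the user list and the `fakepassword` placeholder are all constructed for the example and do not reproduce the toolkit's actual code.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"strings"
	"sync"
)

// hashPassword and checkPassword are a constructed, standard-library stand-in
// for the bcrypt calls the toolkit uses, so this file runs without external
// modules. The cache-key logic below is what the example is about.
func hashPassword(pass string) string {
	sum := sha256.Sum256([]byte("demo-salt|" + pass))
	return hex.EncodeToString(sum[:])
}

func checkPassword(hashed, pass string) bool {
	return subtle.ConstantTimeCompare([]byte(hashPassword(pass)), []byte(hashed)) == 1
}

// keyFunc derives a cache key from the (user, hashedPassword, pass) triple.
type keyFunc func(user, hashedPassword, pass string) string

// naiveKey (assumed layout, not the toolkit's) joins the fields with no
// delimiter. The field boundaries are lost, so distinct triples can share a
// key: an entry written by one request can be read by a different one.
func naiveKey(user, hashedPassword, pass string) string {
	return hashedPassword + user + pass
}

// safeKey hex-encodes each field and joins them with ':', a byte that cannot
// occur in hex output, so every key decodes to exactly one triple.
func safeKey(user, hashedPassword, pass string) string {
	return strings.Join([]string{
		hex.EncodeToString([]byte(user)),
		hex.EncodeToString([]byte(hashedPassword)),
		hex.EncodeToString([]byte(pass)),
	}, ":")
}

// keysCollide reports whether kf maps two different triples to one key,
// using a constructed pair whose user/pass boundary is shifted by one byte.
func keysCollide(kf keyFunc) bool {
	const h = "same-hash"
	return kf("ab", h, "c") == kf("a", h, "bc")
}

type authenticator struct {
	users     map[string]string // user -> hashed password (the web.yml role)
	dummyHash string            // compared for unknown users to keep timing uniform
	key       keyFunc
	mu        sync.Mutex
	cache     map[string]bool
}

func newAuthenticator(users map[string]string, key keyFunc) *authenticator {
	return &authenticator{
		users:     users,
		dummyHash: hashPassword("fakepassword"), // constructed placeholder
		key:       key,
		cache:     make(map[string]bool),
	}
}

// authenticate keeps one cache for both paths, as the advisory describes, so a
// cache hit does not reveal whether the user exists. Two defensive rules apply:
// the key must be unambiguous, and "true" is only stored for a user in the file.
func (a *authenticator) authenticate(user, pass string) bool {
	hashedPassword, validUser := a.users[user]
	if !validUser {
		hashedPassword = a.dummyHash
	}
	k := a.key(user, hashedPassword, pass)

	a.mu.Lock()
	defer a.mu.Unlock()
	ok, cached := a.cache[k]
	if !cached {
		// Never cache a success for an unknown user, even if the dummy hash matched.
		ok = validUser && checkPassword(hashedPassword, pass)
		a.cache[k] = ok
	}
	return ok && validUser
}

func main() {
	users := map[string]string{"alice": hashPassword("correct horse")} // constructed
	a := newAuthenticator(users, safeKey)
	fmt.Println("alice/correct:", a.authenticate("alice", "correct horse"))
	fmt.Println("alice/wrong:  ", a.authenticate("alice", "nope"))
	fmt.Println("unknown user: ", a.authenticate("mallory", "fakepassword"))
	fmt.Println("naive key collides:", keysCollide(naiveKey))
	fmt.Println("safe key collides: ", keysCollide(safeKey))
}
```

When reviewing a similar cache in your own code, `keysCollide` is the check to keep: any key derivation that lets two distinct credential triples produce the same string is a poisoning risk, regardless of how strong the password hash is.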


Patches
The exporter-toolkit v0.7.2 and v0.8.2 have been released to address
this issue.


Workarounds
There is no workaround, but an attacker must have access to the hashed
password, stored on disk, to bypass the authentication.


Credit
We want to thank Lei Wan for reporting this security issue.


Severity
High

7.2 / 10

CVSS base metrics

Attack vector
Network

Attack complexity
Low

Privileges required
High

User interaction
None

Scope
Unchanged

Confidentiality
High

Integrity
High

Availability
High

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CVE ID
CVE-2022-46146

Weaknesses
CWE-303

=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================