=====================================================================

                                CERT-Renater

                    Note d'Information No. 2022/VULN447

_____________________________________________________________________

DATE                : 06/12/2022

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S):Systems running prometheus (Go), prometheus/v2 (Go)
                                versions prior to 2.37.4, 2.40.4.

=====================================================================
https://github.com/advisories/GHSA-4v48-4q5m-8vx4
_____________________________________________________________________


Prometheus vulnerable to basic authentication bypass
High severity GitHub Reviewed


Vulnerability details

Package
  github.com/prometheus/prometheus (Go)

Affected versions
 > = 2.24.1, < 2.37.4
 > = 2.38.0, < 2.40.4

Patched versions
2.37.4
2.40.4


Package
  github.com/prometheus/prometheus/v2 (Go)

Affected versions
 > = 2.24.1, < 2.37.4
 > = 2.38.0, < 2.40.4

Patched versions
2.37.4
2.40.4


Description

Impact

Prometheus can be secured by a web.yml file that specifies usernames
and hashed passwords for basic authentication.

Passwords are hashed with bcrypt, which means that even if you have
access to the hash, it is very hard to find the original password back.

However, a flaw in the way this mechanism was implemented in the
exporter toolkit makes it possible with people who know the hashed
password to authenticate against Prometheus.

A request can be forged by an attacker to poison the internal cache
used to cache the computation of hashes and make subsequent requests
successful. This cache is used in both happy and unhappy scenarios in
order to limit side channel attacks that could tell an attacker if a
user is present in the file or not.


Patches
Prometheus 2.37.4 (LTS) and 2.40.4 have been released to address this
issue.


Workarounds
There is no workaround but attacker must have access to the hashed
password, stored in disk, to bypass the authentication.


References
GHSA-4v48-4q5m-8vx4
prometheus/prometheus@31a2db3
https://github.com/prometheus/prometheus/releases/tag/v2.37.4
https://github.com/prometheus/prometheus/releases/tag/v2.40.4
@roidelapluie roidelapluie published the maintainer security advisory


Severity
High

7.2/ 10

CVSS base metrics

Attack vector
Network

Attack complexity
Low

Privileges required
High

User interaction
None

Scope
Unchanged

Confidentiality
High

Integrity
High

Availability
High

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Weaknesses
CWE-303

CVE ID
No known CVE

GHSA ID
GHSA-4v48-4q5m-8vx4

Source code
github.com/prometheus/prometheus


See something to contribute? Suggest improvements for this
vulnerability.

=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================