fix: fp on metadata service check templates

main
Muhammad Daffa 2024-08-15 18:55:02 +07:00
parent 1e0af9fab0
commit 09abc526fa
8 changed files with 49 additions and 26 deletions

View File

@ -9,7 +9,7 @@ id: metadata-service-alibaba
# inside the private network. # inside the private network.
info: info:
name: Alibaba Metadata Service Check name: Alibaba Metadata Service Check
author: sullo author: sullo,daffainfo
severity: critical severity: critical
description: The Alibaba host is configured as a proxy which allows access to the metadata service. This could allow significant access to the host/infrastructure. description: The Alibaba host is configured as a proxy which allows access to the metadata service. This could allow significant access to the host/infrastructure.
remediation: Disable the proxy or restrict configuration to only allow access to approved hosts/ports. Upgrade to IMDSv2 if possible. remediation: Disable the proxy or restrict configuration to only allow access to approved hosts/ports. Upgrade to IMDSv2 if possible.
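Review bot: the unchanged `remediation` line still says "Upgrade to IMDSv2 if possible", which is AWS-specific wording that does not apply to Alibaba (the same sentence is carried by the Azure, DigitalOcean, Hetzner, OpenStack and Oracle templates below). Since this commit is already touching the `info` block of every one of these files, it would be a good moment to replace it with provider-neutral wording such as "enable the provider's hardened/token-based metadata mode where available".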
@ -28,7 +28,7 @@ info:
http: http:
- raw: - raw:
- |+ - |+
GET http://{{hostval}}/dynamic/instance-identity/document HTTP/1.1 GET http://{{hostval}}/latest/meta-data HTTP/1.1
Host: {{hostval}} Host: {{hostval}}
payloads: payloads:
@ -40,6 +40,10 @@ http:
- type: word - type: word
part: body part: body
words: words:
- "vpc-id"
- "vswitch-cidr-block"
- "vswitch-id"
- "zone-id" - "zone-id"
condition: and
# digest: 490a004630440220495fde6b8e524846446e53dead7f589f22c254d0ca7b6e09e07210469773749f0220264d2180b4589c8663f68bab544d951ad739fae7f3b6dccaaacee29718cb4778:922c64590222798bb761d5b6d8e72950 # digest: 490a004630440220495fde6b8e524846446e53dead7f589f22c254d0ca7b6e09e07210469773749f0220264d2180b4589c8663f68bab544d951ad739fae7f3b6dccaaacee29718cb4778:922c64590222798bb761d5b6d8e72950

View File

@ -9,7 +9,7 @@ id: metadata-service-aws
# inside the private network. # inside the private network.
info: info:
name: Amazon AWS Metadata Service Check name: Amazon AWS Metadata Service Check
author: sullo,DhiyaneshDk author: sullo,DhiyaneshDk,daffainfo
severity: critical severity: critical
description: The host is configured as a proxy which allows access to the metadata provided by a cloud provider such as AWS or OVH. This could allow significant access to the host/infrastructure. description: The host is configured as a proxy which allows access to the metadata provided by a cloud provider such as AWS or OVH. This could allow significant access to the host/infrastructure.
remediation: Disable the proxy or restrict configuration to only allow access to approved hosts/ports. Upgrade to IMDSv2 if possible. remediation: Disable the proxy or restrict configuration to only allow access to approved hosts/ports. Upgrade to IMDSv2 if possible.
@ -44,8 +44,10 @@ http:
- type: word - type: word
part: body part: body
words: words:
- "public-ipv4" - "ami-id"
- "privateIp" - "ami-launch-index"
condition: or - "ami-manifest-path"
- "instance-id"
condition: and
# digest: 4b0a00483046022100aaea6b60c84ab81c627ae7f0e712e68c83ca1f2deda1ad5b7d59be164e096642022100837009bd37d871f253921986b407d4b2b2a39619fcd568626a2a8b68e1fbcc25:922c64590222798bb761d5b6d8e72950 # digest: 4b0a00483046022100aaea6b60c84ab81c627ae7f0e712e68c83ca1f2deda1ad5b7d59be164e096642022100837009bd37d871f253921986b407d4b2b2a39619fcd568626a2a8b68e1fbcc25:922c64590222798bb761d5b6d8e72950
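Review bot: the new words (`ami-id`, `ami-launch-index`, `ami-manifest-path`, `instance-id`) are all entries of the EC2-style `/latest/meta-data/` listing, whereas the removed `privateIp` was a key of the instance-identity JSON document and `public-ipv4` a listing entry, joined by `or`. With `condition: and` the raw request in this template (not part of this hunk) must return the listing root for the matcher to fire at all; please confirm the request path matches, otherwise the fix turns false positives into silent false negatives. Note also that the description still says "AWS or OVH": OpenStack-based clouds expose the same EC2-compatible listing, so the wording remains accurate, but it is worth a comment that the match is on the EC2-compatible format rather than on AWS specifically.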

View File

@ -9,7 +9,7 @@ id: metadata-service-azure
# inside the private network. # inside the private network.
info: info:
name: Microsoft Azure Cloud Metadata Service Check name: Microsoft Azure Cloud Metadata Service Check
author: sullo author: sullo,daffainfo
severity: critical severity: critical
description: The Microsoft Azure cloud host is configured as a proxy which allows access to the instance metadata service. This could allow significant access to the host/infrastructure. description: The Microsoft Azure cloud host is configured as a proxy which allows access to the instance metadata service. This could allow significant access to the host/infrastructure.
remediation: Disable the proxy or restrict configuration to only allow access to approved hosts/ports. Upgrade to IMDSv2 if possible. remediation: Disable the proxy or restrict configuration to only allow access to approved hosts/ports. Upgrade to IMDSv2 if possible.
@ -41,8 +41,10 @@ http:
- type: word - type: word
part: body part: body
words: words:
- "osType" - '"azEnvironment"'
- "ipAddress" - '"customData"'
- '"evictionPolicy"'
- '"licenseType"'
condition: and condition: and
# digest: 4a0a00473045022100b9784f2e42de717877a1da43b204db4fca5e90dea3180d2fda2291e8a8b326d8022050cf70789f494c1a2114b09a24c9be94cdd6d9474d4cb6daf4a4d39b9e4751bd:922c64590222798bb761d5b6d8e72950 # digest: 4a0a00473045022100b9784f2e42de717877a1da43b204db4fca5e90dea3180d2fda2291e8a8b326d8022050cf70789f494c1a2114b09a24c9be94cdd6d9474d4cb6daf4a4d39b9e4751bd:922c64590222798bb761d5b6d8e72950
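Review bot: quoting the JSON keys including their double quotes (`'"azEnvironment"'` and so on) is a good precision improvement over the bare `osType` / `ipAddress` strings, and is the style the other templates in this commit should adopt too. One caveat to document next to the matcher: these keys are only present in the instance JSON for sufficiently recent `api-version` values of the Azure IMDS, so the `api-version` query parameter in the raw request (outside this hunk) must be new enough for all four to be returned, or the `and` will never be satisfied.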

View File

@ -9,7 +9,7 @@ id: metadata-service-digitalocean
# inside the private network. # inside the private network.
info: info:
name: DigitalOcean Metadata Service Check name: DigitalOcean Metadata Service Check
author: sullo author: sullo,daffainfo
severity: critical severity: critical
description: The DigitalOcean host is configured as a proxy which allows access to the instance metadata service. This could allow significant access to the host/infrastructure. description: The DigitalOcean host is configured as a proxy which allows access to the instance metadata service. This could allow significant access to the host/infrastructure.
remediation: Disable the proxy or restrict configuration to only allow access to approved hosts/ports. Upgrade to IMDSv2 if possible. remediation: Disable the proxy or restrict configuration to only allow access to approved hosts/ports. Upgrade to IMDSv2 if possible.
@ -41,5 +41,10 @@ http:
part: body part: body
words: words:
- "droplet_id" - "droplet_id"
- "hostname"
- "vendor_data"
- "public_keys"
- "region"
condition: and
# digest: 4a0a00473045022100c880c7f7c620f95f5581c95773d568904fba4e16bc6a142e4af79941a8e5c6d7022042599d46c091e617c90aef88b0452165506392a8cf9087180c40f8f3f05bfebe:922c64590222798bb761d5b6d8e72950 # digest: 4a0a00473045022100c880c7f7c620f95f5581c95773d568904fba4e16bc6a142e4af79941a8e5c6d7022042599d46c091e617c90aef88b0452165506392a8cf9087180c40f8f3f05bfebe:922c64590222798bb761d5b6d8e72950
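Review bot: `hostname` and `region` are generic words that appear in many unrelated response bodies; they are only discriminating here because `condition: and` ties them to `droplet_id`, `vendor_data` and `public_keys`. Since the underscore forms are the JSON keys of the `v1.json` document, consider quoting them as JSON keys the way the Azure hunk does (`'"droplet_id"'`, `'"vendor_data"'`, ...) so that the matcher is consistent across the set and does not fire on a page that merely contains those words as text.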

View File

@ -41,6 +41,9 @@ http:
- type: word - type: word
part: body part: body
words: words:
- "attributes/" - "instance/"
- "oslogin/"
- "project/"
condition: and
# digest: 4a0a00473045022100b1826497b2bd96a52b296f4be8780cd3f16c8082b4c661edc67c2eea7ec87a2d022008e42eecdfa425df28fe4a437dc7a5c04c5d7aed67b580ddbd8ec7b11491404c:922c64590222798bb761d5b6d8e72950 # digest: 4a0a00473045022100b1826497b2bd96a52b296f4be8780cd3f16c8082b4c661edc67c2eea7ec87a2d022008e42eecdfa425df28fe4a437dc7a5c04c5d7aed67b580ddbd8ec7b11491404c:922c64590222798bb761d5b6d8e72950
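Review bot: `instance/`, `oslogin/` and `project/` are the three top-level entries of the Google Compute Engine `computeMetadata/v1/` listing, while the removed `attributes/` lives one level down under `instance/` or `project/`. The `and` condition therefore only works if the raw request in this template (not in this hunk) targets the v1 root and sends the `Metadata-Flavor: Google` header the service requires; please confirm both, and add a one-line comment above the matcher stating that the words are root-listing entries.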

View File

@ -9,7 +9,7 @@ id: metadata-service-hetzner
# inside the private network. # inside the private network.
info: info:
name: Hetzner Cloud Metadata Service Check name: Hetzner Cloud Metadata Service Check
author: sullo author: sullo,daffainfo
severity: critical severity: critical
description: The Hetzner Cloud host is configured as a proxy which allows access to the instance metadata service. This could allow significant access to the host/infrastructure. description: The Hetzner Cloud host is configured as a proxy which allows access to the instance metadata service. This could allow significant access to the host/infrastructure.
remediation: Disable the proxy or restrict configuration to only allow access to approved hosts/ports. Upgrade to IMDSv2 if possible. remediation: Disable the proxy or restrict configuration to only allow access to approved hosts/ports. Upgrade to IMDSv2 if possible.
@ -17,6 +17,7 @@ info:
- https://docs.hetzner.cloud/#server-metadata - https://docs.hetzner.cloud/#server-metadata
- https://blog.projectdiscovery.io/abusing-reverse-proxies-metadata/ - https://blog.projectdiscovery.io/abusing-reverse-proxies-metadata/
- https://www.mcafee.com/blogs/enterprise/cloud-security/how-an-attacker-could-use-instance-metadata-to-breach-your-app-in-aws/ - https://www.mcafee.com/blogs/enterprise/cloud-security/how-an-attacker-could-use-instance-metadata-to-breach-your-app-in-aws/
- https://docs.hetzner.cloud
classification: classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N
cvss-score: 9.3 cvss-score: 9.3
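Review bot: the added reference `https://docs.hetzner.cloud` is redundant with the first entry of the list, `https://docs.hetzner.cloud/#server-metadata`, which already points at the relevant section of the same documentation. Suggest dropping the new line rather than keeping a less specific duplicate.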
@ -41,8 +42,8 @@ http:
part: body part: body
words: words:
- "alias_ips:" - "alias_ips:"
- "local-ipv4:" - "mac_address:"
- "instance-id:" - "network_id:"
condition: or condition: and
# digest: 4a0a0047304502207cf3fa7f173714c4d46c9d7443fc19477aff56e43e8fbf3ec92c74fa6d447bc8022100899653a9610331f9197f0f7a191c190f11ec9fbb60ea75ab0dad2f9d5738c4cc:922c64590222798bb761d5b6d8e72950 # digest: 4a0a0047304502207cf3fa7f173714c4d46c9d7443fc19477aff56e43e8fbf3ec92c74fa6d447bc8022100899653a9610331f9197f0f7a191c190f11ec9fbb60ea75ab0dad2f9d5738c4cc:922c64590222798bb761d5b6d8e72950
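Review bot: `alias_ips:`, `mac_address:` and `network_id:` are all keys of a private-network entry in the Hetzner metadata YAML, so with `condition: and` a server that has no private network attached would return none of them and the check would miss that host, even though the proxy exposure is identical. Worth either confirming that trade-off is intended or anchoring the match on a key that is always present (the old `instance-id:` was one) and using the three network keys as the tightening terms.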

View File

@ -8,7 +8,7 @@ id: metadata-service-openstack
# inside the private network. # inside the private network.
info: info:
name: Openstack Metadata Service Check name: Openstack Metadata Service Check
author: sullo author: sullo,daffainfo
severity: critical severity: critical
description: The Openstack host is configured as a proxy which allows access to the instance metadata service. This could allow significant access to the host/infrastructure. description: The Openstack host is configured as a proxy which allows access to the instance metadata service. This could allow significant access to the host/infrastructure.
remediation: Disable the proxy or restrict configuration to only allow access to approved hosts/ports. Upgrade to IMDSv2 if possible. remediation: Disable the proxy or restrict configuration to only allow access to approved hosts/ports. Upgrade to IMDSv2 if possible.
@ -39,6 +39,9 @@ http:
- type: word - type: word
part: body part: body
words: words:
- "meta_data.json"
- "user_data"
- "vendor_data.json" - "vendor_data.json"
condition: and
# digest: 490a0046304402201114388120943546bb32c03289955b8e2df3660ab5a403d294519ec91336a57502207c799b2ab3c6b4fb310cba35dab6d548a0d1e160f203359a387cc8f9f3fe8eab:922c64590222798bb761d5b6d8e72950 # digest: 490a0046304402201114388120943546bb32c03289955b8e2df3660ab5a403d294519ec91336a57502207c799b2ab3c6b4fb310cba35dab6d548a0d1e160f203359a387cc8f9f3fe8eab:922c64590222798bb761d5b6d8e72950
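Review bot: `user_data` is only listed under `/openstack/latest/` when the instance actually has user data; `meta_data.json` and `vendor_data.json` are always present. With `condition: and` an exposed OpenStack host that was launched without user data would therefore not be detected. If the goal is just to avoid matching on the single string `vendor_data.json`, `meta_data.json` plus `vendor_data.json` (and optionally `network_data.json`) would tighten the match without that gap.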

View File

@ -9,7 +9,7 @@ id: metadata-service-oracle
# inside the private network. # inside the private network.
info: info:
name: Oracle Cloud Metadata Service Check name: Oracle Cloud Metadata Service Check
author: sullo author: sullo,daffainfo
severity: critical severity: critical
description: The Oracle cloud host is configured as a proxy which allows access to the instance metadata IMDSv1 service. This could allow significant access to the host/infrastructure. description: The Oracle cloud host is configured as a proxy which allows access to the instance metadata IMDSv1 service. This could allow significant access to the host/infrastructure.
remediation: Disable the proxy or restrict configuration to only allow access to approved hosts/ports. Upgrade to IMDSv2 if possible. remediation: Disable the proxy or restrict configuration to only allow access to approved hosts/ports. Upgrade to IMDSv2 if possible.
@ -41,6 +41,9 @@ http:
- type: word - type: word
part: body part: body
words: words:
- "displayName"
- "shape"
- "availabilityDomain" - "availabilityDomain"
- "region"
# digest: 490a004630440220576757775bf5ad31380fc6e30e256b1e060702d0e79c7979012281d39150fb2d02203f3c6ed82cfe3d5eaaf268e86e1cfec2c358d4fa2dfd4b6f031214b251675d43:922c64590222798bb761d5b6d8e72950 condition: and
# digest: 490a004630440220576757775bf5ad31380fc6e30e256b1e060702d0e79c7979012281d39150fb2d02203f3c6ed82cfe3d5eaaf268e86e1cfec2c358d4fa2dfd4b6f031214b251675d43:922c64590222798bb761d5b6d8e72950
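Review bot: `displayName`, `shape` and `region` are generic identifiers that occur in many JSON APIs, so the precision of this matcher rests entirely on `availabilityDomain` plus the `and` condition. As in the DigitalOcean hunk, quoting them as JSON keys in the style of the Azure template (`'"availabilityDomain"'`, `'"displayName"'`, ...) would make the match consistent with the rest of the set and rule out hits on plain text that happens to contain these words.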