How to enable STS to address CWE-693: Protection Mechanism Failure in node_exporter?


Selvam Elangovan

Nov 24, 2020, 10:31:03 AM
to Prometheus Users
How to enable STS to address CWE-693: Protection Mechanism Failure in node_exporter?  

b.ca...@pobox.com

Nov 24, 2020, 11:19:31 AM
to Prometheus Users
node_exporter isn't accessed via a browser - it's accessed only from prometheus scrapes.

If you configure prometheus to scrape using https, then it will only use https. STS won't make any difference.

Furthermore, if you configure node_exporter to use TLS, then it will *only* serve TLS.  It doesn't provide separate http and https ports (like port 80 and port 443).  So STS doesn't make any sense.

Selvam Elangovan

Nov 24, 2020, 12:18:37 PM
to b.ca...@pobox.com, Prometheus Users
Thanks. I am still confused.

Can we just configure HTTPS in Prometheus for the scrape to address CWE-693 STS?

Or

If we enable TLS in node exporter to fix the STS vulnerability?

Kindly clarify.

Thanks

Selvam E.

--
You received this message because you are subscribed to the Google Groups "Prometheus Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to prometheus-use...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/prometheus-users/faea5830-a516-4b68-9b81-40bdc863c9fbn%40googlegroups.com.

b.ca...@pobox.com

Nov 24, 2020, 12:30:05 PM
to Prometheus Users
I'm guessing what's happened is:
1. You've run an (unnamed) security scanner against node_exporter
2. The scanner has come back with this message, telling you that node_exporter should return an STS header.

I'm saying that the scanner's conclusion is wrong.

Firstly, node_exporter isn't a web server, and you don't connect to it with a web browser.

Secondly, I don't know how you have configured node_exporter, but it can either serve HTTP (default) or HTTPS (*), on one port that you select.  STS only makes sense for a website which has both HTTP and HTTPS endpoints, usually on the standard ports 80 and 443.  It tells the browser always to select the HTTPS endpoint, and to remember this fact.

node_exporter only provides one or the other, so (1) STS is meaningless, and (2) this is not a vulnerability in node_exporter.

If you've configured node_exporter on HTTP, then there's no HTTPS port for STS to prefer.  If you've configured node_exporter on HTTPS (and of course configured prometheus to scrape it on HTTPS), then there's no HTTP port for STS to stop you using.

Regards,

Brian.

(*) TLS is available in node_exporter 1.0.0+: you need to set --web.config to point to a file which contains the tlsConfig settings. See https://github.com/prometheus/node_exporter#tls-endpoint

A sample web.config file would look like this:

tlsConfig:
  tlsCertPath: /etc/prometheus/ssl/prom_node_cert.pem
  tlsKeyPath: /etc/prometheus/ssl/prom_node_key.pem

Selvam Elangovan

Nov 24, 2020, 12:39:29 PM
to b.ca...@pobox.com, Prometheus Users
Perfect.  You are spot on.  Thanks for your inputs.  It helps us.

Thanks & Regards,
Selvam E.


Stuart Clark

Nov 24, 2020, 1:32:06 PM
to promethe...@googlegroups.com
On 24/11/2020 17:30, b.ca...@pobox.com wrote:
> I'm guessing what's happened is:
> 1. You've run an (unnamed) security scanner against node_exporter
> 2. The scanner has come back with this message, telling you that
> node_exporter should return an STS header.
>
> I'm saying that the scanner's conclusion is wrong.
>
> Firstly, node_exporter isn't a web server, and you don't connect to it
> with a web browser.
>
> Secondly, I don't know how you have configured node_exporter, but it
> can either serve HTTP (default) or HTTPS (*), on one port that you
> select.  STS only makes sense for a website which has both HTTP and
> HTTPS endpoints, usually on the standard ports 80 and 443.  It tells
> the browser always to select the HTTPS endpoint, and to remember this
> fact.
>
Technically it does still offer advantages for HTTPS only websites, as
it would prevent people from accessing things at all if HTTP was
actually enabled (either the site switched from just HTTPS to dual or
just HTTP, or something else tried to use the HTTP port [assuming 80/443
for a normal website]) and you tried to access the site. Therefore it
prevents some future (possibly nefarious) change from tripping you up.

But as you say that is pretty much irrelevant as Prometheus doesn't read
or obey the STS headers anyway, and access from a normal web browser is
fairly unusual or short lived (e.g. temporary tests & debugging).


Selvam Elangovan

Nov 30, 2020, 12:43:10 AM
to b.ca...@pobox.com, Prometheus Users
However, we could still access the endpoint 9100 with host name in a web browser.

I understand that Strict-Transport-Security is used on a web server to redirect HTTP to HTTPS by inserting that information in the header so that the client connects using HTTPS instead of HTTP.

How can I justify this with the security scanner? Any help appreciated.

Selvam Elangovan

Nov 30, 2020, 1:01:10 AM
to b.ca...@pobox.com, Prometheus Users
This is what we got in the scan:

X-Content-Type-Options HTTP Header missing on port 9100.
X-Content-Type-Options HTTP Header missing on port 9100.

Kindly advise how we can address this in node_exporter.

Thanks & Regards,
Selvam E.

Ben Kochie

Nov 30, 2020, 2:55:18 AM
to Selvam Elangovan, b.ca...@pobox.com, Prometheus Users
The advice is to disable this scan, as it doesn't apply to the node_exporter. It is a false positive.

Blindly accepting security scanner messages as truth is the problem.

b.ca...@pobox.com

Nov 30, 2020, 3:31:55 AM
to Prometheus Users
On Monday, 30 November 2020 at 05:43:10 UTC Selvam Elangovan wrote:
> However, we could still access the endpoint 9100 with host name in a web browser.

Certainly. node_exporter acts either as an HTTP endpoint or an HTTPS endpoint, depending on whether you've enabled TLS on it or not, and therefore *can* be accessed from a browser.

When connecting from a browser, you'd use either http://example.com:9100/ or https://example.com:9100/ depending on how you configured node_exporter.  Only one of these will work.

> I understand that Strict-Transport-Security is used on a web server to redirect HTTP to HTTPS by inserting that information in the header so that the client connects using HTTPS instead of HTTP.

But if you've configured node_exporter as an HTTP server, there's no HTTPS service to redirect *to*.  node_exporter only does one or the other.

> How can I justify this with the security scanner?

By documenting this as a false positive in your analysis of the scanner report.
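The triage reasoning from this thread, written down as a small script so the false-positive justification can be generated and attached to the scan analysis. This is an added example, not code from the thread or from the node_exporter project; the sample response and the metric name in it are constructed, and the one fact it relies on beyond the thread is RFC 6797's rule that a client must ignore a Strict-Transport-Security header received over plain HTTP.

```python
# Added example (not from the thread or node_exporter): triage the two scanner
# findings against a captured response from the node_exporter port and produce
# the justification to record in the scan report.
# Reasoning encoded: node_exporter serves exactly one scheme on its port, so there
# is never a second HTTP endpoint for HSTS to forbid; Prometheus, the intended
# client, does not act on browser-only headers; and RFC 6797 requires clients to
# ignore an STS header received over plain HTTP.

def parse_response(scheme: str, raw: str) -> dict:
    """Split a raw HTTP/1.x response into scheme, status and lowercased headers."""
    head, _, _body = raw.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"scheme": scheme, "status": int(status_line.split()[1]), "headers": headers}


def triage(resp: dict) -> dict:
    """Return one verdict per scanner finding; verdicts beginning with
    'false positive' are the ones to document as such in the report analysis."""
    h = resp["headers"]
    verdicts = {}
    if resp["scheme"] == "http":
        verdicts["Strict-Transport-Security"] = (
            "false positive: the port serves plain HTTP only, so there is no HTTPS "
            "endpoint to upgrade to, and RFC 6797 makes clients ignore STS over HTTP")
    elif "strict-transport-security" in h:
        verdicts["Strict-Transport-Security"] = (
            "present: honoured only by browsers; this port has no HTTP listener")
    else:
        verdicts["Strict-Transport-Security"] = (
            "false positive: the port is TLS-only, so there is no HTTP endpoint for "
            "HSTS to forbid, and Prometheus does not read the header anyway")
    if "x-content-type-options" in h:
        verdicts["X-Content-Type-Options"] = "present"
    elif h.get("content-type", "").startswith("text/plain"):
        verdicts["X-Content-Type-Options"] = (
            "false positive: nosniff only changes how browsers treat mislabelled "
            "bodies; this is text/plain metrics exposition consumed by Prometheus")
    else:
        verdicts["X-Content-Type-Options"] = "review: unexpected content type on port 9100"
    return verdicts


# Constructed sample: a plain-HTTP /metrics response as a scanner would capture it.
SAMPLE_HTTP = ("HTTP/1.1 200 OK\r\nContent-Type: text/plain; version=0.0.4; charset=utf-8\r\n"
               "Date: Mon, 30 Nov 2020 05:43:10 GMT\r\n\r\n# constructed body\nsample_metric 1\n")

if __name__ == "__main__":
    for finding, verdict in triage(parse_response("http", SAMPLE_HTTP)).items():
        print(f"{finding}: {verdict}")
```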

Selvam Elangovan

Nov 30, 2020, 3:45:55 AM
to b.ca...@pobox.com, Prometheus Users
Thanks for the quick response and clarification!
