node_exporter -- bypass security with cache poisoning
Prometheus team reports:
Prometheus and its exporters can be secured by a web.yml file that
specifies usernames and hashed passwords for basic authentication.
Passwords are hashed with bcrypt, which means that even if you have
access to the hash, it is very hard to find the original password
back. Passwords are hashed with bcrypt, which means that even if you
have access to the hash, it is very hard to find the original
password back. However, a flaw in the way this mechanism was
implemented in the exporter toolkit makes it possible with people
who know the hashed password to authenticate against Prometheus.
A request can be forged by an attacker to poison the internal cache
used to cache the computation of hashes and make subsequent requests
successful. This cache is used in both happy and unhappy scenarios
in order to limit side channel attacks that could tell an attacker
if a user is present in the file or not.
Copyright © 2003-2005 Jacques Vidrine and contributors.
Please see the source of this document for full copyright