9.1 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
0.001 Low
EPSS
Percentile
46.4%
Netdata is an open source option for real-time infrastructure monitoring
and troubleshooting. Each Netdata Agent has an automatically generated
MACHINE GUID. It is generated when the agent first starts and it is saved
to disk, so that it will persist across restarts and reboots. Anyone who
has access to a Netdata Agent has access to its MACHINE_GUID. Streaming is
a feature that allows a Netdata Agent to act as parent for other Netdata
Agents (children), offloading children from various functions (increased
data retention, ML, health monitoring, etc) that can now be handled by the
parent Agent. Configuration is done via stream.conf
. On the parent side,
users configure in stream.conf
an API key (any random UUID can do) to
provide common configuration for all children using this API key and per
MACHINE GUID configuration to customize the configuration for each child.
The way this was implemented, allowed an attacker to use a valid
MACHINE_GUID as an API key. This affects all users who expose their Netdata
Agents (children) to non-trusted users and they also expose to the same
users Netdata Agent parents that aggregate data from all these children.
The problem has been fixed in: Netdata agent v1.37 (stable) and Netdata
agent v1.36.0-409 (nightly). As a workaround, do not enable streaming by
default. If you have previously enabled this, it can be disabled. Limiting
access to the port on the recipient Agent to trusted child connections may
mitigate the impact of this vulnerability.