Deny access to uploaded files #170
Merged
Conversation
Thanks much!
mmguero referenced this pull request in mmguero-dev/Malcolm on Jun 14, 2021 (Merged)
mmguero added a commit that referenced this pull request on Jul 9, 2021:
v3.1.1 development

* New features
  * ["Best Guess" Fingerprinting for ICS Protocols](idaholab#49) - In an effort to help identify more ICS traffic, Malcolm can use a "best guess" method based on transport protocol (e.g., TCP or UDP) and port(s) to categorize potential traffic communicating over some ICS protocols without full parser support. This feature involves a [mapping table](https://github.com/idaholab/Malcolm/blob/master/zeek/config/guess_ics_map.txt) and a [Zeek script](https://github.com/idaholab/Malcolm/blob/master/zeek/config/guess.zeek) to look up the transport protocol and destination and/or source port to make a best guess at whether a connection belongs to one of those protocols. These potential ICS communications are categorized by vendor where possible. The list of ICS protocols' ports was adapted from various public sources, including, but not limited to, [Grassmarlin](https://github.com/nsacyber/GRASSMARLIN/tree/master/GM3/data/fingerprint)'s fingerprints and [ITI/ICS-Security-Tools](https://github.com/ITI/ICS-Security-Tools/blob/master/protocols/PORTS.md)' list of Control Systems Ports.
* Improvements and bug fixes
  * Allow configuring the number of concurrent requests for ClamAV scanning, Yara and Capa via environment variables (`CLAMD_MAX_REQUESTS`, `YARA_MAX_REQUESTS` and `CAPA_MAX_REQUESTS`)
  * Zeek plugins to detect [CVE-2021-31166](https://github.com/corelight/CVE-2021-31166) and [pingback](https://github.com/corelight/pingback) vulnerabilities
  * Move creation of custom fields and views to [Arkime's config.ini](https://arkime.com/settings#custom-fields)
  * LDAP bind credentials world readable in docker (idaholab#47 and #171)
  * Deny access to uploaded files (#170)
* Version bumps
  * Yara to 4.1.1
  * Zeek to 4.0.3
  * Spicy to 1.1.0
  * Alpine to 3.14
  * NGINX to 1.20.1
  * Linux kernel to 5.10 (for ISO installs)
  * urllib3 to 1.26.5 (#169)
mmguero added a commit to idaholab/Malcolm that referenced this pull request on Jul 9, 2021:
Merge remote-tracking branch 'cisa/master'

* New features
  * ["Best Guess" Fingerprinting for ICS Protocols](#49) - In an effort to help identify more ICS traffic, Malcolm can use a "best guess" method based on transport protocol (e.g., TCP or UDP) and port(s) to categorize potential traffic communicating over some ICS protocols without full parser support. This feature involves a [mapping table](https://github.com/idaholab/Malcolm/blob/master/zeek/config/guess_ics_map.txt) and a [Zeek script](https://github.com/idaholab/Malcolm/blob/master/zeek/config/guess.zeek) to look up the transport protocol and destination and/or source port to make a best guess at whether a connection belongs to one of those protocols. These potential ICS communications are categorized by vendor where possible. The list of ICS protocols' ports was adapted from various public sources, including, but not limited to, [Grassmarlin](https://github.com/nsacyber/GRASSMARLIN/tree/master/GM3/data/fingerprint)'s fingerprints and [ITI/ICS-Security-Tools](https://github.com/ITI/ICS-Security-Tools/blob/master/protocols/PORTS.md)' list of Control Systems Ports.
* Improvements and bug fixes
  * Allow configuring the number of concurrent requests for ClamAV scanning, Yara and Capa via environment variables (`CLAMD_MAX_REQUESTS`, `YARA_MAX_REQUESTS` and `CAPA_MAX_REQUESTS`)
  * Zeek plugins to detect [CVE-2021-31166](https://github.com/corelight/CVE-2021-31166) and [pingback](https://github.com/corelight/pingback) vulnerabilities
  * Move creation of custom fields and views to [Arkime's config.ini](https://arkime.com/settings#custom-fields)
  * LDAP bind credentials world readable in docker (#47 and cisagov#171)
  * Deny access to uploaded files (cisagov#170)
* Version bumps
  * Yara to 4.1.1
  * Zeek to 4.0.3
  * Spicy to 1.1.0
  * Alpine to 3.14
  * NGINX to 1.20.1
  * Linux kernel to 5.10 (for ISO installs)
  * urllib3 to 1.26.5 (cisagov#169)
mmguero added a commit to mmguero-dev/Malcolm that referenced this pull request on Jul 9, 2021:
v3.1.1 development

* New features
  * ["Best Guess" Fingerprinting for ICS Protocols](idaholab#49) - In an effort to help identify more ICS traffic, Malcolm can use a "best guess" method based on transport protocol (e.g., TCP or UDP) and port(s) to categorize potential traffic communicating over some ICS protocols without full parser support. This feature involves a [mapping table](https://github.com/idaholab/Malcolm/blob/master/zeek/config/guess_ics_map.txt) and a [Zeek script](https://github.com/idaholab/Malcolm/blob/master/zeek/config/guess.zeek) to look up the transport protocol and destination and/or source port to make a best guess at whether a connection belongs to one of those protocols. These potential ICS communications are categorized by vendor where possible. The list of ICS protocols' ports was adapted from various public sources, including, but not limited to, [Grassmarlin](https://github.com/nsacyber/GRASSMARLIN/tree/master/GM3/data/fingerprint)'s fingerprints and [ITI/ICS-Security-Tools](https://github.com/ITI/ICS-Security-Tools/blob/master/protocols/PORTS.md)' list of Control Systems Ports.
* Improvements and bug fixes
  * Allow configuring the number of concurrent requests for ClamAV scanning, Yara and Capa via environment variables (`CLAMD_MAX_REQUESTS`, `YARA_MAX_REQUESTS` and `CAPA_MAX_REQUESTS`)
  * Zeek plugins to detect [CVE-2021-31166](https://github.com/corelight/CVE-2021-31166) and [pingback](https://github.com/corelight/pingback) vulnerabilities
  * Move creation of custom fields and views to [Arkime's config.ini](https://arkime.com/settings#custom-fields)
  * LDAP bind credentials world readable in docker (idaholab#47 and cisagov#171)
  * Deny access to uploaded files (cisagov#170)
* Version bumps
  * Yara to 4.1.1
  * Zeek to 4.0.3
  * Spicy to 1.1.0
  * Alpine to 3.14
  * NGINX to 1.20.1
  * Linux kernel to 5.10 (for ISO installs)
  * urllib3 to 1.26.5 (cisagov#169)
🗣 Description
Added a deny section to the nginx configuration for the pcap-upload docker container to deny access to uploaded files.
💭 Motivation and context
This PR fixes a possible RCE where an authenticated user can upload a PHP webshell (or many, to beat the file processor) through which they could gain access to the entire Malcolm docker network and all files.
🧪 Testing
/etc/nginx/sites-enabled/default
nginx -s reload
📷 Screenshots (if appropriate)
Before:
After:
✅ Checklist
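The kind of nginx change this PR describes, shown as an added example rather than the PR's actual diff: the weak site config that serves the upload directory beside a hardened one that denies it. The document root, the `/upload/` prefix and the PHP FastCGI socket are assumptions, not Malcolm's real paths.

```nginx
# Constructed example; not the pcap-upload container's real site config.
# Assumed paths: document root /var/www/html, uploads under /var/www/html/upload/,
# PHP handled by a FastCGI backend on /run/php/php-fpm.sock.

# BEFORE (weak): the upload directory lives under the document root and no
# location covers it, so anything a user uploads is served straight back.
# Worse, nginx evaluates regex locations (~) before plain prefix locations,
# so an uploaded file ending in .php would be passed to the PHP backend and run.
server {
    listen 80;
    root /var/www/html;

    location / {
        try_files $uri $uri/ =404;
    }

    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }
}

# AFTER (hardened): a deny block for the upload prefix. The ^~ modifier makes
# this prefix match final, so the \.php$ regex location is never consulted for
# anything under /upload/, and "deny all" answers 403 for every client. The
# block is listed first only for readability; ^~ wins regardless of order.
server {
    listen 80;
    root /var/www/html;

    location ^~ /upload/ {
        deny all;
    }

    location / {
        try_files $uri $uri/ =404;
    }

    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }
}
```

After editing the site file, `nginx -t` validates the config and `nginx -s reload` applies it, as in the Testing section above; a request for any path under `/upload/` should then return 403 even when the file exists on disk.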