Wobserver is a tool for inspecting web-based metrics and monitoring. It has been enabled at /wobserver by default in BlockScout from the very beginning of the project.
An issue was recently brought to our attention concerning the possible exposure of DB credentials through Wobserver. This vulnerability has not been exploited on any of our hosted BlockScout instances; there was no security incident and all data is secure. We have released a hotfix to address this issue so that administrators can disable Wobserver.
We would like to thank the issue reporter and have sent a bug bounty in appreciation for their efforts.
- Reporter: Team Lead Coder
- Bounty: 500 USDT
Who is affected?
All unmodified Blockscout instances with a release version lower than 3.3.2.
How to disable Wobserver?
Unfortunately, there was no built-in application-level switch to turn off Wobserver before BlockScout version 3.3.2. We created a hotfix that disables Wobserver by default and published version 3.3.2, which contains this fix. You can upgrade your instance or follow the steps below to close access to Wobserver.
Steps to mitigate the issue
1. Close access to the DB
First, close access to the DB from outside, if it is still open to the world. Please do this ASAP. Otherwise, a malicious actor could drop your DB or substitute the data. You can change access management by configuring IP address restrictions in the pg_hba.conf file. If you host the DB in an AWS RDS instance, you can manage DB access from the RDS instance's Modify menu by setting Public accessibility to No (if you host all the infrastructure at AWS), or by managing the VPC security group so that it allows access only from specific IP addresses, including TCP/IP port restrictions.
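As an added example (not BlockScout's code), the following POSIX shell script audits a pg_hba.conf for the kind of rules step 1 warns about: host rules whose address column is 0.0.0.0/0, ::/0 or all, and rules that use the trust method (no authentication) or the cleartext password method. Both sample configurations are constructed for the demonstration; the application host address 10.0.1.5 and the function names audit_hba and findings_count are assumptions, and only the CIDR address form is inspected.

```shell
#!/bin/sh
# Added example (not BlockScout's code): audit a pg_hba.conf for rules that leave
# PostgreSQL reachable from any address or skip authentication. The sample
# configs below are constructed; function names are hypothetical.

# audit_hba FILE
# Prints one finding per offending rule and returns 1 if any were found,
# 0 if the file is clean. Only the CIDR address form (a.b.c.d/n) is inspected;
# the two-column "address netmask" form is not handled here (assumption).
audit_hba() {
  awk -v file="$1" '
    /^[ \t]*(#|$)/ { next }                  # skip comments and blank lines
    $1 ~ /^host(ssl|nossl)?$/ {              # TCP rules: type db user addr method
      addr = $4; method = $5
      if (addr == "0.0.0.0/0" || addr == "::/0" || addr == "all") {
        print file ":" NR ": open to every address: " $0; bad++
      }
      if (method == "trust") {
        print file ":" NR ": no authentication (trust): " $0; bad++
      }
      if (method == "password") {
        print file ":" NR ": cleartext password method: " $0; bad++
      }
    }
    END { exit (bad > 0) }
  ' "$1"
}

# findings_count FILE -> number of findings (0 for a clean file)
findings_count() {
  audit_hba "$1" | wc -l | tr -d ' '
}

# Constructed sample: the kind of rule set that leaves the DB open to the internet.
WEAK_HBA=$(mktemp)
cat > "$WEAK_HBA" <<'EOF'
# constructed weak config
local   all         all                          peer
host    all         all         0.0.0.0/0        md5
host    all         all         ::/0             trust
EOF

# Constructed sample: only the application host (10.0.1.5, an assumed address)
# may connect, over TLS, with SCRAM authentication.
HARDENED_HBA=$(mktemp)
cat > "$HARDENED_HBA" <<'EOF'
# constructed hardened config
local   all         all                          peer
hostssl blockscout  blockscout  10.0.1.5/32      scram-sha-256
EOF
trap 'rm -f "$WEAK_HBA" "$HARDENED_HBA"' EXIT

echo "== weak config =="
audit_hba "$WEAK_HBA" || echo "-> FAIL: $(findings_count "$WEAK_HBA") finding(s); restrict the address column and require an authenticating method"
echo "== hardened config =="
audit_hba "$HARDENED_HBA" && echo "-> OK: no world-open or unauthenticated rules"
```

Against the weak sample the script reports three findings (one world-open IPv4 rule, and an IPv6 rule that is both world-open and unauthenticated); the hardened sample passes. To check a live server, locate its file with `SHOW hba_file;` in psql, run `audit_hba /path/to/pg_hba.conf`, and after editing reload PostgreSQL (for example `SELECT pg_reload_conf();`) so the new rules take effect.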
2. Close access to Wobserver for users
There are several ways to accomplish this:
Upgrade to the v3.3.2 release of Blockscout:
3. Change DB credentials
And never re-use them; the current ones may already be publicly accessible on the darknet.