Unauthenticated exposed Prometheus
Description
When a user runs a staker-cli command, the command-line interface (CLI) program communicates with the stakerd daemon via JSON-RPC on port 15812.
Just as in Finding ref↗, an attacker could create a website that communicates with the internal JSON-RPC server when visited, even though it is only listening on localhost.
Impact
An attacker's website could send a request to the internal JSON-RPC server, running commands like bonding and unbonding as if it were the staker-cli program.
This could lead to a loss of user funds.
In addition, an attacker could use DNS rebinding to read the response from the JSON-RPC server, which could help facilitate these attacks.
Recommendations
Implement authentication to ensure that only requests coming from staker-cli are handled. Alternatively, change the stakerd server implementation to not communicate over HTTP.
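The following is an added illustration of the first recommendation, not code from the Babylon btc-staker project. It wraps an HTTP JSON-RPC handler in a middleware that (a) accepts only a loopback Host header, which stops a DNS-rebound hostname from reaching the handler, (b) rejects any request carrying an Origin header, on the assumption that staker-cli never sets one while every browser-initiated request does, and (c) requires a shared bearer token. The environment variable name STAKERD_RPC_TOKEN, the bearer-token transport, and the status codes are assumptions made for this example.

```go
package main

import (
	"crypto/subtle"
	"log"
	"net"
	"net/http"
	"os"
	"strings"
)

// hostIsLoopback reports whether the Host header names the local machine.
// A page served from a rebound DNS name keeps that name in Host, so this
// check alone defeats the DNS-rebinding read-back described in the finding.
func hostIsLoopback(host string) bool {
	h, _, err := net.SplitHostPort(host)
	if err != nil {
		h = host // no port component, e.g. "localhost"
	}
	if h == "localhost" {
		return true
	}
	ip := net.ParseIP(strings.Trim(h, "[]"))
	return ip != nil && ip.IsLoopback()
}

// authorizeRPC decides whether a request may reach the JSON-RPC handler.
// It returns 0 on success, otherwise the HTTP status to answer with and a reason.
func authorizeRPC(r *http.Request, expectedToken string) (int, string) {
	if !hostIsLoopback(r.Host) {
		return http.StatusForbidden, "unexpected Host header"
	}
	// Browsers attach Origin to cross-site POSTs; the CLI never does (assumption).
	if r.Header.Get("Origin") != "" {
		return http.StatusForbidden, "browser-originated request rejected"
	}
	const prefix = "Bearer "
	auth := r.Header.Get("Authorization")
	if !strings.HasPrefix(auth, prefix) {
		return http.StatusUnauthorized, "missing bearer token"
	}
	got := strings.TrimPrefix(auth, prefix)
	// Constant-time comparison so token length/prefix cannot be probed via timing.
	if subtle.ConstantTimeCompare([]byte(got), []byte(expectedToken)) != 1 {
		return http.StatusUnauthorized, "invalid bearer token"
	}
	return 0, ""
}

// withRPCAuth applies authorizeRPC in front of any handler.
func withRPCAuth(expectedToken string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if code, reason := authorizeRPC(r, expectedToken); code != 0 {
			http.Error(w, reason, code)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	// Hypothetical: the operator provisions the token once and the CLI sends
	// it as "Authorization: Bearer <token>".
	token := os.Getenv("STAKERD_RPC_TOKEN")
	if token == "" {
		log.Fatal("STAKERD_RPC_TOKEN must be set; refusing to serve RPC without authentication")
	}
	mux := http.NewServeMux()
	mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "application/json")
		w.Write([]byte(`{"jsonrpc":"2.0","result":"ok","id":1}`)) // stand-in for the real dispatcher
	})
	log.Fatal(http.ListenAndServe("127.0.0.1:15812", withRPCAuth(token, mux)))
}
```

The Host check is what matters against DNS rebinding, and the token is what stops a page that merely fires requests without reading replies; the Origin check is a cheap defence-in-depth layer that costs the CLI nothing. If the daemon later needs to be reached from another machine, the same middleware works unchanged over TLS, only the allowed-host set changes.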
Remediation
This issue has been acknowledged by Babylon Labs, which noted that it is the responsibility of the program operator to ensure that the relevant port is sufficiently protected and not accessible to the outside world.