How to disable the /debug/vars feature in a Docker environment #18070

Open

anjoy8 opened this issue May 27, 2024 · 10 comments

Comments

@anjoy8

anjoy8 commented May 27, 2024

Bug report criteria

What happened?

Our company is using etcd, but a vulnerability was found related to the ip:2379/debug/vars interface. How can we disable this interface?

What did you expect to happen?

How to disable this feature for an etcd instance created using Docker?

How can we reproduce it (as minimally and precisely as possible)?

To directly run a Docker instance using the command, for example:

docker run -d -it --name etcd-server -e ETCD_ENABLE_PPROF=false --restart=always -p 2379:2379 -p 2380:2380 --env ALLOW_NONE_AUTHENTICATION=yes bitnami/etcd:latest

Anything else we need to know?

No response

Etcd version (please run commands below)

$ etcd --version
# paste output here

$ etcdctl version
# paste output here

Etcd configuration (command line flags or environment variables)

paste your configuration here

Etcd debug information (please run commands below, feel free to obfuscate the IP address or FQDN in the output)

$ etcdctl member list -w table
# paste output here

$ etcdctl --endpoints=<member list> endpoint status -w table
# paste output here

Relevant log output

No response

@serathius
Member

That's an issue with bitnami, we don't support bitnami images.

@anjoy8
Author

anjoy8 commented May 27, 2024

> That's an issue with bitnami, we don't support bitnami images.

How can we disable this feature in our etcd image?
Please help write a Docker command.

@anjoy8
Author

anjoy8 commented May 27, 2024

I use the official image and wrote the following:

docker run -d \
  -p 2379:2379 \
  -p 2380:2380 \
  --name etcd \
  --volume $(pwd)/etcd-data:/etcd-data \
  quay.io/coreos/etcd:v3.5.0 \
  /usr/local/bin/etcd \
  --name my-etcd-instance \
  --data-dir /etcd-data \
  --listen-client-urls http://0.0.0.0:2379 \
  --advertise-client-urls http://0.0.0.0:2379 \
  --listen-peer-urls http://0.0.0.0:2380

However, when accessing /debug/vars, how can I disable this debug address?

@serathius
Member

You can't, which is an interesting decision by previous maintainers.

@serathius
Member

cc @ahrtr

@ahrtr
Member

ahrtr commented May 27, 2024

> Our company is using etcd, but a vulnerability was found related to the ip:2379/debug/vars interface

Could you please help us to understand what vulnerability was found?

We may want to add a flag --enable-debug (similar to --enable-pprof) to enable/disable this functionality, defaulting to false.

@serathius
Member

It's not a vulnerability per se, but at least it's surprising. Example of data in /debug/vars:

{
"cmdline": ["./bin/etcd","--enable-v2"],
"file_descriptor_limit": 131072,
"memstats": {"Alloc":4552976,"TotalAlloc":9683472,"Sys":19748104,"Lookups":0,"Mallocs":34144,"Frees":9823,"HeapAlloc":4552976,"HeapSys":11272192,"HeapIdle":4521984,"HeapInuse":6750208,"HeapReleased":2646016,"HeapObjects":24321,"StackInuse":1310720,"StackSys":1310720,"MSpanInuse":188800,"MSpanSys":195840,"MCacheInuse":28800,"MCacheSys":31200,"BuckHashSys":1452175,"GCSys":2898448,"OtherSys":2587529,"NextGC":7396016,"LastGC":1716815033051268308,"PauseTotalNs":405743,"PauseNs":[200767,45616,49613,109747,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"PauseEnd":[1716815033025284452,1716815033028402130,1716815033032624764,1716815033051268308,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"NumGC":4,"NumForcedGC":0,"GCCPUFraction":0.02077980265274588,"EnableGC":true,"DebugGC":false,"BySize":[{"Size":0,"Mallocs":0,"Frees":0},{"Size":8,"Mallocs":1143,"Frees":308},{"Size":16,"Mallocs":11743,"Frees":2918},{"Size":24,"Mallocs":2423,"Frees":946},{"Size":32,"Mallocs":1827,"Frees":590},{"Size":48,"Mallocs":6382,"Frees":441},{"Size":64,"Mallocs":2921,"Frees":249},{"Size":80,"Mallocs":
394,"Frees":233},{"Size":96,"Mallocs":1687,"Frees":392},{"Size":112,"Mallocs":2428,"Frees":2087},{"Size":128,"Mallocs":148,"Frees":74},{"Size":144,"Mallocs":142,"Frees":52},{"Size":160,"Mallocs":230,"Frees":82},{"Size":176,"Mallocs":113,"Frees":5},{"Size":192,"Mallocs":68,"Frees":13},{"Size":208,"Mallocs":225,"Frees":101},{"Size":224,"Mallocs":64,"Frees":32},{"Size":240,"Mallocs":16,"Frees":0},{"Size":256,"Mallocs":42,"Frees":12},{"Size":288,"Mallocs":120,"Frees":45},{"Size":320,"Mallocs":63,"Frees":43},{"Size":352,"Mallocs":195,"Frees":10},{"Size":384,"Mallocs":10,"Frees":3},{"Size":416,"Mallocs":59,"Frees":24},{"Size":448,"Mallocs":167,"Frees":2},{"Size":480,"Mallocs":7,"Frees":3},{"Size":512,"Mallocs":32,"Frees":17},{"Size":576,"Mallocs":22,"Frees":12},{"Size":640,"Mallocs":14,"Frees":6},{"Size":704,"Mallocs":85,"Frees":55},{"Size":768,"Mallocs":12,"Frees":1},{"Size":896,"Mallocs":59,"Frees":26},{"Size":1024,"Mallocs":24,"Frees":6},{"Size":1152,"Mallocs":21,"Frees":6},{"Size":1280,"Mallocs":12,"Frees":2},{"Size":1408,"Mallocs":42,"Frees":26},{"Size":1536,"Mallocs":4,"Frees":1},{"Size":1792,"Mallocs":23,"Frees":10},{"Size":2048,"Mallocs":38,"Frees":6},{"Size":2304,"Mallocs":21,"Frees":8},{"Size":2688,"Mallocs":33,"Frees":31},{"Size":3072,"Mallocs":21,"Frees":6},{"Size":3200,"Mallocs":30,"Frees":12},{"Size":3456,"Mallocs":3,"Frees":0},{"Size":4096,"Mallocs":32,"Frees":17},{"Size":4864,"Mallocs":37,"Frees":32},{"Size":5376,"Mallocs":6,"Frees":2},{"Size":6144,"Mallocs":8,"Frees":2},{"Size":6528,"Mallocs":1,"Frees":1},{"Size":6784,"Mallocs":0,"Frees":0},{"Size":6912,"Mallocs":2,"Frees":2},{"Size":8192,"Mallocs":18,"Frees":1},{"Size":9472,"Mallocs":31,"Frees":5},{"Size":9728,"Mallocs":0,"Frees":0},{"Size":10240,"Mallocs":0,"Frees":0},{"Size":10880,"Mallocs":1,"Frees":0},{"Size":12288,"Mallocs":4,"Frees":4},{"Size":13568,"Mallocs":2,"Frees":2},{"Size":14336,"Mallocs":0,"Frees":0},{"Size":16384,"Mallocs":3,"Frees":0},{"Size":18432,"Mallocs":6,"Frees":2}]},
"raft.status": {"id":"8e9e05c52164694d","term":4,"vote":"8e9e05c52164694d","commit":8,"lead":"8e9e05c52164694d","raftState":"StateLeader","applied":8,"progress":{"8e9e05c52164694d":{"match":8,"next":9,"state":"StateReplicate"}},"leadtransferee":"0"}
}

Would be good to get some review from security about risks of exposing the data.

@anjoy8
Author

anjoy8 commented May 27, 2024

It is a dedicated vulnerability check, and it discovered the address /debug/vars. This address is anonymous and returns configuration information, posing a risk of leakage.

@anjoy8
Author

anjoy8 commented May 27, 2024

Can I encrypt this interface or add permissions when running Docker, so that users must log in to access it?

@tjungblu
Contributor

tjungblu commented May 28, 2024

You won't be able to do that from the container runtime. The only thing I could imagine would be a reverse proxy sidecar that explicitly disallows that path.

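The reverse-proxy sidecar suggested in the last comment, written out as an added example. This is not etcd code and not something the commenter posted; it is a small Go sidecar that forwards client traffic to etcd and refuses anything under /debug/ before it reaches the server. Everything about the deployment is an assumption for illustration: the -listen and -upstream flags, the idea that etcd binds only to 127.0.0.1:12379 (or an internal Docker network) so that clients cannot bypass the proxy, and the choice of 403 rather than 404 for blocked paths. The demo() function wires the proxy to a stand-in backend constructed in the file (it fakes /health and a /debug/vars lookalike; it is not a real etcd) so the block runs offline.

```go
package main

import (
	"flag"
	"fmt"
	"log"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
	"path"
	"strings"
)

// blockedPrefixes are URL path prefixes the sidecar refuses to forward to
// etcd. "/debug/" covers /debug/vars as well as /debug/pprof/* (the latter
// is only served when etcd runs with --enable-pprof).
var blockedPrefixes = []string{"/debug/"}

// isBlocked reports whether a request path must be denied. The path is
// cleaned first so that "/debug/../debug/vars" or "//debug/vars" cannot
// bypass a naive prefix match. net/http has already percent-decoded Path.
func isBlocked(rawPath string) bool {
	p := path.Clean("/" + rawPath)
	for _, prefix := range blockedPrefixes {
		if strings.HasPrefix(p, prefix) || p == strings.TrimSuffix(prefix, "/") {
			return true
		}
	}
	return false
}

// newFilteringProxy returns a handler that forwards every request to the
// upstream etcd client URL except blocked paths, which are answered with
// 403 without ever reaching etcd.
func newFilteringProxy(upstream *url.URL) http.Handler {
	rp := httputil.NewSingleHostReverseProxy(upstream)
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if isBlocked(r.URL.Path) {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		rp.ServeHTTP(w, r)
	})
}

// demo wires the proxy to a stand-in backend (constructed here; it is not a
// real etcd) that serves /health and a /debug/vars lookalike, then returns
// the HTTP status each probe path receives through the proxy.
func demo() (map[string]int, error) {
	backend := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		switch r.URL.Path {
		case "/debug/vars":
			fmt.Fprint(w, `{"cmdline":["etcd","--listen-client-urls","http://0.0.0.0:2379"]}`)
		case "/health":
			fmt.Fprint(w, `{"health":"true"}`)
		default:
			http.NotFound(w, r)
		}
	}))
	defer backend.Close()

	upstream, err := url.Parse(backend.URL)
	if err != nil {
		return nil, err
	}
	proxy := httptest.NewServer(newFilteringProxy(upstream))
	defer proxy.Close()

	probes := []string{"/health", "/debug/vars", "/debug/../debug/vars", "/debug/pprof/"}
	results := make(map[string]int, len(probes))
	for _, p := range probes {
		resp, err := http.Get(proxy.URL + p)
		if err != nil {
			return nil, err
		}
		resp.Body.Close()
		results[p] = resp.StatusCode
	}
	return results, nil
}

func main() {
	// Assumed flags: with -listen empty the offline demo runs; otherwise the
	// sidecar serves for real in front of the (assumed) etcd address.
	listen := flag.String("listen", "", "address to serve on, e.g. :2379 (empty runs the offline demo)")
	upstream := flag.String("upstream", "http://127.0.0.1:12379", "etcd client URL reachable only from this sidecar")
	flag.Parse()

	if *listen == "" {
		results, err := demo()
		if err != nil {
			log.Fatal(err)
		}
		for p, code := range results {
			fmt.Printf("%-22s -> %d\n", p, code)
		}
		return
	}
	u, err := url.Parse(*upstream)
	if err != nil {
		log.Fatal(err)
	}
	log.Printf("forwarding %s -> %s, denying %v", *listen, u, blockedPrefixes)
	log.Fatal(http.ListenAndServe(*listen, newFilteringProxy(u)))
}
```

Two caveats a practitioner should weigh before relying on this. First, the sidecar only helps if clients cannot reach etcd directly: the etcd --listen-client-urls must bind to loopback or an internal Docker network and only the sidecar's port may be published, otherwise the filter is decorative. Second, port 2379 also carries gRPC (what etcdctl v3 uses) over HTTP/2; a plain HTTP/1.1 reverse proxy such as httputil.ReverseProxy with its default transport will not pass that traffic, so in front of real clients you need an h2c/gRPC-aware proxy (Envoy, nginx with grpc_pass, or this handler behind an h2c-capable server and HTTP/2 transport). To verify the deployment, `curl -si http://<host>:2379/debug/vars` against the published port should return the proxy's 403 rather than the JSON shown earlier in the thread.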