S4E

StackStorm Default Login Scanner

This scanner detects StackStorm installations among your digital assets and checks whether the default login credentials are still accepted, so that they can be changed before an attacker finds them.

Short Info

Level: High
Single Scan: Single Scan
Can be used by: Asset Owner
Estimated Time: 1 minute
Time Interval: 3 weeks 19 hours
Scan only one: URL
Toolbox: -

StackStorm is an open-source automation engine used by IT operations and DevOps teams worldwide. It enables complex automated workflows, integrates with numerous external services, and supports event-driven problem-solving processes. Organizations use StackStorm to automate routine tasks, streamline operational processes, and ensure consistency across infrastructure and applications. It is particularly popular in environments requiring high agility and rapid response to changing operational conditions. Through its comprehensive integration capabilities, StackStorm provides a scalable and flexible solution for managing diverse and dynamic IT infrastructures. Primarily, it helps in reducing manual work, minimizing errors, and increasing efficiency in handling IT operations.

The vulnerability detected by this scanner relates to the use of default login credentials in StackStorm installations. Default logins can easily be exploited by attackers to gain unauthorized access to the system, potentially compromising sensitive data and system operations. The presence of default credentials is a common security risk that is frequently overlooked, making it a target for automated scripts and attackers attempting unauthorized access. This vulnerability emphasizes the importance of implementing strong authentication practices, such as changing default credentials and using unique, strong passwords. Addressing this vulnerability is crucial in preventing unauthorized access and protecting the integrity of the IT environment. Ensuring that default credentials are changed is a basic yet effective security measure that should be implemented in every system deployment.

The technical details of this vulnerability involve the authentication endpoint of StackStorm, specifically the '/auth/tokens' endpoint. By presenting the default administrator credentials, an attacker can authenticate successfully, obtain a user token, and reach privileged functionality. This scanner checks for the presence of default credentials by attempting a login with 'st2admin' as the username and 'Ch@ngeMe' as the password. If the login succeeds, the scanner confirms the vulnerability by finding the response fields '"user":', '"token":' and '"expiry":' together with a 201 status code. This indicates a security misconfiguration in which the default login credentials were not changed after installation.
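The following is an added example of how an asset owner could run the same check against their own StackStorm instance; it is not S4E's scanner code. It uses only the values the page names (the '/auth/tokens' endpoint, the 'st2admin' / 'Ch@ngeMe' defaults, the 201 status and the 'user', 'token' and 'expiry' response fields); the base URL is an assumed placeholder.

```python
import base64
import json
import urllib.error
import urllib.request

# Values taken from the scanner description above.
DEFAULT_USERNAME = "st2admin"
DEFAULT_PASSWORD = "Ch@ngeMe"
TOKEN_ENDPOINT = "/auth/tokens"
EXPECTED_KEYS = ("user", "token", "expiry")


def default_credentials_accepted(status: int, body: str) -> bool:
    """Apply the detection rule from the text: HTTP 201 plus a JSON body
    that carries the 'user', 'token' and 'expiry' fields of an issued token.
    Anything else (401, HTML error page, partial JSON) is not a finding."""
    if status != 201:
        return False
    try:
        data = json.loads(body)
    except ValueError:
        return False
    return isinstance(data, dict) and all(key in data for key in EXPECTED_KEYS)


def audit_own_instance(base_url: str, timeout: float = 10.0) -> bool:
    """POST to /auth/tokens on your own instance with HTTP Basic auth using
    the shipped defaults. Returns True when the misconfiguration is present."""
    raw = f"{DEFAULT_USERNAME}:{DEFAULT_PASSWORD}".encode()
    req = urllib.request.Request(base_url.rstrip("/") + TOKEN_ENDPOINT, method="POST")
    req.add_header("Authorization", "Basic " + base64.b64encode(raw).decode())
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return default_credentials_accepted(resp.status, resp.read().decode())
    except urllib.error.HTTPError as exc:
        # A 401 here is the healthy outcome: the default password was rotated.
        return default_credentials_accepted(exc.code, exc.read().decode())


if __name__ == "__main__":
    # Constructed sample of a successful token response, for an offline dry run;
    # replace with audit_own_instance("https://st2.example.internal") for a live check.
    sample = json.dumps({"user": "st2admin", "token": "<redacted>", "expiry": "2030-01-01T00:00:00Z"})
    print("default credentials still active:", default_credentials_accepted(201, sample))
```

If the function returns True, rotate the st2admin password and review the auth logs for earlier token issuances you did not initiate.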

Exploiting default login credentials can have severe implications on the security of an organization. If an unauthorized user gains access to StackStorm, they can execute arbitrary workflows, access sensitive configuration information, and potentially compromise connected systems and services. This access could lead to data leaks, unauthorized modification or deletion of resources, and disruption of services. The attacker may also use this entry point to further penetrate the network, posing significant risks to the organization's overall security posture. Hence, mitigating this vulnerability is vital to prevent unauthorized access and potential data breaches.
