Selenium Grid: Insecure default configuration lets crypto miners through

Selenium Grid, a framework for automated software testing, is exposed in its default configuration. Attackers are already exploiting this.

This article was originally published in German and has been automatically translated.

Security researchers from Wiz warn of attacks on the Selenium Grid framework. Attackers are abusing an exposed interface to install a crypto miner; instances are susceptible to this in the standard configuration.

In their report, they state that Selenium Grid is widely used worldwide; its Docker image alone has been downloaded more than 100 million times. Developers use the framework to run tests of software and web applications in parallel on multiple servers.

The problem is that the WebDriver API can be reached without authentication by default, so anyone who can connect to the Grid can submit their own commands. According to the researchers, the attackers abuse the browser-binary setting in the session capabilities: instead of pointing at Chrome, the binary path is redirected to a Python interpreter, which then runs a script supplied by the attackers. This gives them enough access to install a modified XMRig miner, and in principle the same remote access could be used to deploy further malware.
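A detection check for the pattern just described, written for this page as an added example (it is not code from the article, from Wiz, or from the Selenium project). It inspects the JSON body of a WebDriver new-session request and reports any browser-options block whose binary path points outside an allow-list of real browsers, which is exactly what a request that swaps Chrome for a Python interpreter looks like. The vendor capability keys (goog:chromeOptions, ms:edgeOptions, moz:firefoxOptions and their binary field) follow the WebDriver capability format; the allow-list paths and the sample requests are constructed for the example and are assumptions, not captured traffic.

```python
"""Flag Selenium Grid new-session requests that hijack the browser binary.

Added example for the article; not Selenium or Wiz code. The allow-list
below and the SAMPLE_REQUESTS are constructed assumptions.
"""
import json

# Assumption: these are the only browsers this grid is expected to launch.
ALLOWED_BROWSER_BINARIES = {
    "/usr/bin/google-chrome",
    "/usr/bin/chromium",
    "/usr/bin/firefox",
}

# Vendor capability blocks in which the driver accepts a custom executable path.
BINARY_CAPABILITIES = {
    "goog:chromeOptions": "binary",   # ChromeDriver
    "ms:edgeOptions": "binary",       # EdgeDriver
    "moz:firefoxOptions": "binary",   # GeckoDriver
}


def _capability_sets(payload):
    """Yield every capability dict a new-session request may be matched on.

    W3C clients send capabilities.alwaysMatch merged with each entry of
    capabilities.firstMatch; older clients send desiredCapabilities instead.
    """
    caps = payload.get("capabilities", {})
    always = caps.get("alwaysMatch", {})
    for first in caps.get("firstMatch") or [{}]:
        merged = dict(always)
        merged.update(first)
        yield merged
    if "desiredCapabilities" in payload:
        yield payload["desiredCapabilities"]


def inspect_new_session(body):
    """Return a list of findings for one POST /session body (JSON string)."""
    findings = []
    for caps in _capability_sets(json.loads(body)):
        for vendor_key, binary_key in BINARY_CAPABILITIES.items():
            opts = caps.get(vendor_key)
            if not isinstance(opts, dict):
                continue
            binary = opts.get(binary_key)
            if binary and binary not in ALLOWED_BROWSER_BINARIES:
                args = opts.get("args") or []
                findings.append(
                    f"{vendor_key}.{binary_key} points outside the browser "
                    f"allow-list: {binary} (args: {args})"
                )
    return findings


def scan_requests(bodies):
    """Run inspect_new_session over many bodies; map index -> findings."""
    results = {}
    for idx, body in enumerate(bodies):
        findings = inspect_new_session(body)
        if findings:
            results[idx] = findings
    return results


# Constructed sample requests (not real captures).
SAMPLE_REQUESTS = [
    # 0: benign headless Chrome session
    json.dumps({"capabilities": {"alwaysMatch": {
        "browserName": "chrome",
        "goog:chromeOptions": {"args": ["--headless"]}}}}),
    # 1: the pattern from the article: binary replaced by a Python interpreter
    json.dumps({"capabilities": {"alwaysMatch": {
        "browserName": "chrome",
        "goog:chromeOptions": {"binary": "/usr/bin/python3",
                               "args": ["-c", "import os; os.system('id')"]}}}}),
    # 2: same trick sent by a legacy (desiredCapabilities) client
    json.dumps({"desiredCapabilities": {
        "browserName": "chrome",
        "goog:chromeOptions": {"binary": "/tmp/payload.sh"}}}),
]

if __name__ == "__main__":
    for idx, findings in scan_requests(SAMPLE_REQUESTS).items():
        for finding in findings:
            print(f"request {idx}: {finding}")
```

In practice the function would be fed from the Grid's access log or a reverse proxy in front of the Router; the allow-list must match the browser paths actually installed on the nodes, otherwise every legitimate session that sets a binary will be reported.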

The researchers state that they observed the attacks against version 3.141.59. The current version is 4.23.0, but they suspect that current versions are affected in the same way and that attacks on them may already be underway.

Selenium itself points out that authentication is missing by default, but apparently not many admins are aware of this. According to the researchers, around 30,000 publicly reachable and potentially vulnerable instances are documented. Admins should therefore enable authentication immediately; the developers explain how to do this in an article.

(des)