Full Report
Some application misconfigurations are equivalent to remote code execution or information disclosure vulnerabilities, but often go unnoticed. Wiz’s agentless capabilities detect these and correlate them to attack surface and business impact risks, highlighting the most critical misconfigurations.
Analysis Summary
# Best Practices: Application and OS Configuration Hardening to Prevent RCE and Information Disclosure
## Overview
This summary outlines security guidelines focused on identifying and remediating critical operating system (OS) and application-level misconfigurations. These misconfigurations, even those without associated CVEs, can lead to severe outcomes like Remote Code Execution (RCE) or information disclosure, posing risks comparable to known vulnerabilities. The focus is on gaining visibility, prioritizing risks based on context (such as internet exposure and privileges), and implementing specific hardening measures.
## Key Recommendations
### Immediate Actions
1. **Scan for Unauthenticated Remote Access to Redis:** Immediately search the environment for Redis instances configured to allow unauthenticated access from any IP address (e.g., `bind` set to `0.0.0.0` or `*`, and `protected-mode` set to `no`).
2. **Prioritize RCE Contextual Risk:** Prioritize remediation for any discovered application or OS configuration leading to RCE if the affected asset is publicly exposed to the internet and/or possesses high privilege levels within the environment.
3. **Audit Jupyter Notebook Security:** Verify that all Jupyter Notebook instances restrict inbound connections by setting `c.NotebookApp.ip` to `localhost` or a specific trusted IP range, and ensure they are protected by a strong password or token.
4. **Check for Unauthenticated File Traversal:** Identify application misconfigurations that allow unauthenticated users to traverse the file tree, which could lead to information disclosure.
### Short-term Improvements (1-3 months)
1. **Implement Agentless Configuration Scanning:** Deploy a solution capable of agentlessly analyzing host and application configuration settings across the cloud environment to gain comprehensive coverage.
2. **Enforce Redis Security Hardening:** For all non-local Redis instances, enforce one or more of the following: enable `protected-mode`, set a strong `requirepass`, or strictly restrict the `bind` addresses to trusted networks.
3. **Correlate Misconfigurations with Graph Data:** Utilize a security graph platform to correlate host configuration findings (like RCE risks) with network exposure and privilege context to accurately calculate true risk criticality.
### Long-term Strategy (3+ months)
1. **Integrate Configuration Checks into CI/CD:** Integrate automated checks for high-risk application misconfigurations (like RCE vectors) directly into the development pipeline to prevent deployment of insecure configurations.
2. **Develop Custom OS Hardening Rules:** Define and enforce custom security baselines for operating systems using configuration checks derived from industry best practices or internal security standards.
3. **Establish a Comprehensive Misconfiguration Response Plan:** Develop formal incident response procedures specifically for handling active exploitation attempts targeting known commodity misconfigurations (e.g., HinataBot, HeadCrab).
## Implementation Guidance
### For Small Organizations
- **Focus on Critical Services:** Prioritize the hardening of publicly exposed services like databases (Redis, PostgreSQL) and management tools (Jupyter) that are common targets for botnets and cryptojacking.
- **Leverage Built-in Scans:** If using a Cloud Security Posture Management (CSPM) tool, ensure host configuration analysis features are activated to catch immediate visibility gaps.
- **Adhere to Defaults:** If resources cannot be strictly audited, default to the most secure configuration available or isolate these assets completely from the public internet.
### For Medium Organizations
- **Establish Contextual Prioritization:** Begin using contextual data (internet exposure, lateral movement potential) to create a risk score for misconfigurations, moving beyond simple vulnerability counts.
- **Document Remediation SOPs:** Create Standard Operating Procedures (SOPs) for remediating top misconfiguration classes, such as securing services bound to `0.0.0.0`.
- **Periodic Configuration Audits:** Schedule quarterly deep-dive audits focusing specifically on application configuration files rather than relying solely on vulnerability scanning.
### For Large Enterprises
- **Deploy Agentless Coverage:** Implement agentless scanning across all cloud accounts and workloads to ensure 100% visibility into OS and application settings.
- **Automate Graph Correlation:** Ensure the security visibility platform automatically correlates configuration findings with asset inventory, identity/privilege data, and network topology to surface "toxic combinations."
- **Standardize Hardening Templates:** Develop, test, and deploy hardened configuration templates (e.g., immutable infrastructure standards) for commonly used applications (Redis, Hadoop, PostgreSQL) to prevent drift.
## Configuration Examples
| Application | Potential Misconfiguration | Recommended Hardening Action |
| :--- | :--- | :--- |
| **Redis** | `bind` directive set to `0.0.0.0` or `*` combined with unsecured access. | Set `bind` to `127.0.0.1` (localhost) or specific trusted IP ranges, OR enable `protected-mode`. |
| **Redis** | Missing or empty authentication credentials. | Configure a strong `requirepass` directive or define granular ACLs (`user` directives) with strong permissions. |
| **Jupyter Notebook** | Accessible from all IPs without authentication. | Set `c.NotebookApp.ip` to `localhost` or a known management subnet AND enforce a strong token/password. |
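As an added example that is not part of the original report, the following Python audits a `redis.conf` for the `bind` / `protected-mode` / `requirepass` combination called out in the Immediate Actions and in the table above; `LOOPBACK`, `parse_redis_conf` and `audit_redis_conf` are names chosen here, and the sample configurations are constructed.

```python
# Addresses that only accept connections from the local host (assumed set).
LOOPBACK = {"127.0.0.1", "::1", "localhost"}

def parse_redis_conf(text):
    """Return (directive, [args]) pairs from redis.conf text, skipping blanks and comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            parts = line.split()
            entries.append((parts[0].lower(), parts[1:]))
    return entries

def audit_redis_conf(text):
    """Evaluate bind, protected-mode and authentication together.
    Documented Redis behaviour relied on: no bind directive means listen on every
    interface; protected-mode (default yes) forces loopback-only access only when
    bind is absent AND the default user has no password; requirepass sets the
    default ACL user's password."""
    bind_args = None         # None: directive absent
    protected = True         # Redis default
    requirepass = ""
    default_open = True      # default ACL user is 'on' + 'nopass' unless configured
    for name, args in parse_redis_conf(text):
        if name == "bind":
            bind_args = [a.lstrip("-") for a in args]  # Redis 7 marks optional addrs with '-'
        elif name == "protected-mode":
            protected = args[:1] == ["yes"]
        elif name == "requirepass":
            requirepass = args[0] if args else ""
        elif name == "user" and args[:1] == ["default"]:
            has_password = "nopass" not in args and any(a.startswith((">", "#")) for a in args)
            default_open = "off" not in args and not has_password
    network_reachable = bind_args is None or any(a not in LOOPBACK for a in bind_args)
    authenticated = bool(requirepass) or not default_open
    shielded = protected and bind_args is None  # an explicit bind switches protected-mode off
    return {
        "network_reachable": network_reachable,
        "authenticated": authenticated,
        "protected_mode_effective": shielded,
        "unauthenticated_remote_access": network_reachable and not authenticated and not shielded,
    }

# Constructed samples: the weak pattern from the table beside a hardened configuration.
WEAK_CONF = "bind 0.0.0.0\nprotected-mode no\n"
HARDENED_CONF = "bind 127.0.0.1 -::1\nprotected-mode yes\nrequirepass CHANGE-ME-placeholder\n"

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_redis_conf(conf))
```

Because `protected-mode` stops applying as soon as a `bind` directive is present, `bind 0.0.0.0` with `protected-mode yes` still audits as exposed; the durable fix is a loopback or trusted-range `bind` plus `requirepass` or an ACL password on the default user.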
## Compliance Alignment
- **NIST CSF:** Identify (ID.AM, ID.RA), Protect (PR.IP, PR.PT)
- **ISO 27001:** A.12.1.2 (Operational Procedures and Responsibilities), A.14.2.1 (Policy for Development, Testing, and Production)
- **CIS Benchmarks:** Focus on specific application hardening guides (e.g., CIS Benchmarks for Redis, OS hardening sections)
## Common Pitfalls to Avoid
- **Focusing Only on CVEs:** Ignoring application misconfigurations that offer direct RCE paths simply because they lack a formal CVE ID.
- **Assuming Default Security:** Relying on default installations of software like Redis or Hadoop, as default settings are often insecure (e.g., no authentication).
- **Ignoring Context:** Treating all misconfigurations equally; an internally exposed, unauthenticated database is a high risk, but one exposed to the internet is critical.
- **Partial Visibility:** Using agent-based scanning exclusively, as it often misses configuration details or creates deployment gaps for ephemeral workloads.
## Resources
- Redis Security Documentation (Defanged Link: `redis.io/docs/management/security`)
- Hadoop Unauthenticated Command Execution Exploits (Reference Metasploit modules)
- Wiz Documentation on Host Configuration Rules (Login likely required for direct access)
- GreyNoise analysis for tracking active scanners targeting exposures (Defanged Query format: `raw_data.web.paths:"<path>"`)