===============================
- Advisory -
===============================
Tittle: ElasticSearch cloud-azure plugin - Indexes content transmitted in cleartext
Risk: Medium/Low
Date: 16.Sept.2015
Author: Pedro Andujar
Twitter: @pandujar
.: [ INTRO ] :.
Elasticsearch is a search server based on Lucene. It provides a distributed, multitenant-capable full-text
search engine with a RESTful web interface and schema-free JSON documents. Elasticsearch is developed in
Java and is released as open source under the terms of the Apache License.
ElasticSearch comes with Snapshot and Restore capabilities to use as backup. Cloud-azure plugin enables ELK
to store the indexes snapshots into Azure blobs. Affected versions: ElasticSearch 1.7.2 and prior.
.: [ TECHNICAL DESCRIPTION ] :.
Azure recommendation:
"The Microsoft Azure storage services support both HTTP and HTTPS; however, using HTTPS is highly recommended."
Insecure Client Implementation:
The connection string for ELK cloud-azure plugin contains hardcoded http url with the lack of encryption and
certificate validation, therefore its prone to sniffing and MiTM attacks. A potential attacker with the required
access to the network traffic would be able to intercept the content of the indexes snapshots.
It's a good thing that Azure uses SharedKey authentication, so the account key is not sent directly through
http traffic, instead it sends hmac-sha256 signature of the http headers (using the account key) for each
request.
Affected Src:
elasticsearch/plugins/cloud-azure/src/main/java/org/elasticsearch/cloud/azure/storage/AzureStorageServiceImpl.java
@Inject
public AzureStorageServiceImpl(Settings settings) {
super(settings);
// We try to load storage API settings from `cloud.azure.`
account = settings.get(ACCOUNT);
key = settings.get(KEY);
blob = "http://" + account + ".blob.core.windows.net/";
try {
if (account != null) {
logger.trace("creating new Azure storage client using account [{}], key [{}], blob [{}]", account, key, blob);
String storageConnectionString =
"DefaultEndpointsProtocol=http;"
+ "AccountName="+ account +";"
+ "AccountKey=" + key;
// Retrieve storage account from connection-string.
CloudStorageAccount storageAccount = CloudStorageAccount.parse(storageConnectionString);
.: [ CHANGELOG ] :.
* 10/Sept/2015: - Security at Elastic contacted.
* 10/Sept/2015: - Security at Elastic ack.
* 12/Sept/2015: - Elastic replies confirming they plan to fix. But is under their risk threshold
to be considered a vulnerability.
* 15/Sept/2015: - Quick workarround: https://github.com/elastic/elasticsearch/pull/13573
* 16/Sept/2015: - Authorized to disclose.
.: [ SOLUTIONS ] :.
Apply the following quickfix:
https://github.com/elastic/elasticsearch/pull/13573
Consider changing your account name and key.
Evaluate possible indirect impact due to stored information.
.: [ REFERENCES ] :.
[+] CWE-319: Cleartext Transmission of Sensitive Information
https://cwe.mitre.org/data/definitions/319.html
[+] OWASP 2010-A9-Insufficient Transport Layer Protection
https://www.owasp.org/index.php/Top_10_2010-A9-Insufficient_Transport_Layer_Protection
[+] ELK Security
https://www.elastic.co/community/security
[+] Azure SharedKey Auth
https://msdn.microsoft.com/en-us/library/azure/dd179428.aspx
[+] !dSR - Digital Security Research
http://www.digitalsec.net/
-=EOF=-