ElasticSearch Cloud-Azure Insecure Transit

2015.09.20
Credit: Pedro Andujar
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-319

=============================== - Advisory - =============================== Tittle: ElasticSearch cloud-azure plugin - Indexes content transmitted in cleartext Risk: Medium/Low Date: 16.Sept.2015 Author: Pedro Andujar Twitter: @pandujar .: [ INTRO ] :. Elasticsearch is a search server based on Lucene. It provides a distributed, multitenant-capable full-text search engine with a RESTful web interface and schema-free JSON documents. Elasticsearch is developed in Java and is released as open source under the terms of the Apache License. ElasticSearch comes with Snapshot and Restore capabilities to use as backup. Cloud-azure plugin enables ELK to store the indexes snapshots into Azure blobs. Affected versions: ElasticSearch 1.7.2 and prior. .: [ TECHNICAL DESCRIPTION ] :. Azure recommendation: "The Microsoft Azure storage services support both HTTP and HTTPS; however, using HTTPS is highly recommended." Insecure Client Implementation: The connection string for ELK cloud-azure plugin contains hardcoded http url with the lack of encryption and certificate validation, therefore its prone to sniffing and MiTM attacks. A potential attacker with the required access to the network traffic would be able to intercept the content of the indexes snapshots. It's a good thing that Azure uses SharedKey authentication, so the account key is not sent directly through http traffic, instead it sends hmac-sha256 signature of the http headers (using the account key) for each request. Affected Src: elasticsearch/plugins/cloud-azure/src/main/java/org/elasticsearch/cloud/azure/storage/AzureStorageServiceImpl.java @Inject public AzureStorageServiceImpl(Settings settings) { super(settings); // We try to load storage API settings from `cloud.azure.` account = settings.get(ACCOUNT); key = settings.get(KEY); blob = "http://" + account + ".blob.core.windows.net/"; try { if (account != null) { logger.trace("creating new Azure storage client using account [{}], key [{}], blob [{}]", account, key, blob); String storageConnectionString = "DefaultEndpointsProtocol=http;" + "AccountName="+ account +";" + "AccountKey=" + key; // Retrieve storage account from connection-string. CloudStorageAccount storageAccount = CloudStorageAccount.parse(storageConnectionString); .: [ CHANGELOG ] :. * 10/Sept/2015: - Security at Elastic contacted. * 10/Sept/2015: - Security at Elastic ack. * 12/Sept/2015: - Elastic replies confirming they plan to fix. But is under their risk threshold to be considered a vulnerability. * 15/Sept/2015: - Quick workarround: https://github.com/elastic/elasticsearch/pull/13573 * 16/Sept/2015: - Authorized to disclose. .: [ SOLUTIONS ] :. Apply the following quickfix: https://github.com/elastic/elasticsearch/pull/13573 Consider changing your account name and key. Evaluate possible indirect impact due to stored information. .: [ REFERENCES ] :. [+] CWE-319: Cleartext Transmission of Sensitive Information https://cwe.mitre.org/data/definitions/319.html [+] OWASP 2010-A9-Insufficient Transport Layer Protection https://www.owasp.org/index.php/Top_10_2010-A9-Insufficient_Transport_Layer_Protection [+] ELK Security https://www.elastic.co/community/security [+] Azure SharedKey Auth https://msdn.microsoft.com/en-us/library/azure/dd179428.aspx [+] !dSR - Digital Security Research http://www.digitalsec.net/ -=EOF=-


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top