ElasticSearch 1.7.2 Cloud-Azure Insecure Transit Vulnerability

19 Sep 2015 | Reported by Pedro Andujar | Type: zdt | Source: 0day.today

   Title:   ElasticSearch cloud-azure plugin - Indexes content transmitted in cleartext
    Risk:   Medium/Low
    Date:   16.Sept.2015
  Author:   Pedro Andujar
 Twitter:   @pandujar


.: [ INTRO ] :.

Elasticsearch is a search server based on Lucene. It provides a distributed, multitenant-capable full-text 
search engine with a RESTful web interface and schema-free JSON documents. Elasticsearch is developed in 
Java and is released as open source under the terms of the Apache License.

ElasticSearch comes with Snapshot and Restore capabilities for use as backup. The cloud-azure plugin enables
ELK to store index snapshots in Azure blobs. Affected versions: ElasticSearch 1.7.2 and prior.


.: [ TECHNICAL DESCRIPTION ] :.

Azure recommendation:
"The Microsoft Azure storage services support both HTTP and HTTPS; however, using HTTPS is highly recommended."

Insecure Client Implementation:
The connection string for the ELK cloud-azure plugin contains a hardcoded http URL, so the connection lacks
encryption and certificate validation and is therefore prone to sniffing and MiTM attacks. A potential attacker
with the required access to the network traffic would be able to intercept the content of the index snapshots.

It's a good thing that Azure uses SharedKey authentication, so the account key is not sent directly through
http traffic; instead, the client sends an HMAC-SHA256 signature of the http headers (computed with the account
key) for each request.

Affected Src:
elasticsearch/plugins/cloud-azure/src/main/java/org/elasticsearch/cloud/azure/storage/AzureStorageServiceImpl.java

    @Inject
    public AzureStorageServiceImpl(Settings settings) {
        super(settings);
        // We try to load storage API settings from `cloud.azure.`
        account = settings.get(ACCOUNT);
        key = settings.get(KEY);
        blob = "http://" + account + ".blob.core.windows.net/";

        try {
            if (account != null) {
                logger.trace("creating new Azure storage client using account [{}], key [{}], blob [{}]", account, key, blob);

                String storageConnectionString =
                        "DefaultEndpointsProtocol=http;"
                                + "AccountName="+ account +";"
                                + "AccountKey=" + key;

                // Retrieve storage account from connection-string.
                CloudStorageAccount storageAccount = CloudStorageAccount.parse(storageConnectionString);




.: [ CHANGELOG ] :.

  * 10/Sept/2015:   - Security at Elastic contacted.
  * 10/Sept/2015:   - Security at Elastic ack.
  * 12/Sept/2015:   - Elastic replies confirming they plan to fix it, but it is under their risk threshold
          to be considered a vulnerability.
  * 15/Sept/2015:   - Quick workaround: https://github.com/elastic/elasticsearch/pull/13573
  * 16/Sept/2015:   - Authorized to disclose.


.: [ SOLUTIONS ] :.

Apply the following quickfix:
https://github.com/elastic/elasticsearch/pull/13573
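
A pre-flight check for the connection-string pattern shown under "Affected Src", as an added example (not code from Elasticsearch, the linked pull request, or the advisory author): it refuses a string whose DefaultEndpointsProtocol or explicit endpoint override is not HTTPS before it would be handed to CloudStorageAccount.parse. The class and method names, the sample strings, and the policy of refusing a string that names no scheme are assumptions of this example.

```java
import java.util.LinkedHashMap;
import java.util.Locale;
import java.util.Map;

public class AzureConnectionStringGuard {

    // Split "Key=Value;..." on the first '=' only: Base64 account keys end in '='.
    static Map<String, String> parse(String connectionString) {
        Map<String, String> fields = new LinkedHashMap<>();
        for (String part : connectionString.split(";")) {
            int eq = part.indexOf('=');
            if (eq > 0) {
                fields.put(part.substring(0, eq).trim(), part.substring(eq + 1).trim());
            }
        }
        return fields;
    }

    // Returns null when every scheme in the string is HTTPS, otherwise the reason.
    // Policy assumption of this example: a string naming no scheme at all is also refused.
    static String cleartextReason(String connectionString) {
        boolean sawScheme = false;
        for (Map.Entry<String, String> f : parse(connectionString).entrySet()) {
            String name = f.getKey().toLowerCase(Locale.ROOT);
            String value = f.getValue().toLowerCase(Locale.ROOT);
            if (name.equals("defaultendpointsprotocol")) {
                sawScheme = true;
                if (!value.equals("https")) return f.getKey() + "=" + f.getValue();
            } else if (name.endsWith("endpoint")) {   // BlobEndpoint, QueueEndpoint, ...
                sawScheme = true;
                if (!value.startsWith("https://")) return f.getKey() + "=" + f.getValue();
            }
        }
        return sawScheme ? null : "no protocol or endpoint specified";
    }

    public static void main(String[] args) {
        String key = "Y29uc3RydWN0ZWQ=";   // constructed placeholder, not a real key
        String[] samples = {               // constructed inputs
            "DefaultEndpointsProtocol=http;AccountName=demo;AccountKey=" + key,
            "DefaultEndpointsProtocol=https;AccountName=demo;AccountKey=" + key,
            "DefaultEndpointsProtocol=https;AccountName=demo;BlobEndpoint=http://demo.blob.core.windows.net/;AccountKey=" + key,
        };
        for (String s : samples) {
            String reason = cleartextReason(s);
            String account = parse(s).getOrDefault("AccountName", "?");
            System.out.println(reason == null ? "ok      " + account : "refuse  " + account + ": " + reason);
        }
    }
}
```

Only the offending field is reported, never the whole connection string, so the account key stays out of the output.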

#  0day.today [2018-04-02]  #
