Externally accessible Elasticsearch services


Vulnerability description:

Elasticsearch [1] without the Shield plug-in installed performs no authentication and places no restriction on access to the data it stores: a single curl command against the HTTP API can exfiltrate every document in every index. Out-of-date versions also have known vulnerabilities, including remote code execution, that can lead to compromise of the server itself; CVE-2015-4165 [2], an arbitrary file write through the snapshot API fixed in Elasticsearch 1.6.0, is one example.

To test manually whether a system is exposed, browse to the following URL with a web browser (or fetch it with curl). A response that lists index names, document counts and sizes without prompting for credentials confirms the service is open; an HTTP 401 or 403 indicates that an authentication layer is in front of the API:

  • http://[IP of server in question]:9200/_cat/indices?v
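The manual check above, scripted so that it can be repeated across a list of hosts. This is an added example and not part of the AusCERT advisory: it assumes curl is installed, takes the host (and optionally the port) as arguments, classifies the HTTP status of GET / as open, auth-required or unreachable, and on an open node reports the server version, each index with its document count, and the total number of documents reachable without credentials. The version is compared against 1.6.0, the release that fixed CVE-2015-4165. The _cat/indices output used in the comments is constructed for illustration, not captured from a real host.

```shell
#!/bin/sh
# Added example (not part of the AusCERT advisory): probe an Elasticsearch node
# for unauthenticated HTTP access and summarise what is exposed.
# Assumes curl is installed; usage: ./es-probe.sh <host> [port]   (port defaults to 9200)

ES_PORT_DEFAULT=9200

# Fetch a path and print the body followed by the HTTP status code on its own
# last line. curl prints 000 as the status when the connection fails.
es_get() {
    # $1 host, $2 port, $3 path
    curl -s -m 5 -w '\n%{http_code}' "http://$1:$2$3"
}

# Map an HTTP status to an exposure verdict. A 401/403 means something
# (e.g. Shield) is authenticating requests in front of the API.
classify_status() {
    case "$1" in
        200)     echo open ;;
        401|403) echo auth-required ;;
        *)       echo unreachable ;;
    esac
}

# Parse the tabular output of /_cat/indices?v (a header line followed by one
# row per index) and print "index docs.count" for each row. Columns are looked
# up by header name, so the parser works whether or not the uuid column is present.
# Constructed sample input:
#   health status index     uuid pri rep docs.count docs.deleted store.size pri.store.size
#   yellow open   customers abc  5   1   1234       0            2.1mb      2.1mb
parse_cat_indices() {
    awk 'NR == 1 { for (i = 1; i <= NF; i++) col[$i] = i; next }
         NF > 0  { print $(col["index"]), $(col["docs.count"]) }'
}

# Sum docs.count over all indices: the number of documents a plain curl could pull out.
count_docs() {
    parse_cat_indices | awk '{ total += $2 } END { print total + 0 }'
}

# Pull the server version out of the JSON returned by GET / ("number" : "x.y.z").
extract_version() {
    sed -n 's/.*"number" *: *"\([^"]*\)".*/\1/p' | head -n 1
}

# Succeed (exit 0) when version $1 is older than 1.6.0, the first release that
# fixed CVE-2015-4165 (arbitrary file write through the snapshot API).
older_than_1_6_0() {
    echo "$1" | awk -F. '{ exit !($1 < 1 || ($1 == 1 && $2 < 6)) }'
}

# Probe one host and print a short report.
scan() {
    host=$1
    port=${2:-$ES_PORT_DEFAULT}
    root=$(es_get "$host" "$port" /)
    status=$(printf '%s\n' "$root" | tail -n 1)
    verdict=$(classify_status "$status")
    echo "$host:$port -> $verdict (HTTP $status)"
    [ "$verdict" = open ] || return 0

    version=$(printf '%s\n' "$root" | extract_version)
    echo "version: ${version:-unknown}"
    if [ -n "$version" ] && older_than_1_6_0 "$version"; then
        echo "WARNING: older than 1.6.0, affected by CVE-2015-4165"
    fi

    # Drop the trailing status line before parsing the table.
    indices=$(es_get "$host" "$port" "/_cat/indices?v" | sed '$d')
    echo "indices (name docs.count):"
    printf '%s\n' "$indices" | parse_cat_indices
    echo "documents reachable without authentication: $(printf '%s\n' "$indices" | count_docs)"
}

if [ $# -ge 1 ]; then
    scan "$@"
fi
```

Run it against each address in scope; any host reported as open is a confirmed finding, and the document total gives the scale of what a simple curl could exfiltrate.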

AusCERT recommended mitigation(s):

If the service is not required, turn it off. If it is required, restrict who can reach it: bind the node to an internal interface rather than every interface (the network.host setting in elasticsearch.yml) and apply network allow-listing so that the Elasticsearch HTTP port (9200) and the node-to-node transport port (9300) answer only to the required IP addresses. Authentication and authorisation for the data itself can be added with Elastic's Shield plug-in [3]. (Shield was later folded into Elastic's X-Pack security features, so on current versions enable the built-in security features instead.)
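The binding and allow-listing mitigations above as checks and generated rules. This is an added example, not part of the AusCERT advisory: it assumes a Linux host with iptables and an elasticsearch.yml at $ES_CONFIG, the client addresses are constructed for illustration, and nothing is changed on the host unless the generated rules are piped into sh deliberately. The weak setting is shown beside the corrected one in the comments.

```shell
#!/bin/sh
# Added example (not part of the AusCERT advisory): audit the network.host
# binding in elasticsearch.yml and generate iptables rules that allow only
# listed clients to reach ports 9200 and 9300. Assumes iptables is in use.

ES_CONFIG=${ES_CONFIG:-/etc/elasticsearch/elasticsearch.yml}

# 1. Binding. The weak setting
#      network.host: 0.0.0.0
#    answers on every interface, including the Internet-facing one
#    (Elasticsearch 1.x does this by default; 2.0 and later default to loopback).
#    The corrected setting binds to the loopback or an internal address only:
#      network.host: 127.0.0.1     # single node, clients on the same host
#      network.host: 10.0.0.10     # internal interface shared with the other nodes (constructed address)

# Print the configured network.host value, or "<unset>" when the line is absent.
get_network_host() {
    awk -F': *' '$1 == "network.host" { print $2; found = 1 }
                 END { if (!found) print "<unset>" }' "$1"
}

# Judge a network.host value: weak if it binds every interface, check-default
# if unset (safe or not depending on the version, see above), ok otherwise.
judge_bind() {
    case "$1" in
        0.0.0.0|::|_global_) echo weak ;;
        '<unset>')           echo check-default ;;
        *)                   echo ok ;;
    esac
}

# Report on one config file.
audit_config() {
    host=$(get_network_host "$1")
    echo "$1: network.host=$host -> $(judge_bind "$host")"
}

# 2. Network allow-listing. Print iptables rules that accept the HTTP API (9200)
#    and the transport port (9300) only from the given client addresses and drop
#    everything else. The list must include the other cluster nodes, which talk
#    on 9300. Rules are appended, so they assume no earlier catch-all ACCEPT in
#    INPUT. Review the output, then apply with:  allow_only 10.0.0.5 10.0.0.6 | sh
allow_only() {
    for port in 9200 9300; do
        for ip in "$@"; do
            echo "iptables -A INPUT -p tcp --dport $port -s $ip -j ACCEPT"
        done
        echo "iptables -A INPUT -p tcp --dport $port -j DROP"
    done
}

if [ -r "$ES_CONFIG" ]; then
    audit_config "$ES_CONFIG"
fi
```

On a single-node deployment the firewall rules are the backstop and the binding change is the fix; on a cluster both are needed because nodes must still reach each other on 9300.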

References:

[1] https://www.elastic.co/products/elasticsearch

[2] https://www.auscert.org.au/23144

[3] https://www.elastic.co/products/shield
