Researchers report that Open Distro, a software distribution that bundles Elasticsearch and Kibana, was affected by a vulnerability that allowed threat actors to gain unauthorized access to server and network resources.
The flaw, reported by researcher Rotem Bar, could have allowed privileged users to enumerate listening services or interact with resources on the Open Distro server's network by means of HTTP requests; in other words, exploitation would have enabled server-side request forgery (SSRF) attacks.
Open Distro adds multiple features to Elasticsearch and simplifies interaction with the underlying API. In his research, Bar found a web module that let users create an Open Distro component and define a customizable webhook pointing at any resource on the network. He was able to use this module to create a webhook that issued forged requests and scanned the network, reaching the metadata API and other sensitive internal resources.
“Threat actors could take the schema further to identify other vulnerabilities in services running on local servers and use them to deploy subsequent attacks,” the expert adds.
The severity of this flaw depends on the deployment environment. If only known administrators can reach the Elasticsearch instance and the service is isolated from other network resources, the risk is low. If the instance is reachable by all users inside and outside the enterprise, the severity increases, and if nothing restricts access between servers, it can lead to critical incidents.
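As an added illustration of the defensive check that closes this class of SSRF in a webhook feature (example code, not Open Distro's own nor part of Bar's research): validate a user-supplied webhook destination and refuse any URL that resolves to a loopback, private, link-local (including the 169.254.169.254 cloud metadata address) or otherwise non-public address. The hostnames and the offline resolver table are constructed for the example.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed resolver table so the example runs offline. A real deployment would
# resolve with socket.getaddrinfo and then connect to the *validated* address
# (not re-resolve), so a DNS answer cannot change between check and use.
FAKE_DNS = {
    "alerts.example.com": ["8.8.8.8"],                 # constructed: public SaaS endpoint
    "metadata.internal.example": ["169.254.169.254"],  # constructed: points at cloud metadata
}


def resolve(host):
    """Return the addresses a hostname maps to; IP literals map to themselves."""
    try:
        return [str(ipaddress.ip_address(host))]
    except ValueError:
        return FAKE_DNS.get(host, [])


def webhook_url_problems(url, resolver=resolve):
    """Return the reasons a user-supplied webhook URL must be rejected (empty = allowed).

    Only http(s), no embedded credentials, and every resolved address must be public
    (is_global), which rules out loopback, RFC 1918, link-local (169.254.169.254) and ULA.
    """
    problems = []
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        problems.append(f"scheme {parts.scheme!r} not allowed")
    host = parts.hostname
    if not host:
        problems.append("missing host")
        return problems
    if parts.username or parts.password:
        problems.append("credentials embedded in URL")
    addrs = resolver(host)
    if not addrs:
        problems.append(f"could not resolve {host}")
    for addr in addrs:
        ip = ipaddress.ip_address(addr)
        if not ip.is_global:
            problems.append(f"{host} resolves to non-public address {ip}")
    return problems


if __name__ == "__main__":
    for url in ("https://alerts.example.com/hook", "http://169.254.169.254/latest/meta-data/"):
        print(url, "->", webhook_url_problems(url) or "allowed")
```

The outbound client that delivers the webhook must also refuse to follow redirects (or re-run this check on every hop), since a public host can otherwise redirect the request to an internal address.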
Bar discovered this flaw while pentesting a client's servers, where several different solutions had been combined into a large technology stack. This is common practice among organizations that lack in-house software talent and hire system integrators to assemble a working solution.
The problem with this approach is that the final solution often has more complexity and features than the customer needs, opening attack vectors that system administrators cannot anticipate. Such a stack also requires configuration, maintenance and upgrade procedures that often exceed the customer's skills.
To learn more about information security risks, malware variants, vulnerabilities and information technologies, visit the International Institute of Cyber Security (IICS) websites.