Experts report that Open Distro, a software package that bundles Elasticsearch and Kibana, was affected by a vulnerability that allowed threat actors to gain unauthorized access to server and network resources.
The flaw, reported by researcher Rotem Bar, could have allowed privileged users to enumerate listening services or interact with resources reachable over HTTP from the Open Distro server's network; in other words, exploitation would have enabled server-side request forgery (SSRF) attacks.
Open Distro adds multiple features to Elasticsearch and simplifies interaction with the underlying API. In his research, Bar found a web module that allowed users to create an Open Distro module and define a customizable webhook pointing at any resource on the network. The researcher was able to use this module to create a webhook that issued forged requests and scanned the network, reaching the metadata API and other compromised resources.
“Threat actors could take the schema further to identify other vulnerabilities in services running on local servers and use them to deploy subsequent attacks,” the expert adds.
The severity of this flaw depends on the deployment environment. If only known administrators can reach the Elasticsearch instance and the service is isolated from other network resources, the risk is low. If the Elasticsearch instance is reachable by all users inside and outside the enterprise, the severity increases. And if there are no controls restricting access between servers, it can lead to critical incidents.
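The mitigation this implies is validating a webhook destination before the server ever sends the request. The following Python check is an added example, not code from Open Distro or from Bar's write-up: it resolves the destination host and rejects any URL that resolves to loopback, RFC 1918, link-local (the range the cloud metadata API lives in) or other non-routable addresses; the host table, hostnames and injectable resolver are constructed so it runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

def _unmap(ip):
    # Treat IPv4-mapped IPv6 (::ffff:a.b.c.d) as the embedded IPv4 address
    return ip.ipv4_mapped if ip.version == 6 and ip.ipv4_mapped else ip

def _is_internal(ip):
    # Loopback, RFC 1918, link-local (169.254.0.0/16 holds the cloud
    # metadata API), multicast, reserved and unspecified addresses
    ip = _unmap(ip)
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)

def validate_webhook_destination(url, resolver=socket.getaddrinfo):
    """Return (allowed, reason). `resolver` is injectable so callers can
    test without DNS; it must accept socket.getaddrinfo's arguments."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if parts.username or parts.password:
        return False, "credentials in URL not allowed"
    port = parts.port or (443 if parts.scheme == "https" else 80)
    try:
        infos = resolver(host, port, proto=socket.IPPROTO_TCP)
    except OSError:
        return False, "host does not resolve"
    # Every resolved address must be external: a single internal A/AAAA
    # record is enough to reject, since the client may connect to any.
    for info in infos:
        ip = ipaddress.ip_address(info[4][0])
        if _is_internal(ip):
            return False, "resolves to internal address %s" % ip
    return True, "ok"

def fake_resolver(table):
    """Offline resolver built from a constructed {host: [ip, ...]} table;
    IP literals resolve to themselves, as getaddrinfo would do."""
    def resolve(host, port, proto=0):
        try:
            ips = [str(ipaddress.ip_address(host))]
        except ValueError:
            if host not in table:
                raise socket.gaierror("constructed NXDOMAIN for %s" % host)
            ips = table[host]
        return [(None, None, proto, "", (ip, port)) for ip in ips]
    return resolve
```

The check must be repeated at request time, not only when the webhook is saved, and redirects must not be followed without re-validating the target, otherwise a DNS change or a redirect to an internal host bypasses it.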
Bar discovered this flaw during a penetration test of a client's servers, where several products had been combined into a large technology stack. This is common among organizations that lack in-house software talent and hire system integrators to assemble a working solution.
The problem with this approach is that the resulting solution often has more complexity and features than the customer needs, opening attack vectors that system administrators cannot anticipate. Such a stack also requires configuration, maintenance and upgrade procedures that often exceed the customer's skills.