Report Highlights Cyber Security Dangers of Elastic Stack Implementation Errors
A new report identified significant vulnerabilities resulting from the improper implementation of Elastic Stack, a group of open source products that use APIs for critical data aggregation, search and analysis capabilities.
Researchers at cybersecurity firm Salt Security discovered issues that allowed them not only to launch attacks where any user could extract sensitive client and system data, but also to create a denial of service condition that would make the system unavailable.
The researchers said they first discovered the vulnerability while protecting one of their clients, a large business-to-consumer online platform that provides mobile apps and API-based software as a service to millions of users around the world.
Once they discovered the vulnerability, they checked out other customers using Elastic Stack and found that almost all businesses with it were affected by the vulnerability, which exposed users to injection attacks and more.
Salt Security officials quickly noticed that this was not a vulnerability with Elastic Stack itself, but rather an issue with the way it is implemented. Salt Security technical evangelist Michael Isbitski said the vulnerability is not related to any issue with the software from Elastic but is related to “a risky implementation configuration common by users.”
He noted that Elastic provides advice on how to implement Elastic Stack instances safely, but noted that the onus is on practitioners to use the guidance.
“Lack of awareness of potential misconfigurations, poor implementations, and cluster exposures is largely a community issue that can only be addressed through research and education,” Isbitski told ZDNet.
“Elastic Stack is far from the only example of this type of implementation problem, but the company can help educate its users, just as Salt Security has worked with CISOs, security architects and other application security practitioners to alert them to this API vulnerability and others and to provide best practices for mitigation.”
The vulnerability would allow a malicious actor to abuse the lack of authorization between front-end and back-end services in order to gain a functional user account with basic authorization levels.
From there, a cyber attacker could then exfiltrate sensitive user and system data by making “educated guesses about the schema of back-end data stores and querying data that they are not allowed to access,” the report said.
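The pattern the report describes, a front-end that forwards client-supplied search bodies to the back-end cluster without any authorization filter, is easiest to see next to its hardened counterpart. The example below is added here and is not code from Salt Security, Elastic or the report; the documents, the field names (owner_id, account_number, memo) and the small query evaluator are constructed stand-ins so it runs without a cluster, and the evaluator understands only the handful of query DSL clauses used here.

```python
"""Added illustration, not code from Salt Security, Elastic, or the report.

It contrasts a front-end that passes a client's search body straight to the
back-end (no authorization between the tiers) with a builder in which the
service owns the query and always scopes it to the authenticated caller.
Documents, field names and the evaluator are constructed stand-ins.
"""
from typing import Any

# Constructed sample documents standing in for a back-end index.
DOCUMENTS: list[dict[str, Any]] = [
    {"_id": "1", "owner_id": "alice", "account_number": "1111", "memo": "rent"},
    {"_id": "2", "owner_id": "bob", "account_number": "2222", "memo": "rent"},
    {"_id": "3", "owner_id": "bob", "account_number": "3333", "memo": "groceries"},
]

# Assumption: only these fields may ever be returned to a front-end client.
ALLOWED_RETURN_FIELDS = ["memo"]


def unsafe_forward(client_body: dict) -> dict:
    """Vulnerable pattern: the client's search body reaches the back-end unchanged.

    Nothing here ties the query to the caller, so a low-privilege account that
    guesses field names can read records belonging to other users, which is
    the gap the report attributes to missing authorization between the tiers.
    """
    return client_body


def safe_build(authenticated_user: str, memo_text: str) -> dict:
    """Hardened pattern: the service constructs the query itself.

    The caller contributes only a search term; the owner filter and the
    returned-field allowlist are fixed server-side and cannot be overridden
    by anything the client sends.
    """
    return {
        "_source": ALLOWED_RETURN_FIELDS,
        "query": {
            "bool": {
                "filter": [{"term": {"owner_id": authenticated_user}}],
                "must": [{"match": {"memo": memo_text}}],
            }
        },
    }


def _clause_matches(clause: dict, doc: dict) -> bool:
    """Evaluate a small subset of the query DSL against one document."""
    if "match_all" in clause:
        return True
    if "term" in clause:
        (field, value), = clause["term"].items()  # exact-value comparison
        return doc.get(field) == value
    if "match" in clause:
        (field, value), = clause["match"].items()  # crude full-text stand-in
        return str(value).lower() in str(doc.get(field, "")).lower()
    if "bool" in clause:
        b = clause["bool"]
        return all(_clause_matches(c, doc) for c in b.get("filter", [])) and all(
            _clause_matches(c, doc) for c in b.get("must", [])
        )
    raise ValueError(f"unsupported clause: {sorted(clause)}")


def run_query(body: dict, documents: list[dict] = DOCUMENTS) -> list[dict]:
    """Stand-in for the cluster: return matching documents, honouring _source."""
    source = body.get("_source")
    query = body.get("query", {"match_all": {}})
    hits = []
    for doc in documents:
        if _clause_matches(query, doc):
            hits.append({k: v for k, v in doc.items() if source is None or k in source})
    return hits


if __name__ == "__main__":
    # A client body that simply asks for everything: through the unsafe
    # front-end it returns every account number in the index.
    print(run_query(unsafe_forward({"query": {"match_all": {}}})))
    # The hardened builder returns only alice's own, non-sensitive data.
    print(run_query(safe_build("alice", "rent")))
```

The point of the contrast is where the query is authored: in the hardened version the client never supplies query DSL at all, so there is no schema to guess against and no way to drop the owner filter, and the _source allowlist keeps sensitive fields out of responses even for the caller's own records.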
Salt Security CEO Roey Eliyahu said that although Elastic Stack is widely used and secure, the same architectural design errors have been seen in almost every environment that uses it.
“The vulnerability of the Elastic Stack API can lead to the exposure of sensitive data that can be used to perpetuate serious fraud and abuse, thereby creating substantial business risk,” Eliyahu said.
Exploits that take advantage of this Elastic Stack vulnerability can create “a cascade of API threats,” according to researchers at Salt Security, who also showed that the design and implementation flaws worsen considerably when an attacker has a chain of exploits.
The problem was something that security researchers have long emphasized with a number of similar products like MongoDB and HDFS.
“The specific queries made to the Elastic back-end services used to exploit this vulnerability are difficult to test. This case shows why architecture is important to any API security solution you put in place: you need to be able to grasp substantial context about API use over time,” Isbitski said.
“It also shows how critical it is to properly design application environments. Every organization should assess API integrations between their systems and applications, as they have a direct impact on the security posture of the business.”
Researchers at the company said they were able to access sensitive data such as account numbers, transaction confirmation numbers and other information that would violate GDPR regulations.
The report details other actions that could be taken due to the vulnerability, including the possibility of various fraudulent activities, extorting funds, stealing identities and taking over accounts.
Jon Gaines, senior application security consultant at nVisium, said the Elastic Stack is “notorious for excessive data exposure” and added that a few years ago – and by default – data was publicly exposed. Since then the defaults have changed, but he noted that doesn’t mean older versions aren’t grandfathered in or that minor configuration changes can’t lead to these two newly discovered vulnerabilities.
“There are – and there have been – several open source tools that lead to the discovery of these vulnerabilities that I have used before and still use. Unfortunately, the technical barrier of these vulnerabilities is extremely low. As a result, the risk of a bad guy discovering and exploiting these vulnerabilities is high,” Gaines said.
“From the outside, these vulnerabilities are common sense for security professionals: authorization, rate limits, invalidation, parameterized requests, etc. However, as a data custodian, administrator, or even developer, you are often not taught how to develop or maintain with security in mind.”
Vulcan Cyber CEO Yaniv Bar-Dayan added that the most common cloud vulnerability is caused by human error and configuration errors, and APIs are not immune.
“We have all seen exposed customer data and denial of service attacks causing significant hardware damage to hacked targets. Exploitation of this vulnerability is preventable but must be addressed quickly,” said Bar-Dayan.
“Other Elastic Stack users should check their own implementations for this misconfiguration and not repeat the same mistake.”