Incident #482

closed

GARR-CERT-16H1208 Unrestricted elasticsearch server access on node13.p.d4science.research-infrastructures.eu

Added by Andrea Dell'Amico over 9 years ago. Updated over 9 years ago.

Status: Closed
Priority: Immediate
Assignee: _InfraScience Systems Engineer
Category: System Application
Target version:
Start date: Aug 12, 2015
Due date:
% Done: 100%
Estimated time:
Infrastructure: Production

Description

GARR-CERT reports that node13.p.d4science.research-infrastructures.eu has the main port of an Elasticsearch instance open to the world:

############################################################
Incident Number: GARR-CERT-16H1208
############################################################

Hello,

I am a member of GARR-CERT (www.cert.garr.it), the Computer
Security Incident Response Team of the GARR network (www.garr.it),
the Italian Academic and Research Network.

We have received a report according to which the Elasticsearch software
running on host node13.p.d4science.research-infrastructures.eu
(146.48.122.236) is reachable and can be queried from any
node on the Internet.

timestamp,ip,proto,port,hostname,tag,version,naics,sic,ok,name,cluster_name,status,build_hash,build_timestamp,build_snapshot,lucene_version,tagline
2015-08-02 06:48:25,146.48.122.236,tcp,9200,node13.p.d4science.research-infrastructures.eu,elasticsearch,1.5.0,0,0,,Amphibion,es-cluster--d4science.research-infrastru,200,544816042d40151d3ce4ba4f95399d7860dc2e92,2015-03-23T14:30:58Z,false,4.10.4,You Know, for Search


Elasticsearch does not provide any authentication or restriction on access
to data, so it is possible for anyone to gain complete control
of the service and abuse it.

We suggest that you configure restrictions
in order to control access to the server.


References:

https://www.elastic.co/products/elasticsearch

https://www.shadowserver.org/wiki/pmwiki.php/Services/Open-Elasticsearch

https://www.tenable.com/plugins/index.php?view=single&id=76572
http://bouk.co/blog/elasticsearch-rce/

http://stackoverflow.com/questions/4960298/how-to-secure-an-internet-facing-elastic-search-implementation-in-a-shared-hosti
https://github.com/sonian/elasticsearch-jetty

https://github.com/floragunncom/search-guard
http://stackoverflow.com/questions/31366406/search-guard-not-integrating-with-elasticsearch

Kind regards,
GARR-CERT staff

~------------------------------------------------------------------
Andrea Pinzani         G A R R - C E R T       tel. +39 055 4572723
Italian Academic and Research Network            http://www.garr.it
Computer Security Incident Response Team    http://www.cert.garr.it
PGP key: http://www.cert.garr.it/PGP/keys.php3#ap
~------------------------------------------------------------------
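
Added example, not part of the ticket or of GARR-CERT's message: Python that parses the CSV row quoted in the report, where the unquoted tagline `You Know, for Search` yields one field more than the header has, and checks whether the reported address falls in a network you operate. `OUR_NETWORKS`, the function names and the reading of the `status` column are assumptions made for illustration.

```python
import csv
import ipaddress

# Header and row copied from the report quoted in this ticket.
HEADER = "timestamp,ip,proto,port,hostname,tag,version,naics,sic,ok,name,cluster_name,status,build_hash,build_timestamp,build_snapshot,lucene_version,tagline"
ROW = "2015-08-02 06:48:25,146.48.122.236,tcp,9200,node13.p.d4science.research-infrastructures.eu,elasticsearch,1.5.0,0,0,,Amphibion,es-cluster--d4science.research-infrastru,200,544816042d40151d3ce4ba4f95399d7860dc2e92,2015-03-23T14:30:58Z,false,4.10.4,You Know, for Search"

# Assumption for illustration: the address range this team is responsible for.
OUR_NETWORKS = [ipaddress.ip_network("146.48.122.0/24")]


def parse_report(header, lines):
    """Yield one dict per row, tolerating unquoted commas in the last column."""
    columns = header.split(",")
    for fields in csv.reader(lines):
        if not fields:
            continue  # skip blank lines between rows
        if len(fields) < len(columns):
            raise ValueError("short row: %r" % (fields,))
        # The tagline is not quoted, so it splits on its own comma;
        # fold every overflow field back into the final column.
        head, tail = fields[:len(columns) - 1], fields[len(columns) - 1:]
        yield dict(zip(columns, head + [",".join(tail)]))


def triage(record, networks=OUR_NETWORKS):
    """Return (is_ours, answered) for one parsed report record."""
    addr = ipaddress.ip_address(record["ip"])
    is_ours = any(addr in net for net in networks)
    # Assumed reading: status 200 plus a cluster name means the node
    # returned its banner to a request that carried no credentials.
    answered = record["status"] == "200" and bool(record["cluster_name"])
    return is_ours, answered


def summarize(header=HEADER, lines=(ROW,)):
    """Return (hostname, port, version, tagline, is_ours, answered) tuples."""
    out = []
    for rec in parse_report(header, lines):
        ours, answered = triage(rec)
        out.append((rec["hostname"], int(rec["port"]), rec["version"],
                    rec["tagline"], ours, answered))
    return out


if __name__ == "__main__":
    for item in summarize():
        print(item)
```
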