CVE-2022-23708: Elasticsearch 7.17. Security Index Flaw - Exploit Details, Code Snippets, and Original References

A recently discovered vulnerability in Elasticsearch 7.17., registered under the CVE identifier CVE-2022-23708, has exposed a crucial flaw in the software's upgrade assistant. When upgrading from Elasticsearch 6.x to 7.x, the upgrade assistant inadvertently disables the in-built protections on the security index. As a result, authenticated users with “*” index permissions can gain unwanted access to this index. This article delves into the details of this vulnerability, providing code snippets, original references, and more.

Exploit Details

Upon upgrading from Elasticsearch 6.x to 7.x, the upgrade assistant fails to retain specific security settings for the ".security-*" index pattern. Consequently, users with “*” index permissions, which generally grant access to all indices, can now access the security index as well. This security index contains sensitive data such as passwords, API keys, and role-based access control settings. Unauthorized access to such information can have severe security implications and might lead to potential data breaches.

Code Snippet

The following Python code demonstrates the vulnerability using the Elasticsearch official Python client (elasticsearch-py):

from elasticsearch import Elasticsearch

# Replace the following values with your Elasticsearch instance's details
es_host = "localhost"
es_port = 920
es_user = "my_elasticsearch_username"
es_pass = "my_elasticsearch_password"

# Initialize the Elasticsearch client
es = Elasticsearch([{"host": es_host, "port": es_port}], http_auth=(es_user, es_pass))

# Check for access to security index
try:
    search_results = es.search(index=".security-*", body={"query": {"match_all": {}}})
    print("Access granted to the security index:")
    print(search_results)
except Exception as e:
    print(f"Access denied to the security index: {e}")

Original References

The Elastic team acknowledged this vulnerability in their official announcement, where they addressed the issue and provided mitigation guidance. You can find the original references here:

- Elastic Security Advisory: ESA-2022-12
- NVD - CVE-2022-23708: National Vulnerability Database

Recommended Mitigations

Elastic recommends patching Elasticsearch to version 7.17.1, which includes a fix to retain security settings during the upgrade process. For those who have already upgraded to 7.17. and cannot upgrade to 7.17.1, Elastic suggests manually applying the security settings to the ".security-*" index pattern after completing the upgrade. Follow the steps below:

`

curl -u: -X GET http://:/_security/_privileges?filter_path=*.application

`

2. If the response contains an entry for "global-indices-all_access", the vulnerability affects your cluster. Apply the Security Setting as follows:

`

curl -u: -X POST http://:/_security/privilege -H "Content-Type: application/json" -d '{"global-indices-all_access":{"application": "global-indices", "action": ["*"], "indices": ["*"],"exclude_patterns": [".security-*"]}}'

Conclusion

CVE-2022-23708, a critical vulnerability in Elasticsearch 7.17., exposes the security index by disabling the in-built protections during the upgrade process. To mitigate this issue and secure sensitive data, users should either update to Elasticsearch 7.17.1 or apply the recommended manual fix to restore the security settings.

Timeline

Published on: 03/03/2022 22:15:00 UTC
Last modified on: 07/29/2022 20:15:00 UTC