This type of attack is difficult to carry out, but could be successful if a large number of Elasticsearch nodes are running on the same network.

Details of the vulnerability were published on December 28th, 2018. The specific flaw exists in the handling of X-Pack. When Elasticsearch attempts to parse specially crafted X-Pack HTTP headers, it could be exploited to cause a Denial of Service condition.
In order for Elasticsearch to successfully parse X-Pack headers, a feature called “X_ENC_VAR_PACK” must be enabled in the configuration.

An attacker could leverage this issue to send a specially crafted X-Pack request to an Elasticsearch node. If “X_ENC_VAR_PACK” is enabled in the configuration, Elasticsearch could be tricked into parsing X-Pack headers.
Forcing a node to parse X-Pack headers causes Elasticsearch to crash, resulting in a Denial of Service condition.

How Does the Elasticsearch X-Pack Vulnerability Work?

In order to exploit this vulnerability, an attacker must send a specially crafted HTTP request to an Elasticsearch node that has the feature configured. The attack payload must have the following attributes:

- The X-Pack headers should contain specific encrypted data
- The encryption key for the X-Pack headers must be known by the attacker

How Does Elasticsearch Handle X-Pack HTTP Headers?

This vulnerability could be exploited by an attacker sending a specially crafted X-Pack request to the Elasticsearch node.
In order to parse X-Pack headers at all, Elasticsearch must have “X_ENC_VAR_PACK” enabled in its configuration file. If “X_ENC_VAR_PACK” is enabled, a specially crafted X-Pack HTTP header is parsed as valid data, which causes the node to crash and lose all indices stored on that machine.
Elasticsearch is vulnerable only when “X_ENC_VAR_PACK” is enabled in the configuration file.

How to enable the “X_ENC_VAR_PACK” feature

1. Edit the Elasticsearch configuration file
2. Look for the section titled “X_ENC_VAR_PACK”
3. Add the line “X_ENC_VAR_PACK: true” within that section

Inclusion of X-Pack header during node startup

FIGURE 1: Elasticsearch node startup

When the node starts, it loads a number of libraries. One of these is the “elasticsearch-java” library. This library checks for a special header called X-Pack and, if it is present, checks that X-Pack is enabled in the configuration file. The following code snippet shows an example of this check:

    if (this.getConfig().hasProperty(X_ENC_VAR_PACK)) {
        // X-Pack is enabled: the X-Pack header is parsed
    } else {
        // X-Pack is not enabled: loading continues without parsing the header
    }

For this check to succeed, X-Pack must be enabled in the configuration file. If the check fails because X-Pack isn't enabled, the library simply continues loading without performing any further checks. Many things have to happen when a node starts before it can do its primary job; for example, it must load all of its dependencies first. For this to work correctly, a node needs to start from a clean slate each time it comes up.

How to detect Elasticsearch X-Pack vulnerability

The easiest way to detect this vulnerability is by reviewing your security logs. The default Elasticsearch configuration logs X-Pack requests. If an entry appears in the logs that looks like:
"SENDING MESSAGE TYPE=X-PACK TO SERVER_ADDRESS OF ADMIN_PORT"
then it could be a sign that your Elasticsearch node has been exploited through this vulnerability.
You can also check the instance's configuration for changes and restart the node if any are found. The issue was resolved on December 28th, 2018 and patches have been available since then, so you should upgrade before January 1st, 2019 or take other measures to mitigate the risk of exploitation.
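The two checks described above (whether “X_ENC_VAR_PACK” is enabled in the configuration file, and whether the quoted log entry appears in the node's logs) can be automated. The following script is an added example and is not code from the original article or from Elasticsearch; the setting name and the log message pattern are taken from the text above, while the sample configuration file and log lines are constructed for the example and the exact log format of a real deployment may differ.

```python
import re
from typing import Dict, List

# Constructed sample of an elasticsearch.yml-style configuration (not from a real deployment).
# The X_ENC_VAR_PACK setting name is the one used in the advisory text.
SAMPLE_CONFIG = """\
cluster.name: demo-cluster
node.name: node-1
# X_ENC_VAR_PACK section
X_ENC_VAR_PACK: true
network.host: 0.0.0.0
"""

# Constructed sample log lines. The second line follows the pattern quoted in the
# advisory: "SENDING MESSAGE TYPE=X-PACK TO SERVER_ADDRESS OF ADMIN_PORT".
SAMPLE_LOG = """\
[2018-12-28T10:00:01,000][INFO ][o.e.n.Node] [node-1] started
[2018-12-28T10:02:17,512][WARN ][o.e.x.s.t.n] [node-1] SENDING MESSAGE TYPE=X-PACK TO 10.0.0.5 OF 9300
[2018-12-28T10:02:18,001][INFO ][o.e.c.s.ClusterService] [node-1] cluster state updated
"""

# An uncommented "X_ENC_VAR_PACK: <value>" line; the value is captured for inspection.
_SETTING_RE = re.compile(r"^\s*X_ENC_VAR_PACK\s*:\s*(\S+)\s*$", re.IGNORECASE)

# The log message pattern from the advisory, with the address and port left generic so
# both literal placeholders (SERVER_ADDRESS / ADMIN_PORT) and real values match.
_XPACK_LOG_RE = re.compile(r"SENDING MESSAGE TYPE=X-PACK TO \S+ OF \S+")


def x_enc_var_pack_enabled(config_text: str) -> bool:
    """Return True if an uncommented X_ENC_VAR_PACK line sets the value to true."""
    for line in config_text.splitlines():
        if line.strip().startswith("#"):
            continue  # commented-out lines do not enable the feature
        match = _SETTING_RE.match(line)
        if match and match.group(1).strip("\"'").lower() == "true":
            return True
    return False


def find_xpack_log_entries(log_text: str) -> List[str]:
    """Return every log line that matches the X-PACK message pattern from the advisory."""
    return [line for line in log_text.splitlines() if _XPACK_LOG_RE.search(line)]


def assess_node(config_text: str, log_text: str) -> Dict[str, object]:
    """Combine both checks: the node is exposed only when the setting is enabled, and the
    log entries are a possible sign that the exposure was exercised."""
    enabled = x_enc_var_pack_enabled(config_text)
    entries = find_xpack_log_entries(log_text)
    return {
        "x_enc_var_pack_enabled": enabled,
        "xpack_log_entries": entries,
        "exposed": enabled,
        "possible_exploitation": enabled and bool(entries),
    }


if __name__ == "__main__":
    result = assess_node(SAMPLE_CONFIG, SAMPLE_LOG)
    print("X_ENC_VAR_PACK enabled:", result["x_enc_var_pack_enabled"])
    for entry in result["xpack_log_entries"]:
        print("suspicious log entry:", entry)
    print("possible exploitation:", result["possible_exploitation"])
```

To use it against a real node, read the contents of the configuration file and of the node's log file into `config_text` and `log_text` respectively; a positive `exposed` result means the mitigation in the text (upgrade, or disable the setting and restart the node) applies regardless of whether any log entries were found.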

Timeline

Published on: 06/06/2022 18:15:00 UTC
Last modified on: 07/07/2022 15:15:00 UTC

References