CVE-2023-45807 - Exploiting OpenSearch Dashboards Tenant Permissions – How Read-Only Users Got Write Powers

OpenSearch is a popular, open-source fork of Elasticsearch and Kibana. It emerged after Elastic’s licensing change in early 2021, with the goal of keeping search and analytics software truly open for the community. Since then, many organizations have adopted OpenSearch Dashboards for visualizing and managing their data. But in October 2023, a critical issue was identified in how OpenSearch Dashboards handles tenant permissions: CVE-2023-45807.

This post will break down the CVE, show the risk with code samples, and explain how to secure your OpenSearch clusters.

What is CVE-2023-45807?

When you use OpenSearch Dashboards, you can have different workspaces called tenants. These tenants let teams or users share dashboards and visualizations, but also protect each group’s private work. Permissions can be set as "read-only" or "write."

The bug in CVE-2023-45807 is that users with read-only permissions to a tenant can still perform “write” actions – such as creating, editing, or deleting the *metadata* of dashboards and visualizations. This doesn’t let them access or change the actual data, but they can break the dashboards for everyone by manipulating metadata.

> Note: This does NOT give them extra data access, nor can they change the data indexes themselves.

What can an attacker do?

- Create new dashboards/visualizations metadata.

Edit or delete existing dashboard metadata.

- Potentially make dashboards/visualizations unavailable to all users of the tenant.

Technical Details and Exploitation

In normal situations, OpenSearch Dashboards controls access to documents and index data. However, the flaw lies in how requests against the dashboard *metadata* are processed – the backend doesn’t fully enforce read-only restrictions on index metadata in the same way as real data access.

How Attackers Could Abuse This

Suppose Alice belongs to a group with only read-only access to the "Marketing" tenant. She should only be able to view dashboards. Instead, due to CVE-2023-45807, she can still alter or delete the dashboard metadata, thus potentially hiding dashboards from everyone.

Example API Call to Delete a Dashboard (should be forbidden but is not!)

# Alice's read-only token/credentials
curl -X DELETE \
  -H "kbn-xsrf: true" \
  -H "Authorization: Bearer <READ_ONLY_TOKEN>" \
  https://<your-opensearch>/api/saved_objects/dashboard/<dashboard-id>?namespace=marketing

In insecure versions, this works – even for users who should only have read permissions! If the tenant controls are not patched, a malicious (or careless) user could delete important dashboard metadata.

Example: Creating a New Visualization as a Read-Only User

curl -X POST \
  -H "kbn-xsrf: true" \
  -H "Authorization: Bearer <READ_ONLY_TOKEN>" \
  https://<your-opensearch>/api/saved_objects/visualization \
  -d '
  {
    "attributes": {
      "title": "Bad Viz",
      "visState": "{}",
      "uiStateJSON": "{}",
      "description": "This should not work for read-only"
    }
  }'

Again, with the vulnerability present, this request would succeed.

*Malicious tampering* with dashboards or visualizations

- *Major outages* for shared dashboards/visualizations

It’s like telling guests at a library to “look but don’t touch,” but a flaw in the security gate lets anyone rearrange or remove the books!

If you can’t upgrade right away, turn off the tenant sharing feature

# config.yml example for OpenSearch Dashboards
multitenancy:
  tenants:
    enable_global: false
    enable_private: false

Restart OpenSearch Dashboards after changing your configuration.

OpenSearch 2.11.

These versions include the fix for strict enforcement of read-only tenant permissions.

Upgrade instructions:
- OpenSearch Docs: Upgrade Guide

Reference Links

- Official Advisory on GitHub
- NVD CVE-2023-45807 Entry
- OpenSearch 1.3.14 Release Notes
- OpenSearch 2.11. Release Notes

Summary Table

| Version Affected | Fixed In | Quick Fix | Real Fix |
|------------------|----------------|------------------|-------------------|
| <1.3.14, <2.11. | 1.3.14, 2.11. | Disable tenants | Upgrade software |

Final Thoughts

CVE-2023-45807 shows how subtle mistakes in permission checks can have real business impact. If you’re running OpenSearch Dashboards with tenants, update now or disable tenants to keep your workspaces safe and secure. While index data is safe thanks to correct backend checks, dashboard and visualization metadata can be as critical in daily operations!

Keep your eyes peeled for security advisories – even for metadata. As always, keep regular backups, and update often!

Timeline

Published on: 10/16/2023 22:15:12 UTC
Last modified on: 10/20/2023 18:29:38 UTC