Elastic Stack vulnerability can lead to data theft and denial-of-service attacks

Researchers from Salt Security Inc. today detailed a new application programming interface vulnerability that can lead to attacks on Elastic Stack.

The vulnerability stems from a faulty implementation of Elastic Stack, a group of open-source products that use APIs for critical data aggregation, search and analytics capabilities. The researchers found that nearly every organization using Elastic Stack is affected by the vulnerability, which allows bad actors to exfiltrate data and launch denial-of-service attacks.

Salt Labs first identified the exploitable flaws in a large online business-to-consumer platform that provides API-based mobile applications and software as a service to millions of global users. Exploits that use this design weakness can be used to create a cascade of API threats that correspond to common API security problems described in the OWASP API Security Top 10.

The API threats include excessive data exposure, lack of resources and rate limits, security misconfiguration and susceptibility to injection attacks from a lack of input filtering.

The researchers showed how the impact of the Elastic Stack design implementation flaws worsens significantly when an attacker chains together multiple exploits. To exfiltrate sensitive user and system data, attackers can abuse the lack of authorization between front-end and back-end services to obtain a working user account with basic permission levels. With this account access, the attackers can then make educated guesses about the schema of back-end data stores and query for data they aren’t authorized to access.

In addition, the researchers showed how a lack of resource limitations can leave an organizations’ integrated back-end services vulnerable to a DoS attack. That could render a service entirely unavailable or divert attention away from the malicious activity against other applications.

“While not a vulnerability with Elastic Stack itself, the design implementation flaws that Salt Labs observed introduce just as much risk,” Michael Isbitski, technical evangelist at Salt Security, said in a statement. “The specific queries submitted to the Elastic back-end services used to exploit this vulnerability are difficult to test for.”

Jon Gaines, senior application security consultant at application security provider nVisium LLC, told SiliconANGLE that the Elastic Stack is notorious for excessive data exposure.

“Unfortunately, the technical barrier of these vulnerabilities is extremely low,” Gaines explained. “As a result, the risk of a bad guy discovering and exploiting these vulnerabilities is high. As to the severity, that depends on what the organizations themselves have exposed or allowed in terms of permissions.”

Yaniv Bar-Dayan, co-founder and chief executive of enterprise cyber risk remediation company Vulcan Cyber Ltd., noted that users of Elastic Stack should check their own implementations for this misconfiguration and not repeat the same mistake.

“We’ve all seen exposed customer data and denial-of-service attacks do significant material damage to hacked targets,” Bar-Dayan said. “Exploitation of this vulnerability is avoidable but must be remediated quickly.”

Image: Elastic