
Description

This report identifies hosts that have Elasticsearch running and reachable from the Internet. Out of the box, Elasticsearch does not support authentication or restrict access to the datastore, so any party that can reach the instance may have complete control over it. The probe we use is a “GET / HTTP/1.1” request sent to port 9200/tcp.

Assessment

The entries in this report are hosts that have an Elasticsearch service exposed to the internet. There are multiple ways to abuse such a service. Natively it does not support authentication, so any unauthenticated attacker can abuse it. Additionally, there are known vulnerabilities for the service. Connecting to the service over HTTP (TCP/9200) will give anyone the Elasticsearch version, which makes it easy to identify the vulnerabilities that apply to it. The likelihood is high because the service runs on a well-known port and Elasticsearch natively provides useful information to any unauthenticated attacker. The impact is set to high because exploiting an unpatched Elasticsearch service could result in Remote Code Execution. The overall risk is set to high.

Recommendations

  • Restrict access to the database server to internal networks.
  • If remote access is necessary, use a VPN or at least enable authentication[2] and make sure strong passwords are used.
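To confirm that the recommendations above have taken effect on a host you administer, the following added example (not part of this advisory) sends the same “GET /” probe described in the Description and classifies the answer: an anonymous JSON banner with a version number means the service is still exposed, while a 401 means authentication is now enforced. The sample responses embedded in it are constructed, not captured from any real host.

```python
"""Classify a host's answer to the probe described in the report (GET / on 9200/tcp).

Added example, not from the CCB advisory. The banner samples below are constructed.
"""
import json
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Optional


@dataclass
class Finding:
    status: str               # "exposed", "auth_required" or "not_elasticsearch"
    version: Optional[str]    # version string served anonymously, if any


def classify(http_status: int, body: bytes) -> Finding:
    """Interpret a GET / response the way a defender reading this report would."""
    if http_status == 401:
        # Authentication is enabled: the banner is no longer served anonymously.
        return Finding("auth_required", None)
    if http_status == 200:
        try:
            doc = json.loads(body)
        except ValueError:
            return Finding("not_elasticsearch", None)
        # An Elasticsearch root document carries "tagline" and a "version" object;
        # version.number is what makes looking up applicable CVEs trivial.
        if isinstance(doc, dict) and "tagline" in doc and isinstance(doc.get("version"), dict):
            return Finding("exposed", doc["version"].get("number"))
    return Finding("not_elasticsearch", None)


def probe(host: str, port: int = 9200, timeout: float = 5.0) -> Finding:
    """Send the report's probe to one of your own hosts and classify the answer."""
    url = f"http://{host}:{port}/"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return classify(resp.status, resp.read())
    except urllib.error.HTTPError as err:   # 401/403 are raised, not returned
        return classify(err.code, err.read())


# Constructed sample responses (not captured from any real host).
OPEN_BANNER = b'{"name":"node-1","cluster_name":"es","version":{"number":"7.10.2"},"tagline":"You Know, for Search"}'
AUTH_BANNER = b'{"error":{"type":"security_exception","reason":"missing authentication credentials"},"status":401}'

if __name__ == "__main__":
    for label, status, body in (("open", 200, OPEN_BANNER), ("secured", 401, AUTH_BANNER)):
        print(label, classify(status, body))
```

Calling `probe("<your-host>")` after the change should return `auth_required` (or time out if the port is no longer reachable), not `exposed`.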

References

[1] Shadowserver – Elasticsearch Scanning Project

[2] CVE details – Elasticsearch