Description
A critical vulnerability has been identified in the Groovy scripting engine of Elasticsearch versions before 1.3.8 and 1.4.x before 1.4.3. This vulnerability allows remote attackers to bypass the sandbox protection mechanism and execute arbitrary shell commands through a crafted script.
Affected Product(s)
Elasticsearch versions before 1.3.8 and 1.4.x before 1.4.3. Also, some RedHat products using these Elasticsearch versions are affected.
Technical Details
Elasticsearch, an open-source search and analytics engine capable of data exploration, is central to data retrieval in many organizations. However, in versions 1.3.0 to 1.3.7 and 1.4.0 to 1.4.2, a critical vulnerability in its Groovy scripting engine could be exploited by remote attackers.
By crafting a malicious Groovy script, an attacker can escape the restrictions of the sandbox environment and execute shell commands. The root of the issue lies in how Elasticsearch implemented scripting to extend its querying and computation features. Scripts were written in Groovy, a JVM-based scripting language, and could be submitted directly to a node; they were meant to run inside a "sandbox" so that execution could not have system-wide effects. The sandbox, however, was not adequately secured: Java's reflection mechanism offered a path around its restrictions, allowing attackers to bypass them.
The affected products include Elasticsearch versions 1.4.0 to 1.4.2 and possibly earlier versions, as reflected in the package identifiers (PURLs) listed for the issue, which cover Maven versions from 0.4.0 up to 1.4.2. Red Hat JBoss A-MQ 6.3 and Red Hat JBoss Fuse 6.3 are also affected, because they rely on these Elasticsearch versions for data processing.
Attackers have been observed using compromised Elasticsearch cluster nodes to deploy ransomware or to enlist the node in a larger botnet for spam relay. They bypass the sandbox with Groovy scripts that invoke classes such as java.lang.Math to reach functionality outside the intended namespace or restriction zone. No authentication is required, because the REST API accepts Groovy code directly, so a default installation without mitigations is fully exposed. This unfettered access allows a threat actor to execute arbitrary Java code, potentially obtaining a remote shell or manipulating files on the affected system.
Further exploitation paths involve flaws in Elasticsearch's REST API, where a threat actor could execute unsandboxed Groovy code through the search features. These amount to executing arbitrary commands from Java, either by manipulating the whitelist mechanism or by using Java's standard runtime facilities. Such access could be used to obtain sensitive data, deploy payloads, or run further harmful commands remotely.
Remediation focuses on upgrading: move to version 1.3.8, 1.4.3, or later and apply the updates described in the vulnerability advisories without delay. Where an upgrade is not feasible, the workaround is to set script.groovy.sandbox.enabled to false in elasticsearch.yml and restart the node; this disables Groovy scripting altogether and removes the attack vector.
Weakness
The weakness associated with this vulnerability is improper access control, categorized under CWE-284. Inadequate invocation controls on Groovy scripts run within Elasticsearch allow the sandbox escape.
Impact Assessment
If exploited, this vulnerability could allow an attacker to bypass all existing security measures to execute arbitrary shell commands, leading to unauthorized access, data leakage, or a completely compromised system capable of executing further malicious activities across connected networks or nodes.
Active Exploitation
Threat actors have been observed exploiting CVE-2015-1427 to execute remote code. The Metasploit Framework's modules have been the main tooling used in these attacks, confirming that Elasticsearch installations of the stated versions are exposed to unauthorized access.
Ransomware Association
The vulnerability has been linked to attacks involving ransomware such as "Lucky" and "Satan". These ransomware variants use the vulnerability to gain initial access and a foothold on the affected networks, then deliver further payloads.
Mitigation and Resolution
We have released patches that address this vulnerability. Users are urged to update Elasticsearch to version 1.3.8 or 1.4.3 or later, as these versions include fixes for the vulnerability in question. Disabling Groovy scripting by modifying the elasticsearch.yml file is a viable interim measure while a full upgrade is prepared.
Recommendations
- We strongly recommend that all Elasticsearch users update to version 1.3.8 or 1.4.3 immediately.
- For those unable to update promptly, disable Groovy scripting by setting script.groovy.sandbox.enabled to false in the elasticsearch.yml configuration file and restart your nodes.
- Regularly review and monitor system logs to detect any anomalous script executions or unauthorized access attempts.
- Implement network-level segmentation to limit access to Elasticsearch nodes only to trusted users or internal networks.
- Employ intrusion detection systems to identify potential misuse of exposed APIs by unauthorized entities.
- Apply strict access control measures and limit script executions to only trusted sources.
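The following audit helper is an added example, not code from Elastic or from this advisory. It checks the two things the remediation text and the recommendations above ask for: whether a node's reported version falls in the affected ranges (before 1.3.8, or 1.4.x before 1.4.3), using the version.number field that GET / on an Elasticsearch node returns, and whether an elasticsearch.yml contains the documented workaround, script.groovy.sandbox.enabled: false. The JSON response and YAML fragment below are constructed sample inputs; only the flat dotted-key form of the setting is recognized.

```python
import json

def parse_version(number):
    # "1.4.2" -> (1, 4, 2); a suffix such as "1.4.0.Beta1" is ignored
    parts = number.split(".")
    return tuple(int(p) for p in parts[:3])

def is_affected(number):
    # Affected ranges stated in the advisory: before 1.3.8, and 1.4.x before 1.4.3
    major, minor, patch = parse_version(number)
    if major > 1:
        return False
    if major < 1 or minor < 3:
        return True          # everything before the 1.3 line is "before 1.3.8"
    if minor == 3:
        return patch < 8     # 1.3.0 .. 1.3.7
    if minor == 4:
        return patch < 3     # 1.4.0 .. 1.4.2
    return False             # 1.5 and later are outside the stated ranges

def affected_from_root_response(body):
    # GET / on a node returns JSON whose version.number is the node's version
    info = json.loads(body)
    return is_affected(info["version"]["number"])

def workaround_applied(yml_text):
    # True only if an uncommented "script.groovy.sandbox.enabled: false" is present
    for raw in yml_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        key, _, value = line.partition(":")
        if key.strip() == "script.groovy.sandbox.enabled":
            return value.strip().lower() == "false"
    return False   # absent means the default (sandbox enabled, scripting allowed)

# Constructed sample inputs for an offline run
SAMPLE_ROOT = json.dumps({"status": 200, "name": "node-1",
                          "version": {"number": "1.4.2", "lucene_version": "4.10.2"},
                          "tagline": "You Know, for Search"})
SAMPLE_YML = "cluster.name: demo\nscript.groovy.sandbox.enabled: false\n"

def audit(root_body, yml_text):
    # Summarise exposure: vulnerable version that still lacks the workaround
    affected = affected_from_root_response(root_body)
    mitigated = workaround_applied(yml_text)
    return {"affected_version": affected, "workaround": mitigated,
            "exposed": affected and not mitigated}

if __name__ == "__main__":
    print(audit(SAMPLE_ROOT, SAMPLE_YML))
```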