There are indications that the glitch is being exploited in the wild

Mar 10, 2015 10:40 GMT

Proof-of-concept (PoC) code for a recently discovered security glitch in Elasticsearch is now publicly available, allowing an attacker to execute arbitrary shell commands on machines that have not mitigated the issue.

The exploit targets an issue identified as CVE-2015-1427, which affects the Groovy scripting engine available in Elasticsearch versions earlier than 1.3.8 and 1.4.3.

It permits Groovy code embedded in a search query to be executed inside the scripting sandbox, with the results returned to the requester. Server-side code execution can lead to a dangerous outcome, especially since Elasticsearch provides no authentication mechanism of its own.

Exploit code is rough around the edges

The issue was resolved in Elasticsearch 1.4.3 and 1.3.8, released on February 11, 2015, but administrators sometimes delay applying updates for various reasons. At the moment, versions 1.4.4 and 1.3.9 are available for download.
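A defender-side version triage against the affected and fixed releases named above, added here as an example and not code from the article or from Elasticsearch. It assumes the node's root endpoint (GET /) reports its version under version.number, as Elasticsearch 1.x does, and the sample banner is constructed:

```python
import json
import re

# Fix versions named in the article for CVE-2015-1427: 1.3.8 and 1.4.3.
FIXED_PATCH = {(1, 3): 8, (1, 4): 3}

def parse_version(version):
    """Turn '1.4.2' or '1.4.2-SNAPSHOT' into a (major, minor, patch) tuple."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised Elasticsearch version: {version!r}")
    return tuple(int(part) for part in m.groups())

def is_vulnerable(version):
    """True if the release predates the fix, False if it carries it.

    Branches 1.3.x and 1.4.x are compared against their fixed patch level;
    anything newer than 1.4 shipped after the fix. Branches older than 1.3
    are not covered by the article, so None is returned for them rather
    than guessing; consult the vendor advisory for those.
    """
    major, minor, patch = parse_version(version)
    branch = (major, minor)
    if branch in FIXED_PATCH:
        return patch < FIXED_PATCH[branch]
    if branch > (1, 4):
        return False
    return None

def assess_banner(banner_json):
    """Classify a node from the JSON its root endpoint (GET /) returns."""
    info = json.loads(banner_json)
    version = info["version"]["number"]
    return {
        "node": info.get("name", "unknown"),
        "version": version,
        "vulnerable": is_vulnerable(version),
    }

# Constructed sample banner in the shape of an Elasticsearch 1.x root
# response (assumed layout); not captured from a real server.
SAMPLE_BANNER = json.dumps({
    "status": 200,
    "name": "inventory-node-1",
    "version": {"number": "1.4.2", "build_snapshot": False},
    "tagline": "You Know, for Search",
})

if __name__ == "__main__":
    # Expected: {'node': 'inventory-node-1', 'version': '1.4.2', 'vulnerable': True}
    print(assess_banner(SAMPLE_BANNER))
```

Run it against each node's root response in an inventory to find installs still below the fixed releases; a None result flags a branch the article does not speak to.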

Security consultancy and software development company Xiphos Research created an exploit for the glitch that makes available a semi-interactive shell suitable for executing commands and dropping connect-back payloads.

The only prerequisite for the PoC is to run a script with the IP address of the vulnerable Elasticsearch server as the argument.

As per best practices, access to Elasticsearch should be granted only to local users, but there are many cases where the server can be reached over the Internet.

Attackers leverage the vulnerability in the wild

In a blog post published on Sunday, security researcher Jordan Wright says that the vulnerability is currently “heavily exploited in the wild,” and that one of the Elasticsearch instances he manages was compromised this way.

Among the risks posed by compromising an Elasticsearch server is using it in distributed denial-of-service attacks.

Even after the update is applied, the previous installation may already have been compromised; administrators are therefore advised to check the working folders for any unusual entries.

Given that an exploit is now publicly available, updating to the latest revision of the product is an action of utmost importance.

Elasticsearch offers full-text search capabilities and is the second most widely used solution of its kind in enterprises. The product is open-source.