Advisory ID: SYSS-2018-025 Product: Search Guard Manufacturer: floragunn GmbH Affected Version(s): 6.2.3 Tested Version(s): 6.2.3 Vulnerability Type: Insufficiently Protected Credentials (CWE-522) Risk Level: Low Solution Status: Open Manufacturer Notification: 2018-08-24 Solution Date: Public Disclosure: CVE Reference: Not yet assigned Author of Advisory: Torsten Lutz, SySS GmbH ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Overview: Search Guard is an extension for Elasticsearch. The manufacturer describes the product as follows (see [1]): "Search Guard(®) is an Elasticsearch plugin that offers encryption, authentication, and authorization. It supports authentication via Active Directory, LDAP, Kerberos, JSON web tokens and many more, and includes fine grained role-based access control to clusters, indices, documents and fields. Enjoy true multi tenancy in Kibana, and stay compliant with GDPR, HIPAA, PCI, SOX and ISO by using audit logging." Due to missing property filtering, an administrative user is able to retrieve password hashes via the user overview. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Vulnerability Details: If an *administrative* user views the "Internal User Database", an API request is triggered. Even though only the username is visible in the front-end, the response also contains the bcrypt hashes of the users' passwords. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Proof of Concept (PoC): Request: GET /api/v1/configuration/internalusers [...snip...] Response: [...snip...] {"total":2,"data":{"user1":{"hash":"$2y$12$YJ5VMg93JTvLFEkI1/IgJeVs7V7ICfV6WjSZYef1iPoZD4ybIhrzi","roles": [...snip...] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclosure Timeline: 2018-08-22: Vulnerability discovered 2018-08-24: Vulnerability reported to manufacturer 2018-08-24: Vulnerability confirmed by manufacturer 2018-09-25: Fix released ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ References: [1] Product website for Search Guard https://github.com/floragunncom/search-guard https://search-guard.com [2] SySS Security Advisory SYSS-2018-025 https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2018-025.txt [3] SySS Responsible Disclosure Policy https://www.syss.de/en/news/responsible-disclosure-policy/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Credits: This security vulnerability was found by Torsten Lutz and Oliver Streicher of SySS GmbH. E-Mail: torsten.lutz (at) syss.de Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Torsten_Lutz.asc Key Fingerprint: DAB2 86A6 C099 1350 9FCB FB9B 94E8 DC24 BAEC ACC8 E-Mail: oliver.streicher (at) syss.de Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Oliver_Streicher.asc Key Fingerprint: 1973 E30F 7966 F45E CCAB 1BF1 3F08 A35E DCB8 35D6 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclaimer: The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on the SySS Web site. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Copyright: Creative Commons - Attribution (by) - Version 3.0 URL: http://creativecommons.org/licenses/by/3.0/deed.en