Critical Risk on Elasticsearch 9200 / tcp / www Reported by Nessus


(Caixia Chi) #1

I used Nessus to scan an Elasticsearch server, and it reports one Critical risk issue on Elasticsearch:

Severity Plugin Id Name
Critical (10.0) 10169 OpenLink Web Configurator GET Request Remote Overflow

For this OpenLink Web Configurator GET Request Remote Overflow, Nessus reports that:

Synopsis : The remote web server has an application that is affected by a buffer overflow vulnerability.
Description : It is possible to crash the remote web server by sending overly long GET requests. An attacker may exploit this issue to crash the remote web server or execute arbitrary code on the remote system.

Are there any analyses or planned solutions for this issue in the forum?

Thanks!


(David Pilato) #2

Hey

Thanks for opening this. Could you send your question to security (at) elastic (dot) co so folks can check and answer you directly?

In this email can you describe which API endpoint is concerned?

Thanks a lot


(Mark Walkom) #3

This appears to be related to this CVE http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0943.

But ES is not OpenLink, so I think this is a false positive.


(Caixia Chi) #4

"OpenLink web config buffer overflow" is a type of issue reported when Nessus sends large GET requests to a specific directory of a web server and the web server responds with an empty (NULL) response. It's not necessarily related to OpenLink software. The following is the source code of Nessus plugin 10169. Are there maximum-length limitations for requests sent to Elasticsearch? Will it always process them? This is the reason Nessus reports it.

https://searchcode.com/codesearch/raw/39217884/

# This script was written by Renaud Deraison <deraison@cvs.nessus.org>
#
# See the Nessus Scripts License for details
#

if(description)
{
  script_id(10169);
  script_version("$Revision: 1.18 $");
  script_cve_id("CVE-1999-0943");
  name["english"] = "OpenLink web config buffer overflow";
  name["francais"] = "Dépassement de buffer dans la config web de OpenLink";
  script_name(english:name["english"], francais:name["francais"]);

  desc["english"] = "It is possible to make the remote server execute
arbitrary code by sending one of these two URLs :

GET AAA[....]AAA
GET /cgi-bin/testcono?AAAAA[...]AAA HTTP/1.0

Solution : Upgrade.
Risk factor : High";

  desc["francais"] = "Il est possible de faire executer du code arbitraire
au serveur en lui envoyant une des requêtes :

GET AAAA[...]AAA
GET /cgi-bin/testcono?AAAAA[...]AAA HTTP/1.0

Solution : Mettez le à jour.
Facteur de risque : Elevé";

  script_description(english:desc["english"], francais:desc["francais"]);

  summary["english"] = "OpenLink buffer overflow";
  summary["francais"] = "Dépassement de buffer dans OpenLink";
  script_summary(english:summary["english"], francais:summary["francais"]);

  script_category(ACT_DESTRUCTIVE_ATTACK);

  script_copyright(english:"This script is Copyright (C) 1999 Renaud Deraison",
                   francais:"Ce script est Copyright (C) 1999 Renaud Deraison");
  family["english"] = "Gain root remotely";
  family["francais"] = "Passer root à distance";
  script_family(english:family["english"], francais:family["francais"]);
  script_dependencie("find_service.nes", "httpver.nasl");
  script_require_ports(8000);
  script_exclude_keys("Settings/disable_cgi_scanning");
  exit(0);
}

#
# The script code starts here
#

include("http_func.inc");

port = 8000;
if(get_port_state(port))
{
  if(http_is_dead(port:port))exit(0);

  # First check: a GET whose request line is 4096 bytes of padding.
  # An empty reply is treated as a crash; a server that simply closes the
  # connection on an over-long request line therefore triggers a report.
  data = http_get(item:crap(4096), port:port);
  soc = http_open_socket(port);
  if(soc)
  {
    send(socket:soc, data:data);
    b = recv_line(socket:soc, length:1024);
    http_close_socket(soc);
    if(!b){
      security_hole(port);
      exit(0);
    }
  }
  else exit(0);

  # Second check: the same padding as a query string under each CGI directory.
  foreach dir (cgi_dirs())
  {
    soc2 = http_open_socket(port);
    if(soc2)
    {
      data = http_get(item:string(dir, "/testcono?", crap(2000)), port:port);
      send(socket:soc2, data:data);       # was soc, which is already closed above
      c = recv_line(socket:soc2, length:1024);
      http_close_socket(soc2);
      if(!strlen(c)){
        security_hole(port);
        exit(0);
      }
    }
  }
}


(Mark Walkom) #5

What version of ES are you on?


(Caixia Chi) #6

We are on 2.4.1 now; are there maximum length limitations/configurations on incoming requests in later releases?
We plan to move to 5.2.1 in a later release.


(Mark Walkom) #7

There is http.max_content_length https://www.elastic.co/guide/en/elasticsearch/reference/current/modules-http.html, which defaults to 100 megs.


(Clinton Gormley) #8

There is also http.max_initial_line_length which defaults to 4kB.

This report is bogus. You can't use a test built for OpenLink to test anything about Elasticsearch. Just try the actual requests the script is sending and you'll see that you get back an error message until you pass the max_initial_line_length, after which you get back an empty response as Elasticsearch closes the connection.
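
To triage the finding the way the two replies above describe, here is an added Python check (not from this thread, Elastic, or the Nessus plugin) that sends one over-long GET, classifies the reply, and then confirms the port still answers a normal request, which is the step the plugin lacks. It assumes the server listens on localhost:9200; the limits are the defaults quoted above.

```python
import socket

# Limits named in the thread (Elasticsearch defaults): request-line cap and body cap.
MAX_INITIAL_LINE_LENGTH = 4096          # http.max_initial_line_length, 4kB
MAX_CONTENT_LENGTH = 100 * 1024 * 1024  # http.max_content_length, 100 MB

def build_request(path_len, host="localhost"):
    """Build the same shape of request the plugin sends: a GET whose URI is path_len 'A's."""
    return ("GET /" + "A" * path_len + " HTTP/1.0\r\nHost: " + host + "\r\n\r\n").encode()

def classify_reply(first_line):
    """Interpret the first line the server sent back.

    The plugin treats an empty reply as a crash. Elasticsearch answers over-long URIs
    with an HTTP error up to the line-length limit and beyond it closes the connection
    without a status line: a policy rejection, not a crash.
    """
    if not first_line:
        return "closed"
    parts = first_line.split()
    if len(parts) >= 2 and parts[0].startswith(b"HTTP/1.") and parts[1].isdigit():
        return "error" if int(parts[1]) >= 400 else "ok"
    return "unknown"

def _first_line(host, port, request, timeout):
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(request)
        return s.makefile("rb").readline().rstrip(b"\r\n")

def probe(host, port, path_len, timeout=5.0):
    """Send one over-long GET, classify the reply, then check the port is still serving."""
    verdict = classify_reply(_first_line(host, port, build_request(path_len, host), timeout))
    # A real overflow would leave the port dead; a policy close leaves it serving normally.
    alive = classify_reply(_first_line(host, port, build_request(0, host), timeout)) != "closed"
    return verdict, alive

if __name__ == "__main__":
    for n in (100, 2000, MAX_INITIAL_LINE_LENGTH + 100):
        print(n, probe("localhost", 9200, n))
```

A result of ("closed", True) for the oversized line is the behaviour described above, not a crash; ("closed", False) would mean the service actually stopped answering and deserves a real look.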


(Caixia Chi) #9

OK, thanks a lot for the input! It's quite helpful!
If http.max_content_length is exceeded, will the connections be closed too?


(Clinton Gormley) #10

Yes it will


(system) #11

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.