Critical Risk on Elasticsearch 9200 / tcp / www Reported by Nessus

caixiac1 · May 22, 2017, 6:39am

I used Nessus to scan Elaticsearch server, it reports there is one Critical risk on Elasticsearch issue:

Severity Plugin Id Name
Critical (10.0) 10169 OpenLink Web Configurator GET Request Remote Overflow

For this OpenLink Web Configurator GET Request Remote Overflow, Nessus reports that:

Synopsis :The remote web server has an application that is affected by a bufferoverflow vulnerability.
Description :It is possible to crash the remote web server by sending overly longGET requests. An attacker may exploit this issue to crash the remoteweb server or execute arbitrary code on the remote system.

Are there any analysis and planned solutions for this issue in the forum?
.

Thanks!

dadoonet · May 23, 2017, 2:25am

Hey

Thanks for opening this. Could you send your question to security (at) elastic (dot) co so folks can check and answer you directly?

In this email can you describe which API endpoint is concerned?

Thanks a lot

warkolm · May 23, 2017, 3:04am

This appears to be related to this CVE http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0943.

But ES is not OpenLink, so I think this is a false positive.

caixiac1 · May 23, 2017, 6:54am

"OpenLink web config buffer overflow" is a type of issues when Nessus sends large GET requests to specific directory of web server and web server responded with non-NULL response. It's not necessarily related with OpenLink software. The following is source code of Nessus plugin 10169. Are there max-length message limitation for requests sent to Elasticsearch? Will it always process it? This is the issue why Nessus reports it.

https://searchcode.com/codesearch/raw/39217884/

This script was written by Renaud Deraison deraison@cvs.nessus.org

See the Nessus Scripts License for details

if(description)
{
script_id(10169);
script_version ("$Revision: 1.18 $");
script_cve_id("CVE-1999-0943");
name["english"] = "OpenLink web config buffer overflow";
name["francais"] = "D閜assement de buffer dans la config web de OpenLink";
script_name(english:name["english"], francais:name["francais"]);

desc["english"] = "It is possible to make the remote server execute
arbitrary code by sending one of these two URLs :

GET AAA[....]AAA
GET /cgi-bin/testcono?AAAAA[...]AAA HTTP/1.0

Solution : Upgrade.
Risk factor : High";

desc["francais"] = "Il est possible de faire executer du code arbitraire
au serveur en lui envoyant une des requ?tes :

GET AAAA[...]AAA
GET /cgi-bin/testcono?AAAAA[...]AAA HTTP/1.0

Solution : Mettez le ? jour.
Facteur de risque : Elev�";

script_description(english:desc["english"], francais:desc["francais"]);

summary["english"] = "OpenLink buffer overflow";
summary["francais"] = "D閜assement de buffer dans OpenLink";
script_summary(english:summary["english"], francais:summary["francais"]);

script_category(ACT_DESTRUCTIVE_ATTACK);

script_copyright(english:"This script is Copyright (C) 1999 Renaud Deraison",
francais:"Ce script est Copyright (C) 1999 Renaud Deraison");
family["english"] = "Gain root remotely";
family["francais"] = "Passer root ? distance";
script_family(english:family["english"], francais:family["francais"]);
script_dependencie("find_service.nes", "httpver.nasl");
script_require_ports(8000);
script_exclude_keys("Settings/disable_cgi_scanning");
exit(0);
}

The script code starts here

include("http_func.inc");

port = 8000;
if(get_port_state(port))
{
if(http_is_dead(port:port))exit(0);

data = http_get(item:crap(4096), port:port);
soc = http_open_socket(port);
if(soc)
{
send(socket:soc, data:data);
b = recv_line(socket:soc, length:1024);
http_close_socket(soc);
if(!b){
security_hole(port);
exit(0);
}
}
else exit(0);

foreach dir (cgi_dirs())
{
soc2 = http_open_socket(port);
if(soc2)
{
data = http_get(item:string(dir, "/testcono?", crap(2000)), port:port);
send(socket:soc, data:data);
c = recv_line(socket:soc, length:1024);
http_close_socket(soc);
if(!strlen(c)){
security_hole(port);
exit(0);
}
}
}
}

warkolm · May 23, 2017, 7:13am

What version of ES are you on?

caixiac1 · May 23, 2017, 7:16am

We are in 2.4.1 now, are there max length limitation/configuration on incoming requests in later releases?
We have plan to move to 5.2.1 in later releases.

warkolm · May 23, 2017, 7:19am

There is http.max_content_length https://www.elastic.co/guide/en/elasticsearch/reference/current/modules-http.html, which defaults to 100 megs.

Clinton_Gormley · May 23, 2017, 7:26am

There is also http.max_initial_line_length which defaults to 4kB.

This report is bogus. You can't use a test built for openlink to test anything about elasticsearch. Just try the actual requests the script is sending and you'll see that you get back an error message until you pass the max_initial_line_length, after which you get back an empty response as Elasticsearch closes the connection

caixiac1 · May 23, 2017, 7:36am

OK, thanks a lot for the input! It's quite helpful!
If http.max_content_length is exceeded, will the connections be closed too?

Clinton_Gormley · May 23, 2017, 8:55am

Yes it will

system · June 20, 2017, 8:55am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.