Risks of Fleet and endpoint agents

If the Elastic/Fleet server is compromised, can the compromise be leveraged to gain access to the systems running endpoint agents?

For example, can you push a malicious update to endpoint agents?

This software is a critical component. If an attacker gains access, he could find out valuable information about your system. Even if he were not able to deploy malware, make sure you do everything to secure the environment:

  • use specific and separated admin accounts
  • try to isolate the network
  • use MFA wherever possible
  • strictly monitor access to the system itself (elasticsearch servers)

The aim should be to prevent access.

And to answer the question: I can find about 90 CVEs in the context of "elasticsearch". Some of them are like "which could allow unprivileged users to elevate their privileges".

So especially monitoring systems are a big risk.

The risk of information disclosure has been taken into account (it's self explanatory) but not the compromise of systems via the agent.

I need to assess the likelihood of the agent being used to run commands on the remote machines. If it's a built-in feature then the risk is very high; if steps have been taken to prevent it then it's much lower.

The agent has an update feature, can that be abused to send a malicious update to compromise the machines?

Are there any other features like sending commands to the agents that could be used to compromise the machines?

The Elastic Defend integration has a capability called Response Actions: get file, put file, execute file...
These actions are always sent signed. To forge them, the attacker would need to gain deeper access to the stack than just the Fleet server.

2 Likes
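The reply above rests on one property: an action is only honoured if its signature verifies against a key the endpoint already trusts, and the Fleet server never holds the signing key. The following Go program, added here as an illustration and not Elastic's own code or wire format, models that property with a hypothetical `Action` envelope signed with Ed25519. It walks through four deliveries an endpoint might receive: a genuine action, a payload modified after signing, an action signed with a key the endpoint does not trust, and a genuine action addressed to a different agent. The agent id, key pair and action contents are constructed sample data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// Action is a simplified response-action envelope. Hypothetical shape for
// illustration only, not Elastic's wire format.
type Action struct {
	ID      string `json:"id"`
	AgentID string `json:"agent_id"`
	Command string `json:"command"` // e.g. "get-file", "put-file", "execute"
	Args    string `json:"args"`
}

// SignedAction is what passes through the relay: opaque payload bytes plus a
// detached signature over exactly those bytes.
type SignedAction struct {
	Payload   []byte
	Signature []byte
}

// SignAction runs on the control plane, the only place the private key lives.
func SignAction(priv ed25519.PrivateKey, a Action) (SignedAction, error) {
	payload, err := json.Marshal(a)
	if err != nil {
		return SignedAction{}, err
	}
	return SignedAction{Payload: payload, Signature: ed25519.Sign(priv, payload)}, nil
}

// VerifyAction runs on the endpoint. It checks the signature against a pinned
// public key before parsing anything, then checks the action is addressed to
// this agent, so a relay that only forwards bytes can neither inject nor
// redirect commands.
func VerifyAction(pub ed25519.PublicKey, localAgentID string, sa SignedAction) (Action, bool) {
	if !ed25519.Verify(pub, sa.Payload, sa.Signature) {
		return Action{}, false
	}
	var a Action
	if err := json.Unmarshal(sa.Payload, &a); err != nil {
		return Action{}, false
	}
	if a.AgentID != localAgentID {
		return Action{}, false
	}
	return a, true
}

// ScenarioResult records which of the four deliveries the endpoint accepted.
type ScenarioResult struct {
	GenuineAccepted    bool // signed by the control plane, unmodified
	ModifiedAccepted   bool // payload rewritten in transit, old signature kept
	UntrustedAccepted  bool // signed with a key the endpoint does not pin
	MisroutedAccepted  bool // valid signature, but addressed to another agent
}

// Scenario builds a constructed control-plane key pair and sample actions and
// runs each delivery case through VerifyAction.
func Scenario() (ScenarioResult, error) {
	var res ScenarioResult
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // control-plane key pair
	if err != nil {
		return res, err
	}
	const localAgent = "agent-0001" // constructed agent id
	genuine, err := SignAction(priv, Action{ID: "act-1", AgentID: localAgent, Command: "get-file", Args: "/var/log/syslog"})
	if err != nil {
		return res, err
	}
	_, res.GenuineAccepted = VerifyAction(pub, localAgent, genuine)

	// Case 2: bytes changed after signing; the signature still covers the old bytes.
	modified := genuine
	modified.Payload = []byte(`{"id":"act-1","agent_id":"agent-0001","command":"execute","args":"x"}`)
	_, res.ModifiedAccepted = VerifyAction(pub, localAgent, modified)

	// Case 3: a party without the control-plane key signs with its own key.
	_, otherPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return res, err
	}
	untrusted, err := SignAction(otherPriv, Action{ID: "act-2", AgentID: localAgent, Command: "execute", Args: "x"})
	if err != nil {
		return res, err
	}
	_, res.UntrustedAccepted = VerifyAction(pub, localAgent, untrusted)

	// Case 4: a genuinely signed action for a different agent, delivered here.
	other, err := SignAction(priv, Action{ID: "act-3", AgentID: "agent-0002", Command: "get-file", Args: "/etc/hosts"})
	if err != nil {
		return res, err
	}
	_, res.MisroutedAccepted = VerifyAction(pub, localAgent, other)
	return res, nil
}

func main() {
	res, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", res)
}
```

Only the first case is accepted. The agent-id check is an assumption added for the illustration; it shows why verifying the signature alone is not enough, since a correctly signed action meant for one host should still be rejected by another. Whether and how the real product binds actions to a target, rotates keys, or protects against replay is not stated in this thread, so treat the code as a model of the claimed property rather than a description of the implementation.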

A more likely attack vector (IMHO) is a compromised account with access to the response console (Kibana).

You don't need to compromise the fleet server if you are able to use the features as they are intended.
