Easily Exploited Elastic Stack API Security Flaw Exposes Data
Elastic Stack is common and widely used—that makes an API vulnerability particularly dangerous to nearly every organization that employs the group of open source products.
“Our latest API security research underscores how prevalent and potentially dangerous API vulnerabilities are. Elastic Stack is widely used and secure, but Salt Labs observed the same architectural design mistakes in almost every environment that uses it,” explained Roey Eliyahu, co-founder and CEO at Salt Security.
The vulnerability, Eliyahu said, “can lead to the exposure of sensitive data that can be used to perpetuate serious fraud and abuse, creating substantial business risk.”
API attacks are exploding, ticking up 348% over the last six months, the Salt Security State of API Security Report, Q3 2021 found. The flaws, coupled with a rise of business-critical APIs, can create ample opportunity for miscreants as organizations integrate third-party apps and services.
“Understanding the risks posed by APIs in your infrastructure is key in the journey to minimizing your risk surface by implementing zero-trust across your infrastructure,” said Hank Schless, senior manager, security solutions, Lookout. “While there’s no silver bullet to solving the challenges of zero-trust—which is a constantly evolving battle—this type of visibility is a small but very important part of that journey that organizations need to be sure they’re solving for.”
Elastic Stack: Notorious for Data Risk
It is not the first time the popular stack has been called out for putting data at risk. “The Elastic Stack is notorious for excessive data exposure. A few years ago—and by default—data was exposed publicly. Since then, as mentioned by Salt Security, the defaults have changed,” said Jon Gaines, senior application security consultant at nVisium. “Keep in mind, this doesn’t mean that older versions aren’t grandfathered in or that minor configuration changes can’t lead to both of these newly unearthed vulnerabilities.”
Salt’s researchers looked at a large business-to-consumer (B2C) online platform that offers API-based mobile apps and software as-a-service to millions of users worldwide.
Salt Labs’ deep dive into Elastic injection attacks in its API Threat Research: Elastic Injection report demonstrated how much more dangerous the design implementation vulnerabilities can be when multiple exploits are strung together. Researchers found a lack of authorization between frontend and backend services.
“Simply speaking, the technology stack of the application, interfacing systems and APIs were implemented in such a way that the system did not verify who is submitting queries against it and whether they were authorized to receive the requested data,” the report said. “The back-end services simply processed queries submitted to it via front-end consumers or API clients, such as a user running a mobile application or web application in a browser. Once attackers have obtained a working user account with basic permission levels, they can begin to make educated guesses about the schema of back-end data stores and query for data they aren’t authorized to receive.”
Providing Cover for DoS Attacks
Because resource limitations are lacking, an organization’s backend services could be vulnerable to a denial of service (DoS) attack that could take a service out or provide cover for malicious activities.
Researchers were able to access a trove of sensitive data that included account numbers and transaction confirmation numbers. Not only could organizations run afoul of GDPR, but the exposed data also opens a world of possibilities for attackers from booking new services to identity theft.
“Unfortunately, the technical barrier of these vulnerabilities is extremely low,” said Gaines. “As a result, the risk of a bad guy discovering and exploiting these vulnerabilities is high.” Just how severe the flaws are, he said, “depends on what the organizations themselves have exposed or allowed in terms of permissions.”
While not a vulnerability within Elastic Stack itself, Salt Security technical evangelist Michael Isbitski said that the design implementation flaws that researchers observed “introduce just as much risk.”
The research shows “how critical it is to architect application environments correctly,” he said. “Every organization should evaluate the API integrations between its systems and applications since they directly impact the company’s security posture.”
Yaniv Bar-Dayan, CEO and co-founder at Vulcan Cyber urged other Elastic Stack users to “check their own implementations for this misconfiguration and not repeat the same mistake.”
Exposed customer data and denial of service attacks can “do significant material damage to hacked targets,” he said. “Exploit of this vulnerability is avoidable, but it must be remediated quickly.”