FreeBSD : elasticsearch and logstash -- remote OS command execution via dynamic scripting (43ac9d42-1b9a-11e5-b43d-002590263bf5)

medium Nessus Plugin ID 84411

Synopsis

The remote FreeBSD host is missing one or more security-related updates.

Description

Elastic reports:

Vulnerability Summary: In Elasticsearch versions 1.1.x and prior, dynamic scripting is enabled by default. This could allow an attacker to execute OS commands.

Remediation Summary: Disable dynamic scripting.

Logstash 1.4.2 was bundled with Elasticsearch 1.1.1, which is vulnerable to CVE-2014-3120. These binaries are used in Elasticsearch output specifically when using the node protocol. Since a node client joins the Elasticsearch cluster, the attackers could use scripts to execute commands on the host OS using the node client's URL endpoint.

With the 1.4.3 release, we are packaging Logstash with Elasticsearch 1.5.2 binaries, which by default disable the ability to run scripts. This also affects users who are using the configuration option embedded=>true in the Elasticsearch output, which starts a local embedded Elasticsearch cluster. This is typically used in development environments and proof of concept deployments. Regardless of this vulnerability, we strongly recommend not using embedded in production.

Note that users of the transport and http protocols are not vulnerable to this attack.
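A configuration audit for the exposure conditions quoted above, added here as an example (it is not Elastic's or the plugin's code). It flags `elasticsearch` blocks in a Logstash config that set `embedded => true` or the node protocol; the sample config, host names and the function names `es_blocks`, `setting` and `audit` are constructed for illustration, and a block with no explicit protocol is marked for review rather than judged.

```python
import re

# Constructed sample Logstash config (not from the advisory).
SAMPLE = '''
output {
  elasticsearch { host => "es1.example.internal" protocol => "http" }
  elasticsearch {
    embedded => true   # left over from a proof of concept
    index => "logstash-%{+YYYY.MM.dd}"
  }
  elasticsearch { host => "es2.example.internal" protocol => "node" }
}
'''

# The advisory states that transport and http users are not vulnerable.
SAFE_PROTOCOLS = {"transport", "http"}

def es_blocks(config_text):
    """Yield the body of each `elasticsearch { ... }` plugin block."""
    text = re.sub(r"#[^\n]*", "", config_text)  # naive: ignores '#' inside strings
    for m in re.finditer(r"\belasticsearch\s*\{", text):
        depth, i = 1, m.end()
        while i < len(text) and depth:  # brace matching; %{...} sprintf refs balance
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        yield text[m.end():i - 1] if depth == 0 else text[m.end():]

def setting(body, name):
    """Return the lower-cased value of `name => value`, or None if unset."""
    m = re.search(r"\b" + re.escape(name) + r"\s*=>\s*[\"']?([\w.-]+)", body)
    return m.group(1).lower() if m else None

def audit(config_text):
    """Return (block_number, status, reason) tuples for risky outputs."""
    findings = []
    for n, body in enumerate(es_blocks(config_text), 1):
        protocol = setting(body, "protocol")
        if setting(body, "embedded") == "true":
            findings.append((n, "exposed", "embedded => true starts a local embedded cluster"))
        if protocol == "node":
            findings.append((n, "exposed", "node protocol uses the bundled Elasticsearch binaries"))
        elif protocol not in SAFE_PROTOCOLS:
            findings.append((n, "review", "protocol unset or unrecognised; check the effective default"))
    return findings

if __name__ == "__main__":
    for block, status, reason in audit(SAMPLE):
        print(f"elasticsearch output #{block}: {status}: {reason}")
```

The matcher picks up any plugin block named `elasticsearch`, so confirm each hit is in the `output` section before acting on it.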

Solution

Update the affected packages.

See Also

https://www.elastic.co/community/security

https://www.elastic.co/blog/elasticsearch-1-2-0-released

https://www.elastic.co/blog/logstash-1-4-3-released

https://bouk.co/blog/elasticsearch-rce/

http://www.nessus.org/u?27fc4ce3

http://www.nessus.org/u?6702767b

http://www.nessus.org/u?a8f9d692

Plugin Details

Severity: Medium

ID: 84411

File Name: freebsd_pkg_43ac9d421b9a11e5b43d002590263bf5.nasl

Version: 2.9

Type: local

Published: 6/26/2015

Updated: 3/28/2022

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Critical

Score: 9.7

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

Vulnerability Information

CPE: p-cpe:/a:freebsd:freebsd:elasticsearch, p-cpe:/a:freebsd:freebsd:logstash, cpe:/o:freebsd:freebsd

Required KB Items: Host/local_checks_enabled, Host/FreeBSD/release, Host/FreeBSD/pkg_info

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 6/26/2015

Vulnerability Publication Date: 5/22/2014

CISA Known Exploited Vulnerability Due Dates: 4/15/2022

Exploitable With

Metasploit (ElasticSearch Dynamic Script Arbitrary Java Execution)

Reference Information

CVE: CVE-2014-3120

BID: 67731