FreeBSD : elasticsearch and logstash -- remote OS command execution via dynamic scripting (43ac9d42-1b9a-11e5-b43d-002590263bf5)

This script is Copyright (C) 2015-2016 Tenable Network Security, Inc.


Synopsis :

The remote FreeBSD host is missing one or more security-related
updates.

Description :

Elastic reports :

Vulnerability Summary: In Elasticsearch versions 1.1.x and prior,
dynamic scripting is enabled by default. This could allow an attacker
to execute OS commands.

Remediation Summary: Disable dynamic scripting.

Logstash 1.4.2 was bundled with Elasticsearch 1.1.1, which is
vulnerable to CVE-2014-3120. These binaries are used in the
Elasticsearch output specifically when using the node protocol. Since a
node client joins the Elasticsearch cluster, attackers could use scripts
to execute commands on the host OS via the node client's URL endpoint.
With the 1.4.3 release, we are packaging Logstash with Elasticsearch
1.5.2 binaries, which by default disable the ability to run scripts.
This also affects users who are using the configuration option
embedded=>true in the Elasticsearch output, which starts a local
embedded Elasticsearch cluster. This is typically used in development
environments and proof-of-concept deployments. Regardless of this
vulnerability, we strongly recommend not using embedded in production.

Note that users of the transport and http protocols are not vulnerable
to this attack.
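A defender's check for the remediation described above, added here and not part of the Nessus plugin or Elastic's advisory: it reads a GET /_nodes/settings response from a 1.x cluster and lists the nodes that still accept dynamic scripts, either explicitly or because they run a release (1.1.x and earlier) where that is the default. Assumptions: the 1.x setting name script.disable_dynamic, that its default flipped to disabled in 1.2.0 as the release blog linked below describes, and a constructed sample response in place of a live cluster.

```python
import json

# Elasticsearch 1.x setting that switches dynamic scripting off. Assumption:
# absent from the config, it defaults to enabled before 1.2.0 and to
# disabled from 1.2.0 on.
SETTING = "script.disable_dynamic"
DEFAULT_DISABLED_FROM = (1, 2, 0)


def _lookup(settings, dotted):
    """Fetch a setting whether the node reports it flat ("a.b") or nested."""
    if dotted in settings:
        return settings[dotted]
    node = settings
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def _version_tuple(version):
    """'1.5.2-SNAPSHOT' -> (1, 5, 2); the pre-release suffix is ignored."""
    return tuple(int(x) for x in version.split("-")[0].split("."))


def dynamic_scripting_exposed(node):
    """True if this node accepts dynamic scripts (explicitly or by default)."""
    value = _lookup(node.get("settings", {}), SETTING)
    if value is not None and str(value).lower() in ("true", "false"):
        return str(value).lower() == "false"
    # No explicit true/false: fall back to the release default.
    return _version_tuple(node["version"]) < DEFAULT_DISABLED_FROM


def exposed_nodes(nodes_settings_json):
    """Names of nodes in a GET /_nodes/settings response that are exposed."""
    doc = json.loads(nodes_settings_json)
    return sorted(n["name"] for n in doc["nodes"].values()
                  if dynamic_scripting_exposed(n))


# Constructed sample response (not captured from a real cluster).
SAMPLE = json.dumps({"cluster_name": "logstash", "nodes": {
    "n1": {"name": "ls-embedded", "version": "1.1.1", "settings": {}},
    "n2": {"name": "ls-hardened", "version": "1.1.1",
           "settings": {"script": {"disable_dynamic": "true"}}},
    "n3": {"name": "es-152", "version": "1.5.2", "settings": {}},
    "n4": {"name": "es-152-reenabled", "version": "1.5.2",
           "settings": {"script.disable_dynamic": "false"}}}})

if __name__ == "__main__":
    print(exposed_nodes(SAMPLE))  # ['es-152-reenabled', 'ls-embedded']
```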

See also :

https://www.elastic.co/community/security
https://www.elastic.co/blog/elasticsearch-1-2-0-released
https://www.elastic.co/blog/logstash-1-4-3-released
http://bouk.co/blog/elasticsearch-rce/
http://www.nessus.org/u?6b654c41
http://www.nessus.org/u?6702767b
http://www.nessus.org/u?24cc3882

Solution :

Update the affected packages.

Risk factor :

Medium / CVSS Base Score : 6.8
(CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P)
CVSS Temporal Score : 5.3
(CVSS2#E:POC/RL:OF/RC:C)
Public Exploit Available : true

Family: FreeBSD Local Security Checks

Nessus Plugin ID: 84411

Bugtraq ID: 67731

CVE ID: CVE-2014-3120
