===============================
                   - Advisory -
          ===============================

  Tittle:   ElasticSearch cloud-azure plugin - Indexes content transmitted in cleartext
    Risk:   Medium/Low
    Date:   16.Sept.2015
  Author:   Pedro Andujar
 Twitter:   @pandujar


.: [ INTRO ] :.

Elasticsearch is a search server based on Lucene. It provides a distributed, multitenant-capable full-text 
search engine with a RESTful web interface and schema-free JSON documents. Elasticsearch is developed in 
Java and is released as open source under the terms of the Apache License.

ElasticSearch comes with Snapshot and Restore capabilities to use as backup. Cloud-azure plugin enables ELK 
to store the indexes snapshots into Azure blobs. Affected versions: ElasticSearch 1.7.2 and prior. 


.: [ TECHNICAL DESCRIPTION ] :.

Azure recommendation:
"The Microsoft Azure storage services support both HTTP and HTTPS; however, using HTTPS is highly recommended."

Insecure Client Implementation:
The connection string for ELK cloud-azure plugin contains hardcoded http url with the lack of encryption and 
certificate validation, therefore its prone to sniffing and MiTM attacks. A potential attacker with the required
access to the network traffic would be able to intercept the content of the indexes snapshots.

It's a good thing that Azure uses SharedKey authentication, so the account key is not sent directly through
http traffic, instead it sends hmac-sha256 signature of the http headers (using the account key) for each
request. 

Affected Src:
elasticsearch/plugins/cloud-azure/src/main/java/org/elasticsearch/cloud/azure/storage/AzureStorageServiceImpl.java

    @Inject
    public AzureStorageServiceImpl(Settings settings) {
        super(settings);
        // We try to load storage API settings from `cloud.azure.`
        account = settings.get(ACCOUNT);
        key = settings.get(KEY);
        blob = "http://" + account + ".blob.core.windows.net/";

        try {
            if (account != null) {
                logger.trace("creating new Azure storage client using account [{}], key [{}], blob [{}]", account, key, blob);

                String storageConnectionString =
                        "DefaultEndpointsProtocol=http;"
                                + "AccountName="+ account +";"
                                + "AccountKey=" + key;

                // Retrieve storage account from connection-string.
                CloudStorageAccount storageAccount = CloudStorageAccount.parse(storageConnectionString);




.: [ CHANGELOG ] :.

  * 10/Sept/2015:   - Security at Elastic contacted.
  * 10/Sept/2015:   - Security at Elastic ack.
  * 12/Sept/2015:   - Elastic replies confirming they plan to fix. But is under their risk threshold 
		      to be considered a vulnerability. 
  * 15/Sept/2015:   - Quick workarround: https://github.com/elastic/elasticsearch/pull/13573
  * 16/Sept/2015:   - Authorized to disclose.


.: [ SOLUTIONS ] :.

Apply the following quickfix:
https://github.com/elastic/elasticsearch/pull/13573

Consider changing your account name and key. 
Evaluate possible indirect impact due to stored information.


.: [ REFERENCES ] :.

   [+] CWE-319: Cleartext Transmission of Sensitive Information
    https://cwe.mitre.org/data/definitions/319.html

   [+] OWASP 2010-A9-Insufficient Transport Layer Protection
    https://www.owasp.org/index.php/Top_10_2010-A9-Insufficient_Transport_Layer_Protection

   [+] ELK Security
    https://www.elastic.co/community/security

   [+] Azure SharedKey Auth
    https://msdn.microsoft.com/en-us/library/azure/dd179428.aspx

   [+] !dSR - Digital Security Research
    http://www.digitalsec.net/




                    -=EOF=-