Thread: Cloud computing - episodes ...

  #1 AplusWebMaster (Adviser Team)
    Amazon cloud attackers install DDoS bots ...

    FYI...

    Amazon cloud attackers install DDoS bots ...
    Attackers are targeting Amazon EC2 instances with Elasticsearch 1.1.x installed
    - https://www.computerworld.com/s/arti...earch_weakness
    July 28, 2014 - "Attackers are exploiting a vulnerability in distributed search engine software Elasticsearch to install DDoS malware on Amazon and possibly other cloud servers. Elasticsearch is an increasingly popular open-source search engine server developed in Java that allows applications to perform full-text search for various types of documents through a REST API (representational state transfer application programming interface). Because it has a distributed architecture that allows for multiple nodes, Elasticsearch is commonly used in cloud environments. It can be deployed on Amazon Elastic Compute Cloud (EC2), Microsoft Azure, Google Compute Engine and other cloud platforms. Versions 1.1.x of Elasticsearch have support for active scripting through API calls in their default configuration. This feature poses a security risk because it doesn't require authentication and the script code is -not- sandboxed. Security researchers reported earlier this year that attackers can exploit Elasticsearch's scripting capability to execute arbitrary code on the underlying server, the issue being tracked as CVE-2014-3120* in the Common Vulnerabilities and Exposures (CVE) database. Elasticsearch's developers haven't released a patch for the 1.1.x branch, but starting with version 1.2.0, released on May 22, dynamic scripting is disabled by default. Last week security researchers from Kaspersky Lab** found new variants of Mayday, a Trojan program for Linux that's used to launch distributed denial-of-service (DDoS) attacks. The malware supports several DDoS techniques, including DNS amplification. One of the new Mayday variants was found running on compromised Amazon EC2 server instances, but this is not the only platform being misused... Users of Elasticsearch 1.1.x should upgrade to a newer version and those who require the scripting functionality should follow the security recommendations made by the software's developers in a blog post*** on July 9."

    * https://web.nvd.nist.gov/view/vuln/d...=CVE-2014-3120 - 6.8

    - https://web.nvd.nist.gov/view/vuln/d...=CVE-2014-4326 - 7.5 (HIGH)

    - http://www.elasticsearch.org/blog/logstash-1-4-2/
    Jun 24
    Changelog for 1.4.2
    - https://github.com/elasticsearch/log...ster/CHANGELOG

    ** https://securelist.com/blog/virus-wa...os-and-profit/

    *** http://www.elasticsearch.org/blog/scripting-security/

    - https://www.found.no/foundation/elas...-elasticsearch

    Insecure default in Elasticsearch enables remote code execution
    - http://bouk.co/blog/elasticsearch-rce/
    May 2014 - "... How to secure against this vulnerability..."
    ___

    >> http://www.rapid7.com/db/modules/exp...cript_mvel_rce
    ___

    - http://atlas.arbor.net/briefs/index#-961013762
    High Severity
    31 Jul 2014

    Last edited by AplusWebMaster; 2014-08-01 at 16:06.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
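Added example, not part of the post above or of Elasticsearch's own tooling: a small Python audit that reads a saved `_nodes/settings` response (a constructed sample is embedded) and lists the nodes on which dynamic scripting is still accepted, applying the rule the quoted article states (on by default before 1.2.0, off by default from 1.2.0) plus the explicit `script.disable_dynamic: true` setting that the developers' scripting-security post recommends. The response layout, the setting name and the version cutoff constant are assumptions made here, not facts taken from the thread.

```python
import json

# Assumed from the article: dynamic scripting is off by default from 1.2.0 onward.
DEFAULT_DISABLED_FROM = (1, 2, 0)

# Constructed sample of a GET /_nodes/settings response (not a real cluster).
SAMPLE_NODES_RESPONSE = json.dumps({
    "cluster_name": "search-prod",
    "nodes": {
        "n1": {"name": "es-1", "version": "1.1.1", "settings": {}},
        "n2": {"name": "es-2", "version": "1.1.2",
               "settings": {"script": {"disable_dynamic": "true"}}},
        "n3": {"name": "es-3", "version": "1.2.1", "settings": {}},
    },
})


def parse_version(version):
    """Turn '1.1.2' (or '1.2.0-beta1') into a comparable tuple (1, 1, 2)."""
    return tuple(int(p) for p in version.split("-")[0].split("."))


def flatten(settings, prefix=""):
    """Flatten nested settings {'script': {'disable_dynamic': 'true'}}
    into dotted keys {'script.disable_dynamic': 'true'}."""
    flat = {}
    for key, value in settings.items():
        if isinstance(value, dict):
            flat.update(flatten(value, prefix + key + "."))
        else:
            flat[prefix + key] = value
    return flat


def dynamic_scripting_enabled(version, flat_settings):
    """True if the node still accepts scripts sent inline in API requests.
    An explicit setting wins; otherwise the version's default applies.
    Any explicit value other than 'true' is treated as enabled (conservative)."""
    flag = flat_settings.get("script.disable_dynamic")
    if flag is not None:
        return str(flag).lower() != "true"
    return parse_version(version) < DEFAULT_DISABLED_FROM


def audit_nodes(nodes_json):
    """Return the names of nodes that should be upgraded or reconfigured."""
    data = json.loads(nodes_json)
    return [node["name"] for node in data["nodes"].values()
            if dynamic_scripting_enabled(node["version"],
                                         flatten(node.get("settings", {})))]


if __name__ == "__main__":
    for name in audit_nodes(SAMPLE_NODES_RESPONSE):
        print(f"{name}: dynamic scripting enabled; upgrade or set script.disable_dynamic: true")
```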
