Bad implementation of Elastic Stack causes API vulnerability

Researchers on Wednesday reported on an API vulnerability that results from a bad implementation of Elastic Stack, a group of open source products that use APIs for data aggregation, search and analytics.

In a blog post, researchers at Salt Security's Salt Labs reported that nearly every organization that uses Elastic Stack is affected by this API vulnerability, which leaves users susceptible to injection attacks. The researchers say threat actors can use injection attacks to exfiltrate data and launch denial-of-service (DoS) attacks.

According to the researchers, exploits that take advantage of the vulnerability can create API threats that correspond to common API security issues described in the OWASP API Security Top 10, including: excessive data exposure, lack of resources and rate limits, security misconfigurations, and susceptibility to injection attacks due to a lack of input filtering.

“Salt Security wants to ensure it's clear that the elastic injection vulnerability we see in our customers' environments has not been caused by a vulnerability in Elastic Stack’s software itself,” said Michael Isbitski, technical evangelist at Salt Security.

“Rather, the vulnerability results from a common risky implementation setup by users,” explained Isbitski. “The lack of awareness around potential misconfigurations, misimplementations, and cluster exposures is largely a community issue that can be solved only through research and education.”

Yaniv Bar-Dayan, co-founder and CEO at Vulcan Cyber, further explained that Salt Security has identified a “notable vulnerability” in a massive B2C cloud service caused by the service’s misconfiguration of Elastic Stack.  

“Other users of Elastic Stack should check their own implementations for this misconfiguration and not repeat the same mistake,” said Bar-Dayan. “We’ve all seen exposed customer data and denial of service attacks do significant material damage to hacked targets. Exploit of this vulnerability is avoidable, but must be remediated quickly.”

Securing APIs and understanding how they’re being used, or abused, has become an important part of keeping data safe in cloud-based apps and infrastructure, said Hank Schless, senior manager, security solutions at Lookout. Just like any other integrated or connected technology, Schless said IT and security teams need to have visibility into how data flows through APIs, whether they’re properly configured, and how they behave. 

“Advanced cloud access security broker solutions can help in mitigating the risk of misconfigured or abused APIs,” Schless said. “Cloud security posture management and SaaS security posture management are aspects of many CASB solutions that help admins understand whether a SaaS or IaaS app’s APIs are configured correctly. This is often done according to known best practices and industry benchmarks, such as those from the Center for Internet Security. It’s just as important to understand the behavior of the API and the data it helps move, which user and entity behavior analytics can help grant visibility into.”

In spite of what their owners might think, all APIs have vulnerabilities, said David Stewart, CEO at Approov.

“Each vulnerability can likely be exploited by an automated script and this research demonstrates once again the ease with which it can be done,” Stewart said. “During the continuous process of finding and fixing vulnerabilities, every organization must protect their APIs from scripting attacks. In other words: shield right while you shift left.”