CVE-2024-23444 - Elasticsearch-certutil tool saving unencrypted private keys for Certificate Signing Requests even with --pass option enabled
---
New vulnerabilities surface constantly. Elastic engineering recently discovered one in how the Elasticsearch-certutil CLI tool handles private key generation, and Elastic has assigned it the identifier CVE-2024-23444.
This vulnerability has been found to affect the Elastic Stack security in versions 7.10 to 7.14 inclusive. When using the elasticsearch-certutil CLI tool with the csr option to create a new Certificate Signing Request (CSR), the associated private key generated is stored on disk unencrypted even if the --pass parameter is passed in the command invocation.
An attacker who gains access to the output of the elasticsearch-certutil CLI tool may be able to exfiltrate private keys, use them to decrypt traffic between nodes, or compromise other components that use the same private key, such as Kibana or Logstash.
Exploit Details
The vulnerable behaviour is triggered by an ordinary use of the csr option, as shown below:
```bash
./bin/elasticsearch-certutil csr --name mycluster --dns localhost --ip 127.0.0.1 --pass [some password]
```
The private key written alongside the CSR is stored unencrypted despite the --pass option, so anyone who can read it can use it for malicious purposes.
Original References
Elastic has acknowledged the vulnerability and provided official patches for this issue. Users are advised to upgrade their Elastic Stack security version to either 7.14.1 or 7.15.0.
For more information about this vulnerability, you can refer to the official Elastic security advisory, found here: CVE-2024-23444 Elasticsearch-certutil CLI tool vulnerability.
Mitigation Measures
For users who cannot immediately upgrade to the fixed Elastic Stack security version, there are alternative mitigation measures available:
1. When generating a CSR with the elasticsearch-certutil CLI tool, use the -metadata flag to encrypt the private key, like so:
```bash
./bin/elasticsearch-certutil csr --name mycluster --dns localhost --ip 127.0.0.1 --pass [somepassword] -metadata
```
2. After creating a CSR, ensure that the associated private key file is securely destroyed or encrypted with appropriate tools.
3. Examine and monitor the environment and file system containing the Elasticsearch configuration files and key files. Verify that unauthorized access to these files is not possible.
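To verify mitigations 2 and 3 rather than trust the --pass option, the following check inspects every key file in a CSR bundle and reports which ones are stored in plaintext. This is an added example, not code from Elastic or from this advisory; it assumes the CSR output is either the zip bundle that elasticsearch-certutil csr writes (with <name>/<name>.key members) or an unpacked directory, and the sample bundle it builds uses placeholder base64, not real keys.

```python
import os
import re
import tempfile
import zipfile

# An encrypted key is PKCS#8 "ENCRYPTED PRIVATE KEY" or a legacy OpenSSL
# block carrying a "Proc-Type: 4,ENCRYPTED" header right after the BEGIN line.
PKCS8_ENCRYPTED = re.compile(rb"-----BEGIN ENCRYPTED PRIVATE KEY-----")
LEGACY_ENCRYPTED = re.compile(rb"^Proc-Type:\s*4,ENCRYPTED", re.M)
ANY_PRIVATE_KEY = re.compile(rb"-----BEGIN (?:[A-Z ]+ )?PRIVATE KEY-----")

def classify_pem(data: bytes) -> str:
    """Return 'encrypted', 'plaintext' or 'not-a-key' for a PEM blob."""
    if PKCS8_ENCRYPTED.search(data) or LEGACY_ENCRYPTED.search(data):
        return "encrypted"
    return "plaintext" if ANY_PRIVATE_KEY.search(data) else "not-a-key"

def iter_key_files(path):
    """Yield (name, bytes) for each *.key in a certutil zip bundle or an unpacked directory."""
    if zipfile.is_zipfile(path):
        with zipfile.ZipFile(path) as zf:
            for name in zf.namelist():
                if name.endswith(".key"):
                    yield name, zf.read(name)
        return
    for root, _dirs, files in os.walk(path):
        for fname in files:
            if fname.endswith(".key"):
                with open(os.path.join(root, fname), "rb") as fh:
                    yield os.path.join(root, fname), fh.read()

def audit(path):
    """Classify every key file; a 'plaintext' result means --pass was not honoured."""
    return {name: classify_pem(data) for name, data in iter_key_files(path)}

# Constructed sample bundle (placeholder base64, not real keys): one plaintext key, one encrypted.
SAMPLE_MEMBERS = {
    "mycluster/mycluster.key": b"-----BEGIN PRIVATE KEY-----\nMIIEvQ...placeholder\n-----END PRIVATE KEY-----\n",
    "other/other.key": b"-----BEGIN ENCRYPTED PRIVATE KEY-----\nMIIFHD...placeholder\n-----END ENCRYPTED PRIVATE KEY-----\n",
}

def demo_audit():
    """Write the constructed bundle to a temp dir, audit it and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        bundle = os.path.join(tmp, "csr-bundle.zip")
        with zipfile.ZipFile(bundle, "w") as zf:
            for name, data in SAMPLE_MEMBERS.items():
                zf.writestr(name, data)
        return audit(bundle)
```

Run audit() against the real bundle path after generating a CSR on an affected version; any key reported as plaintext should be re-encrypted or destroyed as described in mitigation 2.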
In summary, the Elastic engineering team has identified a vulnerability in the elasticsearch-certutil CLI tool, CVE-2024-23444, in which the private key generated alongside a CSR is stored on disk unencrypted even when the --pass parameter is specified. It is strongly recommended to either upgrade to a patched Elastic Stack security version or follow the mitigation measures provided above. Doing so protects your Elastic Stack components, such as Elasticsearch, Kibana, or Logstash, from unauthorized access or compromise.
Timeline
Published on: 07/31/2024 18:15:11 UTC
Last modified on: 08/01/2024 12:42:36 UTC