Auth Bypass in Elasticsearch
How Auth Bypass Manifests in Elasticsearch
Elasticsearch auth bypass vulnerabilities typically emerge through misconfigured security settings, exposed endpoints, and flawed access control implementations. The most common manifestation occurs when Elasticsearch instances are deployed with default configurations that disable security features entirely.
// Vulnerable configuration exposing unprotected endpoints
{
"http": {
"enabled": true,
"bind_host": "0.0.0.0",
"publish_host": "0.0.0.0"
},
"network": {
"host": "0.0.0.0"
},
"xpack": {
"security": {
"enabled": false // <--- Critical vulnerability
}
}
}
This configuration allows anyone on the network to access the Elasticsearch cluster without authentication. Attackers can perform unrestricted searches, modify data, or delete indices. The _search endpoint becomes completely open:
# No authentication required
curl -X GET "http://elasticsearch:9200/my_index/_search?q=*:*"
Another common auth bypass pattern involves misconfigured cross-cluster search. When action.search.allow_remote_access is enabled without proper authentication, attackers can query data across clusters:
// Vulnerable cross-cluster configuration
{
"cluster": {
"remote": {
"other_cluster": {
"seeds": ["other-cluster-node:9300"]
}
}
},
"action": {
"search": {
"allow_remote_access": true // <--- No auth required
}
}
}
Elasticsearch also suffers from BOLA (Broken Object Level Authorization) vulnerabilities where index-level permissions are improperly enforced. An authenticated user might access indices they shouldn't see:
# User A shouldn't access User B's data
curl -X GET "http://elasticsearch:9200/user_b_orders/_search"
Script-based auth bypasses represent another critical vector. Elasticsearch's script engine can be exploited when dynamic scripting is enabled:
// Vulnerable script configuration
{
"script": {
"inline": {
"sandbox_mode": false
},
"stored": {
"sandbox_mode": false
}
}
}
Attackers can craft malicious scripts that bypass authentication checks or escalate privileges by executing arbitrary code within the Elasticsearch JVM.
Elasticsearch-Specific Detection
Detecting auth bypass in Elasticsearch requires both configuration analysis and runtime endpoint testing. Start with configuration scanning to identify exposed endpoints and disabled security features:
# Check for exposed endpoints
curl -s http://elasticsearch:9200/_cluster/health?pretty
curl -s http://elasticsearch:9200/_nodes/http?pretty
# Test for authentication bypass
curl -s -o /dev/null -w "%{http_code}" http://elasticsearch:9200/
A 200 response without authentication indicates a critical vulnerability. For deeper analysis, examine the cluster's security configuration:
# Check X-Pack security status
curl -s http://elasticsearch:9200/_xpack/security/_status
# Test index-level permissions
curl -s -X GET "http://elasticsearch:9200/_security/role_mapping/"/
middleBrick's Elasticsearch-specific scanning tests the unauthenticated attack surface by attempting requests to all HTTP endpoints and analyzing responses for authentication bypass indicators. The scanner checks:
| Endpoint Tested | Authentication Check | Expected Result |
|---|---|---|
| /_search | Unauthenticated GET | 401/403 |
| /_cluster/health | Unauthenticated GET | 401/403 |
| /_nodes | Unauthenticated GET | 401/403 |
| /_security/role_mapping | Unauthenticated GET | 401/403 |
For script-based vulnerabilities, test dynamic scripting capabilities:
# Test for script engine bypass
curl -X POST "http://elasticsearch:9200/test_index/_search" -H 'Content-Type: application/json' -d '{
"query": {
"script": {
"script": "1 + 1"
}
}
}'
Successful execution without authentication indicates a severe vulnerability. Also test for cross-cluster search bypass:
# Test cross-cluster auth bypass
curl -X POST "http://elasticsearch:9200/_search" -H 'Content-Type: application/json' -d '{
"query": {
"match_all": {}
},
"size": 1
}'
middleBrick's black-box scanning approach tests these endpoints without requiring credentials, simulating the perspective of an unauthenticated attacker. The scanner provides severity ratings and specific remediation guidance for each discovered vulnerability.
Elasticsearch-Specific Remediation
Remediating Elasticsearch auth bypass requires implementing proper security configurations and access controls. Start by enabling X-Pack security if using Elasticsearch's built-in security features:
# Enable security in elasticsearch.yml
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.http.ssl.enabled: true
For production deployments, configure role-based access control with minimal necessary permissions:
// Define security roles in elasticsearch.yml
{
"role1": {
"cluster": ["read"],
"indices": [
{
"names": ["index1", "index2"],
"privileges": ["read"]
}
]
}
}
Disable dynamic scripting to prevent script-based auth bypasses:
# elasticsearch.yml configuration
script.inline: false
script.stored: false
script.file: false
script.expression: false
script.mustache: false
Configure network-level access controls to restrict Elasticsearch access to trusted networks:
# elasticsearch.yml - bind to specific interfaces
network.host: ["localhost", "192.168.1.100"]
http.port: 9200
Implement authentication using native users or external authentication providers:
# Create users with minimal privileges
bin/elasticsearch-users useradd admin -p changeme -r superuser
bin/elasticsearch-users useradd reader -p changeme -r readall
For cross-cluster search, implement proper authentication and authorization:
// Secure cross-cluster configuration
{
"cluster": {
"remote": {
"other_cluster": {
"seeds": ["other-cluster-node:9300"],
"transport": {
"ssl": {
"verification_mode": "full"
}
}
}
}
},
"action": {
"search": {
"allow_remote_access": true
}
}
}
Regularly audit security configurations and monitor for unauthorized access attempts:
# Monitor authentication logs
curl -X GET "http://elasticsearch:9200/_security/_authenticate"
# Audit trail configuration
xpack.security.audit.enabled: true
xpack.security.audit.outputs: ["logfile", "stdout"]
middleBrick's continuous monitoring can automatically detect when security configurations regress, providing alerts when auth bypass vulnerabilities reappear in your Elasticsearch deployment.
Related CWEs: authentication
| CWE ID | Name | Severity |
|---|---|---|
| CWE-287 | Improper Authentication | CRITICAL |
| CWE-306 | Missing Authentication for Critical Function | CRITICAL |
| CWE-307 | Brute Force | HIGH |
| CWE-308 | Single-Factor Authentication | MEDIUM |
| CWE-309 | Use of Password System for Primary Authentication | MEDIUM |
| CWE-347 | Improper Verification of Cryptographic Signature | HIGH |
| CWE-384 | Session Fixation | HIGH |
| CWE-521 | Weak Password Requirements | MEDIUM |
| CWE-613 | Insufficient Session Expiration | MEDIUM |
| CWE-640 | Weak Password Recovery | HIGH |
Frequently Asked Questions
What makes Elasticsearch auth bypass different from other API auth bypass vulnerabilities?
Elasticsearch auth bypass often involves default configurations that disable security entirely, rather than implementation flaws in authentication logic. The vulnerability typically manifests as exposed endpoints with no authentication required, making it immediately exploitable without credentials. Elasticsearch's powerful query capabilities mean that successful auth bypass can lead to complete data exposure or deletion across all indices.
How can I test my Elasticsearch instance for auth bypass vulnerabilities?
Test by attempting unauthenticated requests to all HTTP endpoints. A successful response to /_search, /_cluster/health, or /_nodes indicates auth bypass. Use tools like curl to test: curl -s http://your-elasticsearch:9200/_search. If you get a 200 response without authentication, you have a critical vulnerability. middleBrick can automate this testing across all endpoints in seconds.