RoR with SSO is allowing to see all data with /_search/template (should not be possible)

Hi there,

We are using ES 6.5.0 with readonlyrest-1.20.0_es (also tested in DEV with the newest version, readonlyrest-1.22.1_es6.5.0, and the issue is still there).
With the configuration listed below, we are facing quite a serious security issue in PROD: data are available across applications using the /_search/template API, and with SSO they shouldn’t be accessible.

With single sign-on, the _search API is blocked with 401 for the same user and settings (which is expected).

Steps to reproduce:

RoR configuration (in puppet):

readonlyrest:
    ldaps:    
        all:
            no_backend: true
            groups: "[\"CHR-GP-SV-INL-P-Elasticservice-Prod\"]"
            indexes: "[\"*\"]" 
            actions: "[\"*\"]"
 
        dna:
                no_ldap: true
                no_backend: true
                groups: "[\"CHR-GP-SV-INL-P-ElasticserviceDna-Prod\", \"CHR-GP-SV-DNA-P-USER-Prod\", \"CHR-GP-SV-DNA-P-ADMIN-Prod\", \"CHR-GP-SV-DNA-P-OVERALL-Prod\"]"
                indexes: "[\"dna_*\"]" 
                actions: "[\"indices:data/read/*\", \"cluster:monitor/state\", \"indices:admin/get\", \"indices:admin/mappings/fields/get\", \"indices:admin/mappings/get\", \"indices:admin/aliases/get\", \"indices:admin/template/get\"]"

readonlyrest.yml

readonlyrest:
    access_control_rules:
    - name: "LDAP - all - Kibana"
      type: allow
      ldap_auth:
        name: "ldap1"
        groups: ["CHR-GP-SV-INL-D-Elasticservice-Dev"]
      indices: [".kibana*"]
      actions: ["indices:data/read/*","indices:data/write/*"]
    - name: "LDAP - all"
      type: allow
      ldap_auth:
        name: "ldap1"
        groups: ["CHR-GP-SV-INL-D-Elasticservice-Dev"]
      indices: ["*"]
      actions: ["*"]

    - name: "Proxy - all - Kibana"
      type: allow
      headers: ["X-Auth-Key:..."]
      proxy_auth:
        proxy_auth_config: "proxy1"
        users: ["*"]
      ldap_authorization:
        name: "ldap1"
        groups: ["CHR-GP-SV-INL-D-Elasticservice-Dev"]
      indices: [".kibana*"]
      actions: ["indices:data/read/*","indices:data/write/*"]

    - name: "Proxy - all"
      type: allow
      headers: ["X-Auth-Key:..."]
      proxy_auth:
        proxy_auth_config: "proxy1"
        users: ["*"]
      ldap_authorization:
        name: "ldap1"
        groups: ["CHR-GP-SV-INL-D-Elasticservice-Dev"]
      indices: ["*"]
      actions: ["*"]


    - name: "Proxy - dna - Kibana"
      type: allow
      headers: ["X-Auth-Key:..."]
      proxy_auth:
        proxy_auth_config: "proxy1"
        users: ["*"]
      ldap_authorization:
        name: "ldap1"
        groups: ["CHR-GP-SV-INL-D-ElasticserviceDna-Dev", "CHR-GP-SV-DNA-P-USER-Dev", "CHR-GP-SV-DNA-P-ADMIN-Dev"]
      indices: [".kibana*"]
      actions: ["indices:data/read/*","indices:data/write/*"]

    - name: "Proxy - dna"
      type: allow
      headers: ["X-Auth-Key:..."]
      proxy_auth:
        proxy_auth_config: "proxy1"
        users: ["*"]
      ldap_authorization:
        name: "ldap1"
        groups: ["CHR-GP-SV-INL-D-ElasticserviceDna-Dev", "CHR-GP-SV-DNA-P-USER-Dev", "CHR-GP-SV-DNA-P-ADMIN-Dev"]
      indices: ["dna_*"]
      actions: ["indices:data/read/*", "cluster:monitor/state", "indices:admin/get", "indices:admin/mappings/fields/get", "indices:admin/mappings/get", "indices:admin/aliases/get", "indices:admin/template/get"]


    proxy_auth_configs:
    - name: proxy1
      user_id_header: "X-Forwarded-User"

    ldaps:
    - name: ldap1
      host: "...."
      port: ....
      ssl_enabled: true
      ssl_trust_all_certs: true
      bind_dn: "CN=tecinld1,OU=TEC,OU=SpecialUser,DC=corp,DC=gwpnet,DC=com"
      bind_password: "...."
      search_user_base_DN: "DC=corp,DC=gwpnet,DC=com"
      user_id_attribute: "samaccountname"
      search_groups_base_DN: "DC=corp,DC=gwpnet,DC=com"
      unique_member_attribute: "member"
      connection_pool_size: 10
      connection_timeout_in_sec: 10
      request_timeout_in_sec: 10
      cache_ttl_in_sec: 60
      group_search_filter: "(objectClass=group)"
      group_name_attribute: "cn"

I’m NOT part of any mentioned group:

  • CHR-GP-SV-INL-P-Elasticservice-Prod
  • CHR-GP-SV-INL-P-ElasticserviceDna-Prod
  • CHR-GP-SV-DNA-P-ADMIN-Prod
  • CHR-GP-SV-DNA-P-OVERALL-Prod - this has 5000+ participants
  • CHR-GP-SV-DNA-P-USER-Prod - this group is no longer available (not existing)

In that configuration _search API returns 401 (which is expected)
GET dna_master_v1/_search

but _search/template against dna_* index returns data I should not see

GET dna_master_v1/_search/template
{
  "id":"dna_filter_v1",
  "params": {
    "search_string":"*"
  }
}

{
  "took" : 5131,
  "timed_out" : false,
  "_shards" : {
    "total" : 3,
    "successful" : 3,
    "skipped" : 0,
    "failed" : 0
  },
  "hits" : {
    "total" : 704833,
    "max_score" : 1.0,
    "hits" : [
      {
        "_index" : "dna_master_v1",
        "_type" : "default",
        "_id" : "2881",
        "_score" : 1.0,
        "_source" : {
          "summary" : "Kick off conf ...

Can you please help us understand what is wrong there?
It looks like this is related to RoR only.

In the log, access to all indices is logged (IDX:*)
[INFO ][t.b.r.a.l.AccessControlLoggingDecorator] [elasticservice-client-03] ALLOWED by { name: 'Proxy - dowjones - Kibana', policy: ALLOW, rules: [proxy_auth,ldap_authorization,headers_and,actions,indices] req={ ID:30181286-653783344#4501833, TYP:SearchTemplateRequest, CGR:N/A, USR:s48qaf, BRS:false, KDX:null, ACT:indices:data/read/search/template, OA:10.62.28.9/32, XFF:x-forwarded-for=10.92.58.220, DA:10.92.58.228/32, IDX:*, MET:POST, PTH:/dna_master_v1/_search/template, CNT:<OMITTED, LENGTH=70.0 B> , HDR:Authorization=<OMITTED>, Connection=close

Thank you for your quick response in advance.
Dominik
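
Added example (not part of the original post and not ReadonlyREST code): a small log check for the discrepancy visible in the quoted entry, where an ALLOWED request names one index in PTH while IDX shows a wider set. The sample lines are constructed, and the field layout (fields separated by ", ", indices in IDX separated by ",") is an assumption based on that single entry.

```python
import re
from fnmatch import fnmatchcase

# Constructed sample lines modelled on the ALLOWED entry quoted in the post.
# Assumption: req={...} fields are separated by ", "; IDX lists indices with ",".
PREFIX = "[INFO ][t.b.r.a.l.AccessControlLoggingDecorator] [node-1] "
SAMPLE_LOG = [
    PREFIX + "ALLOWED by { name: 'example-block', policy: ALLOW } req={ ID:1, "
    "TYP:SearchTemplateRequest, USR:user_a, ACT:indices:data/read/search/template, "
    "IDX:*, MET:POST, PTH:/dna_master_v1/_search/template, CNT:<OMITTED> }",
    PREFIX + "ALLOWED by { name: 'example-block', policy: ALLOW } req={ ID:2, "
    "TYP:SearchRequest, USR:user_b, ACT:indices:data/read/search, "
    "IDX:dna_master_v1,dna_archive_v1, MET:GET, PTH:/dna_*/_search, CNT:<N/A> }",
    PREFIX + "FORBIDDEN by default req={ ID:3, TYP:SearchRequest, USR:user_a, "
    "ACT:indices:data/read/search, IDX:dna_master_v1, MET:GET, "
    "PTH:/dna_master_v1/_search, CNT:<N/A> }",
    PREFIX + "ALLOWED by { name: 'example-block', policy: ALLOW } req={ ID:4, "
    "TYP:IndicesStatsRequest, USR:user_b, ACT:indices:monitor/stats, "
    "IDX:<N/A>, MET:GET, PTH:/_cat/indices, CNT:<N/A> }",
]

FIELD_RE = re.compile(r"\b(TYP|USR|ACT|IDX|PTH):(\S*?)(?:, | |$)")

def parse_line(line):
    """Return the decision plus the req fields of interest, or None."""
    decision = re.search(r"\b(ALLOWED|FORBIDDEN)\b", line)
    if decision is None:
        return None
    rec = dict(FIELD_RE.findall(line))
    rec["decision"] = decision.group(1)
    return rec

def path_indices(path):
    """Index expressions named in the URI; [] for cluster-level paths (/_cat...)."""
    first = path.lstrip("/").split("/", 1)[0]
    return [] if not first or first.startswith("_") else first.split(",")

def scope_mismatches(lines):
    """ALLOWED requests whose logged IDX is not covered by the indices in PTH."""
    findings = []
    for rec in filter(None, map(parse_line, lines)):
        if rec["decision"] != "ALLOWED" or "PTH" not in rec:
            continue
        named = path_indices(rec["PTH"])
        logged = [i for i in rec.get("IDX", "").split(",") if i]
        extra = [i for i in logged
                 if named and not any(fnmatchcase(i, pat) for pat in named)]
        if extra:
            findings.append((rec.get("USR"), rec.get("TYP"), rec["PTH"], extra))
    return findings

if __name__ == "__main__":
    for finding in scope_mismatches(SAMPLE_LOG):
        print("scope mismatch:", finding)
```

A hit is only a lead for review: it means the index set written to the log differs from what the URI names, which is what the entry above shows for SearchTemplateRequest.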

@astrodi could you please check this build and let me know if the issue is still there?

https://readonlyrest-data.s3.amazonaws.com/build/1.23.0-pre7/readonlyrest-1.23.0-pre7_es6.5.0.zip?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIA5SJIWBO54AGBERLX/20200916/eu-west-1/s3/aws4_request&X-Amz-Date=20200916T191741Z&X-Amz-Expires=604800&X-Amz-SignedHeaders=host&X-Amz-Signature=0130bdd71ba01bc4b3cffd717adb81faab4fb0f5792cc50f34b6ebd22a853607

Unfortunately, the issue is still present even with the newest build, 1.23.0-pre7 (installed, tested - same issue still there).

@coutoPL - is there any chance somebody will take a look at this? In my opinion, this is quite a serious security issue violating the whole security concept of the RoR product.

Thank you

yes, obviously. It’ll be checked and fixed. But I can’t guarantee that it will be ready this month

@coutoPL - thank you, Mateusz, for the info; we understand it takes some time to fix the bug.

But, are you currently able to reproduce the issue and confirm the issue is somewhere on your end?
It is important for us to have that confirmation waiting for bugfix.

Thanks

I’ll try to reproduce it. Will let you know next week.

@astrodi

  1. I noticed there is no such block in your readonlyrest.yml. Could you confirm the log is correct?
  2. the log is incomplete, but it’d be nice to see it fully.
  3. are there any WARN or ERROR logs around?

@astrodi I was able to reproduce it and fix (I think). Let’s try this one:

https://readonlyrest-data.s3.amazonaws.com/build/1.24.0-pre2/readonlyrest-1.24.0-pre2_es6.5.0.zip?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIA5SJIWBO54AGBERLX/20200921/eu-west-1/s3/aws4_request&X-Amz-Date=20200921T133241Z&X-Amz-Expires=604800&X-Amz-SignedHeaders=host&X-Amz-Signature=9c08fbe383f72e9bb1092d68e3d0805f9ab6e1c8e72ae6d3c802d878a5d6cde2

@coutoPL - that’s great, I will try to apply patch, test and let you know.
Do you still need full log and readonlyrest.yml? I didn’t have time to provide that earlier today, sorry for that

let’s test the pre build first. Maybe we won’t need them

Hi Mateusz

we have tested the build, and it looks like the issue is not yet present.
Thank you for prompt reaction and quick fix

Meanwhile, we were able to find alternative way of configuration using uri_re (maybe useful for older plugin versions)

    - name: "test"
      type: allow
      auth_key: test:<secret>
      uri_re: ["^/darwin.*","^/ire.*","^/.kibana.*","^/_mapping","^/_aliases","^/_template","^/_cat.*","^/_count.*", "^/_search/scroll"]
      indices: [".kibana*","darwin*"]
      actions: ["*"]

Many thanks @coutoPL, I think thread can be closed

BTW, I recommend that you and all our users keep ROR up to date. Each of our releases supports all ES versions starting from 5.5.0, and we are careful about maintaining backward compatibility, so there should be no worries about installing new versions.