Monday, October 16, 2017

Security Advisory for Security Onion Elastic Alpha

This security advisory only applies to Security Onion Elastic Alpha.  If you're running the stable version of Security Onion (ELSA instead of Elastic), this does not apply to you.  Since this advisory only applies to Security Onion Elastic Alpha, please be reminded of the usual warnings and disclaimers:

  • If this breaks your system, you get to keep both pieces!
  • This is a work in progress and is in constant flux.
  • This is intended to build a quick prototype proof of concept so you can see what our ultimate Elastic configuration might look like. This configuration will change drastically over time leading up to the final release.
  • Do NOT run this on a system that you care about!
  • Do NOT run this on a system that has data that you care about!
  • This should only be run on a TEST box with TEST data!
  • Experimental Setup may result in nausea, vomiting, or a burning sensation.

Security Onion Elastic Alpha runs the Elastic stack (Elasticsearch, Logstash, and Kibana).  UFW, the host-based firewall, is configured to only allow connections to port 22 by default.  Apache is configured as a proxy to authenticate users before accessing Kibana.  Therefore, the original intention of the design was that a user would run Setup and then run so-allow to allow their workstation IP to connect over the network to port 443 where Apache was proxying Kibana and requiring authentication.  However, due to incorrect Docker parameters, Kibana and Elasticsearch ports were being published directly to the network allowing users to bypass both the UFW firewall and the Apache proxy and access Kibana and Elasticsearch directly with no authentication.  This has been corrected in the lastest securityonion-elastic package (securityonion-elastic - 20171011-1ubuntu1securityonion1).

If you're running the stable version of Security Onion (ELSA instead of Elastic), there is nothing to do.

If you're running Security Onion Elastic Alpha and you've already run Setup, please run the following:
sudo soup
sudo so-elastic-restart
If you haven't yet run Setup and are planning to choose the Experimental option to enable the Elastic stack, just make sure that you run "sudo soup" before running Setup.

Previously, our so-elastic-start script would start containers using a --publish parameter like this (in the case of Kibana):
--publish 5601:5601

If you were to then examine the host-based firewall configuration, you would see that only port 22 is open by default:

However, if you were to port scan the box remotely, you would see more than port 22 open:

Now let's install the new securityonion-elastic package (securityonion-elastic - 20171011-1ubuntu1securityonion1):
sudo soup

This new package starts containers using a --publish parameter that only publishes to localhost like this (in the case of Kibana):

securityonion-elastic - 20171011-1ubuntu1securityonion1 makes the following changes:

  • so-kibana publishes port 5601 to only
  • so-elasticsearch publishes ports 9200 and 9300 to only
  • so-logstash publishes ports 6050, 6051, 6052, and 6053 to only
  • so-freqserver no longer publishes port 10004
  • so-domainstats no longer publishes port 20000

Now we need to restart the Docker containers:
sudo so-elastic-restart

Finally, we re-run the remote port scan to verify that only port 22 is open:

More Information
For more information, please see:

Special thanks to Todd Carlson for responsibly disclosing this security issue per our Security page:

All times below are in Eastern time.
10/10/2017 10:02 PM - Received initial notification from Todd Carlson.
10/11/2017 8:35 AM - Confirmed receipt of email, confirmed issue, and committed initial fix.
10/11/2017 9:52 AM - Built new securityonion-elastic package and asked Todd to test and confirm.
10/12/2017 8:18 PM - Received confirmation from Todd that the new package resolved the issue.
10/16/2017 7:20 AM - Pushed new securityonion-elastic package to stable repo.

No comments:

Search This Blog

Featured Post

Quick Malware Analysis: WORD MACRO --> SSLOAD --> COBALT STRIKE pcap from 2024-04-18

Thanks to Brad Duncan for sharing this pcap from 2024-04-18 on his malware traffic analysis site! Due to issues with Google flagging a warni...

Popular Posts

Blog Archive