Together, towards a better future

Kibana Instances Exposing Elasticsearch Databases

2 min read
Kibana Instances Exposing Elasticsearch Databases

More than half of the known cases of massive data breaches over the past year originated from unsecured database servers that were accessible to anyone without any password.

Since the database of an organization contains its most valuable and easily exploitable data, cybercriminals have also started paying closer attention to find other insecure entry points.

Kibana is an open-source analytics and visualization platform designed to work with Elasticsearch. The platform makes it easy for data analysts to quickly and easily understand complex big data streams and logs through graphic representation.

Kibana comes as a browser-based interface that has been designed to fetch data from Elasticsearch databases in real time and then perform advanced data analysis to present it in a variety of charts, tables, and maps.

Upon installation, the default settings configure Kibana to run on localhost at port 5601, but some administrators may choose to change this setting to make it remotely accessible anywhere from the Internet.

26,000 Kibana Instances Exposed

According to a new report shared by an IT professional who wants to remain anonymous and tweets from @InfoSecIta, there are more than 26,000 Kibana instances that are currently exposed on the Internet, and unfortunately, most of them are reportedly unprotected.

Kibana does not come with any security baked into it, like session management, though administrators can still manually configure it to use third-party plugins, like Search Guard, to enable authentication.

“Even if your server is super secured and well configured, and your Elasticsearch is bound to or localhost, or whatever kind of loopback address, an unprotected Kibana app running on top of the elasticsearch stack can compromise your server operativity and allow unauthenticated users to access Kibana dashboard (with admin privileges), thus gifting a strong foothold in further privilege escalation attacks to malicious entities,” InfoSecIta explains.

It should also be noted that Kibana instances are not by default configured to access anything available in the Elasticsearch databases; instead, admins configure what data users can access through Kibana dashboard.

According to shodan, with a maximum number of open Kibana instances United States (8,311) is top in the list of affected countries, followed by China (7,282), Germany (1,709) and then France with 1,152 open instances.

The report also reveals that a maximum number of exposed Kibana instances are hosted on cloud services from Amazon, Alibaba, Microsoft Azure, and Google Cloud.

What’s worrisome? Out of these 26,000+ Kibana instances, a large number of servers are running outdated versions of the software that contains an arbitrary file inclusion vulnerability in its Console plugin.

The flaw allegedly allows remote attackers to execute malicious javascript code, which could potentially let attackers run arbitrary commands on the host system.

Get all the latest posts delivered straight to your inbox!
🎉 You've successfully subscribed to Hack Hex!