Cluster-f*ck! Etcd DBs spaff passwords, cloud keys to world by default
Devs told to take responsibility by setting up authentication
Software called etcd, used for storing data across clusters of containers, has a problem – it does not implement authentication by default and so poses a security risk if deployed without further fiddling.
It's also rather widely used because it comes with Kubernetes, the popular container orchestration software.
Giovanni Collazo, a software developer, raised the issue in a blog post on Friday. He recounts how he conducted a search for etcd instances using the Shodan vulnerability search engine and identified almost 2,300 etcd servers.
He then wrote a script to query the etcd API and requested all account login keys. He got back over 8,700 passwords, along with several hundred AWS secret keys and other API keys.
"I did not test any of the credentials but if I had to guess I would guess that at least a few of them should work and this is the scary part," said Collazo. "Anyone with just a few minutes to spare could end up with a list of hundreds of database credentials which can be used to steal data, or perform a ransomware attacks."
Troy Mursch, a security researcher with Bad Packets Report, said in an email to The Register, said, "I've independently verified [this issue] and confirmed it's a serious concern for anyone running etcd open to the internet."
This particular issue has surfaced before in the context of MongoDB, a NoSQL database that allows developers to install the software without requiring authentication. Developers did just that and in January last year learned to regret doing so.
MondoDB changed the behavior of its software late last year.
"MongoDB moved to a secure-by-default network binding in the server itself last November, with the release of version 3.6, which starts with only local authentication," a company spokesperson told The Register in an email.
How to secure MongoDB – because it isn't by default and thousands of DBs are being hackedREAD MORE
"While the server advises users to set up authentication before reconfiguring the server to connect to a network, updates in the latest version mean defaults now prevent unintentionally open configurations."
In an email to The Register, Brandon Philips, CTO of CoreOS at Red Hat, and one of the main contributors to etcd, suggested those deploying the distributed data store take responsibility for secure deployment.
"In this situation, it seems as if people may not be using etcd's security capabilities and leaving the ports open, which can be a problem with every database," Philips said. "Security requires proper configuration. The etcd community provides multiple guides on proper security setup, and I recommend that products and projects using etcd should deploy a secure configuration."
Collazo argues the etcd team should do more to save developers from shooting themselves in the foot.
"I really hope that the etcd team would reconsider their position and make a breaking change soon to enable authentication by default," he said. "As we learned from the MongoDB experience this is a huge footgun that can be easily removed [from] otherwise awesome software." ®