Skip to content

Latest commit

 

History

History
74 lines (61 loc) · 7.23 KB

attack-surface.md

File metadata and controls

74 lines (61 loc) · 7.23 KB

Attack Surface Analysis for apache/cassandra

Attack Surface: Unauthenticated CQL Native Protocol Access

  • Description: Cassandra's CQL native protocol (port 9042) allows clients to interact with the database. If authentication is disabled, anyone can connect without credentials.
  • Cassandra Contribution: Cassandra's default configuration might have authentication disabled, especially in development environments, which can be mistakenly carried over to production.
  • Example: An attacker scans open ports, finds port 9042 open, connects without credentials, and dumps all data from Cassandra.
  • Impact: Data breach, data manipulation, denial of service, complete compromise of data integrity and confidentiality.
  • Risk Severity: Critical
  • Mitigation Strategies:
    • Enable Authentication: Always enable Cassandra authentication and authorization. Configure a robust mechanism (e.g., internal password authentication, LDAP, Kerberos).
    • Strong Credentials: Set strong, unique passwords for all Cassandra users, especially the administrator account.
    • Network Segmentation: Restrict access to port 9042 to only authorized clients and networks using firewalls.

Attack Surface: Unauthenticated JMX Access

  • Description: JMX (Java Management Extensions) provides a management interface for Cassandra. If JMX authentication is disabled or uses default credentials, attackers can gain administrative control.
  • Cassandra Contribution: Cassandra exposes JMX for monitoring and management. Default configurations might have JMX authentication disabled or use weak default credentials.
  • Example: An attacker accesses the JMX port (7199) without authentication and uses JMX tools to execute arbitrary code on the Cassandra server, taking complete control.
  • Impact: Remote code execution, complete server compromise, data breach, denial of service, cluster instability.
  • Risk Severity: Critical
  • Mitigation Strategies:
    • Enable JMX Authentication and Authorization: Always enable JMX authentication and authorization. Configure strong credentials for JMX users.
    • Restrict JMX Access: Limit network access to the JMX port (7199) to only authorized management systems and administrators using firewalls.
    • Change Default JMX Credentials: If default JMX credentials are used, change them immediately to strong, unique passwords.
    • Disable Remote JMX (If Possible): If remote JMX access is not required, disable it entirely.

Attack Surface: Gossip Protocol Exploitation

  • Description: Cassandra's gossip protocol (port 7000/7001) is used for inter-node communication. Exploitation can involve spoofing gossip messages or eavesdropping on unencrypted traffic.
  • Cassandra Contribution: Cassandra relies on gossip for cluster management. By default, gossip communication is unencrypted and might be vulnerable on compromised networks.
  • Example: An attacker on the same network segment injects malicious gossip messages, causing nodes to become isolated or corrupting cluster metadata, leading to denial of service.
  • Impact: Cluster instability, data corruption, denial of service, information disclosure (cluster metadata).
  • Risk Severity: High
  • Mitigation Strategies:
    • Enable Gossip Encryption: Configure Cassandra to encrypt gossip communication using SSL/TLS to protect inter-node traffic.
    • Network Segmentation and Isolation: Isolate the Cassandra cluster network segment to limit attacker access to gossip ports.
    • Network Intrusion Detection/Prevention Systems (IDS/IPS): Implement network-based IDS/IPS to detect and potentially block malicious gossip traffic.

Attack Surface: Default Credentials

  • Description: Using default credentials for Cassandra administrative users (e.g., cassandra/cassandra) allows immediate unauthorized access.
  • Cassandra Contribution: Cassandra, like many systems, has default administrative credentials set during initial installation, which must be changed.
  • Example: An attacker attempts to log in to Cassandra using default credentials and gains administrative access, allowing them to manipulate data or shut down the cluster.
  • Impact: Complete administrative access, data breach, data manipulation, denial of service, full system compromise.
  • Risk Severity: Critical
  • Mitigation Strategies:
    • Change Default Credentials Immediately: Change all default Cassandra credentials (administrator and any other default users) during initial setup.
    • Password Management Policies: Enforce strong password policies for all Cassandra users, including complexity requirements.

Attack Surface: Unsecured Backups

  • Description: If Cassandra backups are not properly secured, they can become a target for attackers, leading to data breaches.
  • Cassandra Contribution: Cassandra's backup mechanisms create copies of data that, if not protected, expose the data outside of active database security controls.
  • Example: Backups are stored in an unencrypted cloud storage bucket with weak access controls. An attacker gains access and downloads sensitive Cassandra data.
  • Impact: Data breach, exposure of sensitive information, compliance violations.
  • Risk Severity: High
  • Mitigation Strategies:
    • Encrypt Backups: Encrypt Cassandra backups at rest using strong encryption algorithms.
    • Secure Backup Storage: Store backups in secure locations with strong access controls, limiting access to authorized personnel and systems.
    • Regular Backup Security Audits: Periodically review backup storage security configurations and access controls.

Attack Surface: Exposed Management Interfaces (JMX)

  • Description: Exposing management interfaces like JMX to untrusted networks without proper authentication and authorization allows attackers to manage and potentially compromise Cassandra.
  • Cassandra Contribution: Cassandra provides JMX for administrative tasks. If JMX is accessible remotely without security, it becomes an attack vector.
  • Example: JMX is accessible remotely without authentication. An attacker uses JMX to execute arbitrary code on the Cassandra server.
  • Impact: Denial of service, data corruption, cluster instability, remote code execution.
  • Risk Severity: High
  • Mitigation Strategies:
    • Restrict Access to Management Interfaces: Limit network access to the JMX port to only authorized administrators and management systems from trusted networks. Use firewalls and network segmentation.
    • Enable Authentication and Authorization for JMX: Enable and enforce strong authentication and authorization for JMX.
    • Consider Dedicated Management Network: For highly sensitive environments, consider using a dedicated, isolated management network for accessing Cassandra management interfaces.