API Security Weekly: Issue #9

Vulnerabilities

If you are using Kubernetes, you should install a patch for it as soon as possible. There was a huge privilege escalation vulnerability that got fixed this week. The flaw allows attackers to contact Kubernetes API server using a non-privileged account and then get high-privilege operations forwarded to backend services. Even worse, the calls are not showing up in server audit logs or server logs, making the attack hard to detect.

Abraham Ingersoll from Gravitational published details here:

1. Attacker contacts Kubernetes API server and requests a connection to a backend server over HTTP/2 websockets.
2. API server forwards the request to the backend server.
3. The request is made in a way that it automatically fails.
4. An error is returned to the attacker, but API server leaves open a connection to the backend that is authenticated with high-privilege TLS certificate of the API server itself,
5. The attacker uses the open, authenticated connection to send requests to invoke high-privilege operations. The backend server has no reason to suspect anything out of ordinary but completes the request.

One of the popular security camera systems, NUUO NVRmini2 Network Video Recorder, had a serious API vulnerability reported by Digital Defense. Because string parameters were not checked for their length or sanitized, attackers could craft an overly long GET request, cause stack overflow and execute arbitrary code as root. This way, the attacker can intercept and even replace the video stream from the security cameras.

If you’re using ElasticSearch, you may expose more APIs than you are aware of. Lots of companies have lately had ElasticSearch breaches and their customer records exposed:

• SKY Brasil (32 mln customer records)
• Atrium Health (2.65 mln)
• Urban Massage (300K)
• Brazil’s Federation of Industries of the State of São Paulo — FIESP (millions)
• Data & Leads (83 mln)

The breaches happen because, by default, ElasticSearch is wide open and not secured at all. So, to avoid the breaches:

1. Avoid having your ElasticSearch accessible from the internet at all if you can.
2. Enable (or install for older versions) the X-Pack security module and set secure passwords for all default accounts.

Best Practices

Are you implementing your APIs in Node.js? If so, check out this brilliant list of 23 security best practices.

Kristopher Sandoval from NordicAPIs goes through the possible ways how APIs get hacked and how these could be remediated. His list of attacks includes, for example:

• Reverse engineering
• Spoofing
• Man-in-the-middle
• Session replays
• Social engineering

Tsahi Levent-Levi has posted in TechTarget his 4 steps to securing your APIs. The checklist is, in a nutshell:

1. Authorization
2. Audit trail
3. Data at rest and data in motion
4. Rate limiting

Standards

The free “HTTP/3 explained” ebook from Daniel Stenberg contains some good information on the upcoming HTTP/3 protocol. In this protocol, the encrypted traffic will be based on the QUIC protocol.

Surveys

According to a recent survey by Ping Identity, security and IT professionals seem to have doubts whether the security teams of their companies are up to speed with API security:

• 45% lack confidence in their security team to detect malicious API access
• 51% are not confident their security team is aware of all APIs existing in their organization.

You can subscribe to this newsletter at https://APISecurity.io.