Added ELK cloud-azure plugin

ElasticSearch.Azure.plugin.txt

@@ -0,0 +1,101 @@
+          ===============================
+                   - Advisory -
+          ===============================
+
+  Tittle:   ElasticSearch cloud-azure plugin - Indexes content transmitted in cleartext
+    Risk:   Medium/Low
+    Date:   16.Sept.2015
+  Author:   Pedro Andujar
+ Twitter:   @pandujar
+
+
+.: [ INTRO ] :.
+
+Elasticsearch is a search server based on Lucene. It provides a distributed, multitenant-capable full-text 
+search engine with a RESTful web interface and schema-free JSON documents. Elasticsearch is developed in 
+Java and is released as open source under the terms of the Apache License.
+
+ElasticSearch comes with Snapshot and Restore capabilities to use as backup. Cloud-azure plugin enables ELK 
+to store the indexes snapshots into Azure blobs. Affected versions: ElasticSearch 1.7.2 and prior. 
+
+
+.: [ TECHNICAL DESCRIPTION ] :.
+
+Azure recommendation:
+"The Microsoft Azure storage services support both HTTP and HTTPS; however, using HTTPS is highly recommended."
+
+Insecure Client Implementation:
+The connection string for ELK cloud-azure plugin contains hardcoded http url with the lack of encryption and 
+certificate validation, therefore its prone to sniffing and MiTM attacks. A potential attacker with the required
+access to the network traffic would be able to intercept the content of the indexes snapshots.
+
+It's a good thing that Azure uses SharedKey authentication, so the account key is not sent directly through
+http traffic, instead it sends hmac-sha256 signature of the http headers (using the account key) for each
+request. 
+
+Affected Src:
+elasticsearch/plugins/cloud-azure/src/main/java/org/elasticsearch/cloud/azure/storage/AzureStorageServiceImpl.java
+
+    @Inject
+    public AzureStorageServiceImpl(Settings settings) {
+        super(settings);
+        // We try to load storage API settings from `cloud.azure.`
+        account = settings.get(ACCOUNT);
+        key = settings.get(KEY);
+        blob = "http://" + account + ".blob.core.windows.net/";
+
+        try {
+            if (account != null) {
+                logger.trace("creating new Azure storage client using account [{}], key [{}], blob [{}]", account, key, blob);
+
+                String storageConnectionString =
+                        "DefaultEndpointsProtocol=http;"
+                                + "AccountName="+ account +";"
+                                + "AccountKey=" + key;
+
+                // Retrieve storage account from connection-string.
+                CloudStorageAccount storageAccount = CloudStorageAccount.parse(storageConnectionString);
+
+
+
+
+.: [ CHANGELOG ] :.
+
+  * 10/Sept/2015:   - Security at Elastic contacted.
+  * 10/Sept/2015:   - Security at Elastic ack.
+  * 12/Sept/2015:   - Elastic replies confirming they plan to fix. But is under their risk threshold 
+		      to be considered a vulnerability. 
+  * 15/Sept/2015:   - Quick workarround: https://github.com/elastic/elasticsearch/pull/13573
+  * 16/Sept/2015:   - Authorized to disclose.
+
+
+.: [ SOLUTIONS ] :.
+
+Apply the following quickfix:
+https://github.com/elastic/elasticsearch/pull/13573
+
+Consider changing your account name and key. 
+Evaluate possible indirect impact due to stored information.
+
+
+.: [ REFERENCES ] :.
+
+   [+] CWE-319: Cleartext Transmission of Sensitive Information
+    https://cwe.mitre.org/data/definitions/319.html
+
+   [+] OWASP 2010-A9-Insufficient Transport Layer Protection
+    https://www.owasp.org/index.php/Top_10_2010-A9-Insufficient_Transport_Layer_Protection
+
+   [+] ELK Security
+    https://www.elastic.co/community/security
+
+   [+] Azure SharedKey Auth
+    https://msdn.microsoft.com/en-us/library/azure/dd179428.aspx
+
+   [+] !dSR - Digital Security Research
+    http://www.digitalsec.net/
+
+
+
+
+                    -=EOF=-