CVE-2014-3120
published 2014-07-28


Priority P189high · CVSS 3.1: 8.1
CVSS vector: AV:N AC:L PR:L UI:N S:U C:H I:H A:N
Tags: KEV · ITW · EXPLOIT · Initial access
CISA Known Exploited Vulnerability (due 2022-04-15)
Exploited in the wild
EPSS: 88.56% (99.8th percentile)
The default configuration in Elasticsearch before 1.2 enables dynamic scripting, which allows remote attackers to execute arbitrary MVEL expressions and Java code via the source parameter to _search. NOTE: this only violates the vendor's intended security policy if the user does not run Elasticsearch in its own independent virtual machine.

Affected

1 range

Vendor    Product         Version range   Fixed in
elastic   elasticsearch   < 1.2.0         1.2.0

Detection & IOCs (extracted from sources)

ip: 45.76.122.92
ip: 207.148.70.143
ip: 216.176.179.106
ip: 104.203.170.1
ip: 101.200.48.68
ip: 117.205.7.194
ip: 107.182.183.206
ip: 124.43.19.159
ip: 139.99.131.57
ip: 179.50.196.228
ip: 185.165.116.144
ip: 189.201.192.242
ip: 191.189.30.112
ip: 192.210.198.50
ip: 195.201.169.194
ip: 216.15.146.34
ip: 43.240.65.121
ip: 45.76.136.196
ip: 45.76.178.34
ip: 52.8.60.118
ip: 54.70.161.251
ip: 139.159.218.82
ip: 202.109.143.110
ip: 125.231.139.75
ip: 36.235.171.244
hash: bbd6839074adea734213cc5e40a0dbb31c4c36df5a5bc1040757d6baec3f8415
hash: e2f1be608c2cece021e68056f2897d88ed855bafd457e07e62533db6dfdc00dc
hash: 191f1126f42b1b94ec248a7bbb60b354f2066b45287cd1bdb23bd39da7002a8c
hash: 2bcc9fff40053ab356ddde6de55077f8bf83d8dfa6d129c250f521eb170dc123
hash: 9a181c6a1748a9cfb46751a2cd2b27e3e742914873de40402b5d40f334d5448c
hash: 5fe3b0ba0680498dbf52fb8f0ffc316f3a4d7e8202b3ec710b2ae63e70c83b90
hash: 7b08a8dae39049aecedd9679301805583a77a4271fddbafa105fa3b1b507baa3
url: http://45.76.122.92:8506/IOFoqIgyC0zmf2UR/uuu.sh
path: /tmp/sssooo
filename: LinuxT
command: echo 'qq952135763'
snort: 33830
snort: 36256
snort: 44690
  • Exploit payloads use java.lang.Runtime.exec() via script_fields to invoke wget and download shell scripts to /tmp; this is detectable by inspecting POST bodies to /_search for Runtime.exec patterns.
  • Malware payloads delivered via CVE-2014-3120 include variants of the Bill Gates DDoS malware and Spike trojan variants (x86, MIPS, ARM); ClamAV detects the hosted files as Spike trojan variants.
  • Attackers run 'whoami' and 'id' through the exploit to fingerprint the server; monitor Elasticsearch logs for these OS command strings in script execution contexts.
  • Persistence is achieved by installing shell scripts as cron jobs; monitor crontab modifications on systems running Elasticsearch.
  • The attacker's RSA key is placed in the authorized_keys file; monitor for unauthorized modifications to ~/.ssh/authorized_keys on Elasticsearch hosts.
  • Delivered ELF payloads are UPX-packed; scan for UPX-packed ELF binaries dropped in /tmp or other world-writable directories on Elasticsearch hosts.
  • Use Snort rules 33830, 36256, and 44690 to detect CVE-2014-3120 exploitation attempts in network traffic.
  • CVE-2014-3120 only affects Elasticsearch versions prior to 1.2, where dynamic scripting is enabled by default. Systems running Elasticsearch 1.2+ or with scripting disabled are not vulnerable.
  • The vulnerability only violates the vendor's intended security policy if Elasticsearch is not run in its own independent virtual machine.
  • Active exploitation has been observed only against Elasticsearch versions 1.4.2 and lower; clusters running modern versions are unaffected.
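The first bullet above says exploitation is detectable by inspecting /_search request bodies for Runtime.exec patterns, and the description notes that the same JSON can arrive in the `source` query parameter. The following is an added example (not part of this CVE record or of any vendor tooling) of a log-side check that covers both carriers: it parses each request aimed at /_search, walks the JSON for `script` entries, and grades the request as clean, a plain dynamic script, or a script that reaches into the JVM runtime. The request samples, the function names and the verdict labels are all constructed for this example; the command string in the malicious samples is a placeholder, not a real payload.

```python
"""Log-side detection of dynamic-script abuse against Elasticsearch /_search
(CVE-2014-3120 pattern). Added example; the sample requests are constructed.
Assumption: each logged request is available as (method, url, body) strings.
"""
import json
import re
from urllib.parse import parse_qs, quote, urlsplit

# Indicators of an MVEL/Java script reaching into the JVM to spawn a process.
RUNTIME_EXEC = re.compile(
    r"java\.lang\.Runtime|getRuntime\s*\(|\.exec\s*\(|ProcessBuilder", re.IGNORECASE
)


def iter_scripts(node, lang=None):
    """Yield (script_text, lang) for every script found anywhere in a parsed body.

    Elasticsearch 1.x accepts a bare string under a 'script' key with an optional
    sibling 'lang'; later forms nest {'inline'/'source': ..., 'lang': ...}.
    """
    if isinstance(node, dict):
        if isinstance(node.get("lang"), str):
            lang = node["lang"]
        for key, value in node.items():
            if key == "script":
                if isinstance(value, str):
                    yield value, lang
                elif isinstance(value, dict):
                    for inner in ("inline", "source"):
                        if isinstance(value.get(inner), str):
                            yield value[inner], value.get("lang", lang)
            yield from iter_scripts(value, lang)
    elif isinstance(node, list):
        for item in node:
            yield from iter_scripts(item, lang)


def search_documents(url, body):
    """Return every JSON document a /_search request carries: the HTTP body and,
    as the CVE description notes, the 'source' query parameter."""
    parts = urlsplit(url)
    if not parts.path.endswith("/_search"):
        return []
    docs = []
    for raw in [body] + parse_qs(parts.query).get("source", []):
        if not raw:
            continue
        try:
            docs.append(json.loads(raw))
        except ValueError:
            continue  # malformed JSON never reaches the script engine
    return docs


def inspect_request(method, url, body=""):
    """Grade one request: 'runtime_exec' if any script touches Runtime/ProcessBuilder,
    'dynamic_script' if any script is present at all, otherwise 'clean'."""
    verdict = "clean"
    for doc in search_documents(url, body):
        for script, _lang in iter_scripts(doc):
            if RUNTIME_EXEC.search(script):
                return "runtime_exec"
            verdict = "dynamic_script"
    return verdict


def scan_log(requests):
    """Apply inspect_request to a sequence of (method, url, body) tuples."""
    return [inspect_request(m, u, b) for m, u, b in requests]


# Constructed sample requests: ordinary search, benign script_field, a body-borne
# runtime script, the same script via the 'source' query parameter, and a non-search op.
SAMPLE_REQUESTS = [
    ("POST", "/logs/_search", '{"query": {"match_all": {}}}'),
    ("POST", "/logs/_search",
     '{"query": {"match_all": {}}, "script_fields": '
     '{"total": {"script": "doc[\'qty\'].value * 2", "lang": "mvel"}}}'),
    ("POST", "/logs/_search",
     '{"size": 1, "query": {"match_all": {}}, "script_fields": '
     '{"x": {"script": "java.lang.Runtime.getRuntime().exec(\\"<command placeholder>\\")"}}}'),
    ("GET", "/_search?source=" + quote(
        '{"script_fields": {"x": {"script": '
        '"java.lang.Runtime.getRuntime().exec(\\"<command placeholder>\\")"}}}'), ""),
    ("PUT", "/logs/doc/1", '{"script": "not a search request"}'),
]

if __name__ == "__main__":
    for (method, url, _), verdict in zip(SAMPLE_REQUESTS, scan_log(SAMPLE_REQUESTS)):
        print(f"{verdict:14s} {method} {url[:60]}")
```

Anything graded `runtime_exec` on a pre-1.2 node deserves the follow-up checks listed above (crontab, ~/.ssh/authorized_keys, UPX-packed ELF files in /tmp). The fix on the host side is the one the version note implies: upgrade to 1.2.0 or later, or set `script.disable_dynamic: true` in elasticsearch.yml on older nodes so that the `dynamic_script` class of request is rejected rather than merely logged.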

CVSS provenance

Source         Version   Score   Severity   Vector
nvd            v3.1      8.1     HIGH       CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
nvd            v2.0      6.8     MEDIUM     AV:N/AC:M/Au:N/C:P/I:P/A:P
vulncheck                8.1     HIGH
cisa                     8.1     HIGH
vendor_redhat            8.1     HIGH