Thousands of servers running etcd are exposing user credentials publicly on the Internet.
According to security researcher Giovanni Collazo, a quick Shodan search turned up 2,284 etcd servers reachable from the Internet with no authentication, leaking credentials stored under keys with names such as cms_admin, mysql_root and postgres.
In a blog post, Collazo said he collected at least 750MB of leaked data before stopping.
Etcd is an open-source distributed key-value store used for shared configuration and service discovery; it is, for example, the backing store for Kubernetes cluster state. Applications read and write configuration through its HTTP API, so a change made in one place propagates to every server that reads it, which makes it a convenient place to keep database passwords, API keys and other secrets.
Before etcd version 2.1 there was no access control at all: anyone who could reach the API could read and change keys. Version 2.1 added authentication, but it is disabled by default, so an etcd instance that is exposed to the Internet without the operator explicitly turning it on behaves exactly like the pre-2.1 open system.
To verify his findings, Collazo wrote a simple script that called the etcd API on each host and asked for every key, recursively.
The request, "GET http://< ip address >:2379/v2/keys/?recursive=true" (2379 is etcd's default client port), returned keys from at least 1,485 of the 2,284 servers found on the open Internet.
The remaining servers were not necessarily any better protected; the researcher simply stopped collecting once he had gathered 750MB of data.
A few basic searches over the downloaded data then turned up "passwords for databases of all kinds, AWS secret keys, and API keys and secrets for a bunch of services."
In total, 8,781 passwords, 650 AWS secret keys, 23 secret keys for other services and 8 private keys were available to download.
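The request-and-grep procedure described above, as an added example that is not Collazo's own script: the helper below issues the same recursive v2 `GET`, walks the JSON tree etcd returns (directories carry a `nodes` list, leaves carry a `value`), and classifies leaf values with the kind of patterns used in the write-up. The embedded response is a constructed sample, not leaked data; the AWS identifiers in it are the documented example keys from Amazon's own documentation. Only run `fetch_keys` against hosts you are authorized to test.

```python
import json
import re
import urllib.request

# Constructed sample of a /v2/keys/?recursive=true response (not real leaked data).
SAMPLE_RESPONSE = json.dumps({
    "action": "get",
    "node": {
        "dir": True,
        "nodes": [
            {"key": "/config/mysql_root_password", "value": "1234"},
            {"key": "/config/app/region", "value": "us-east-1"},
            {"dir": True, "key": "/secrets", "nodes": [
                {"key": "/secrets/aws_access_key_id",
                 "value": "AKIAIOSFODNN7EXAMPLE"},            # AWS documentation example key
                {"key": "/secrets/aws_secret_access_key",
                 "value": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"},  # AWS documentation example secret
                {"key": "/secrets/deploy_key",
                 "value": "-----BEGIN RSA PRIVATE KEY-----\nMIIE...\n-----END RSA PRIVATE KEY-----"},
            ]},
        ],
    },
})

PRIVATE_KEY_RE = re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")
AWS_ACCESS_KEY_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
AWS_SECRET_RE = re.compile(r"^[A-Za-z0-9/+=]{40}$")      # 40-char base64-ish secret
PASSWORD_KEY_RE = re.compile(r"pass(word|wd)", re.I)    # match on the key name


def fetch_keys(host, port=2379, timeout=5):
    """Issue the same unauthenticated request the write-up describes (live; not used offline)."""
    url = f"http://{host}:{port}/v2/keys/?recursive=true"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def flatten(node, out=None):
    """Walk the etcd v2 node tree and return a flat list of (key, value) leaves."""
    if out is None:
        out = []
    if node.get("dir"):
        for child in node.get("nodes", []):
            flatten(child, out)
    elif "key" in node:
        out.append((node["key"], node.get("value", "")))
    return out


def classify(key, value):
    """Return a credential category for a leaf, or None if it looks harmless."""
    if PRIVATE_KEY_RE.search(value):
        return "private_key"
    if AWS_ACCESS_KEY_RE.search(value):
        return "aws_access_key"
    if "secret" in key.lower() and AWS_SECRET_RE.match(value):
        return "aws_secret_key"
    if PASSWORD_KEY_RE.search(key) and value:
        return "password"
    return None


def scan_etcd_response(text):
    """Parse a /v2/keys response and return [(category, key), ...] for suspicious leaves."""
    root = json.loads(text)["node"]
    findings = []
    for key, value in flatten(root):
        category = classify(key, str(value))
        if category:
            findings.append((category, key))
    return findings


def summarize(findings):
    """Count findings per category, the way the write-up totals them."""
    counts = {}
    for category, _ in findings:
        counts[category] = counts.get(category, 0) + 1
    return counts


if __name__ == "__main__":
    for category, key in scan_etcd_response(SAMPLE_RESPONSE):
        print(f"{category:15} {key}")
    print(summarize(scan_etcd_response(SAMPLE_RESPONSE)))
```

The value patterns are deliberately loose (a 40-character string under a key containing "secret" is enough to flag an AWS secret), which is the right trade-off for triage: false positives cost a glance, a missed root password costs rather more.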
"I did not test any of the credentials but if I had to guess I would guess that at least a few of them should work and this is the scary part," the researcher says. "Anyone with just a few minutes to spare could end up with a list of hundreds of database credentials which can be used to steal data, or perform ransomware attacks."
Collazo also pointed out that, with authentication disabled, the same API accepts writes, so an attacker is not limited to reading.
"An attacker might use it to change the data in etcd and mess with configuration and even maybe authentication or it could be used to store exfiltrated data from other attacks," the researcher added.
Researcher Troy Mursch told Ars Technica that the findings are valid; after running his own tests, he also found poor practices such as passwords like "1234" stored in etcd.
Collazo recommends that administrators never expose etcd directly to the Internet and change the defaults that let strangers read and write to it: bind the client API to localhost or a private network, put it behind a firewall, and turn on authentication and TLS so that an unauthenticated GET returns nothing.
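The weak and hardened settings side by side, as an added example that is not from the article or the etcd project: a small audit of an etcd server command line. It flags client listeners that are reachable off-host over plaintext or without client certificate authentication. The flag names (`--listen-client-urls`, `--client-cert-auth`, `--cert-file`, `--key-file`, `--trusted-ca-file`) are real etcd flags; the two command lines and file paths are constructed for the example. Note that etcd's username/password authentication is switched on at runtime with `etcdctl auth enable`, which no flag audit can see, so treat a clean result as necessary rather than sufficient.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed command lines: the kind of configuration Collazo found, and a hardened one.
WEAK_ARGV = [
    "--listen-client-urls=http://0.0.0.0:2379",          # every interface, plaintext, no auth
    "--advertise-client-urls=http://203.0.113.10:2379",
]
HARDENED_ARGV = [
    "--listen-client-urls=https://10.0.0.5:2379",        # private address, TLS
    "--cert-file=/etc/etcd/server.crt",                  # hypothetical paths
    "--key-file=/etc/etcd/server.key",
    "--client-cert-auth",                                # clients must present a cert...
    "--trusted-ca-file=/etc/etcd/ca.crt",                # ...signed by this CA
]


def parse_flags(argv):
    """Turn ['--a=b', '--c', 'd', '--e'] into {'a': 'b', 'c': 'd', 'e': True}."""
    flags = {}
    i = 0
    while i < len(argv):
        arg = argv[i]
        if not arg.startswith("--"):
            i += 1
            continue
        name = arg[2:]
        if "=" in name:
            name, value = name.split("=", 1)
        elif i + 1 < len(argv) and not argv[i + 1].startswith("--"):
            value = argv[i + 1]
            i += 1
        else:
            value = True  # bare boolean flag
        flags[name] = value
        i += 1
    return flags


def is_local(url):
    """True for loopback or unix-socket listeners; 0.0.0.0 and :: count as non-local."""
    parts = urlsplit(url)
    if parts.scheme == "unix":
        return True
    host = parts.hostname or ""
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return host == "localhost"


def audit_etcd_flags(argv):
    """Return a list of findings for client listeners reachable from the network."""
    flags = parse_flags(argv)
    cert_auth = flags.get("client-cert-auth") in (True, "true")
    findings = []
    for url in str(flags.get("listen-client-urls", "")).split(","):
        url = url.strip()
        if not url or is_local(url):
            continue
        if urlsplit(url).scheme == "http":
            findings.append(f"{url}: client API served over plaintext HTTP")
        if not cert_auth:
            findings.append(f"{url}: off-host client API without --client-cert-auth")
    return findings


if __name__ == "__main__":
    for label, argv in (("weak", WEAK_ARGV), ("hardened", HARDENED_ARGV)):
        print(label, audit_etcd_flags(argv) or "OK")
```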