google-site-verification: google30a059f9a075f398.html

Thousands of Servers Running etcd Datastore Leaking Credentials Online – Mitigation’s

CyberWisdom Safe Harbor Commentary

I couldn’t believe this story from that looks to thousands of servers running etcd datastore are open to the Internet and publicly open their certificates. Etcd is a database that stores data across clusters of machines and is used by many companies in a protected environment.

According to security researchers, Giovanni Collazo shodan searched for more than 2,200 etcd installations on the Internet, opening certificates for cms_admin, mysql_root, Postgres, and so on.
Etcd binaries are available for OSX, Linux, Windows, rkt, and Docker. Before etcd 2.1, it was completely an open system and anyone who accessed the API could change the key.

Summarizing his findings, Giovanni downloaded the full Shodan report and wrote a simple script to call the etcd API and request all keys.

GET http:// <ip address>:2379 / v2 / keys /? Recursive = true
The script downloads the JSON key file from the server. Giovanni stops the script after the script reaches 750 MB of data and checks the 1,485 scripts from the IP list.

He found a bunch of keys for various databases including AWS keys and API keys. In total, the password 8781, aws_secret_access_key 650, secret_key 23, private_key 8 is extracted.
Giovanni said: “I did not test any certificates, but if I had to guess I would guess that at least a few people should work, this is a terrible part.”

If the etcd server is open to the Internet without any authentication, it allows the attacker to extract hundreds of database passwords and allow backdoors to be installed on the system.

To mitigate attacks, you can add authentication to the server that leads to the Internet, or cut it off the Internet.

Giovanni said that the implementation of remote code is mainly possible “I’m almost certain that attackers can use the same API to write them.” Attackers can mess up configuration by stealing credentials and leaking data.

Read more…

Thousand of servers running etcd is open to the internet and exposing credentials publically. Etcd is a type of database that stores data across a cluster of machines and is used by many companies in protection environments. According to the security researcher, Giovanni Collazo shodan search more than 2,200 etcd installations are open on the Internet Engaging post, Read More…

thumbnail courtesy of

If you like to receive more of these curated safe harbor news alerts then subscribe to my mailing list. and come back soon at to read further CyberWisdom Safe Harbor Commentaries. Home » Curated SafeHarboronCyber’s CyberWisdom Post » Thousands of Servers Running etcd Datastore Leaking Credentials Online – Mitigation’s