Thousands of servers running etcd are exposing user credentials publicly on the Internet.
According to security researcher Giovanni Collazo, a quick query made through the Shodan search engine[1] revealed a total of 2,284 etcd servers which are leaking credentials, including the passwords and keys required for cms_admin, mysql_root, and postgres server infrastructure.
In a blog post[2], Collazo said at least 750mb of leaked data is available online.
Etcd[3] is a type of database that stores data across a cluster of machines. The open-source system is able to store the credentials required for different servers and applications, and because apps can read and write data into the management system, reconfiguration across servers and networks becomes a more streamlined process.
Before etcd version 2.1[4], the software was a completely open system and anyone with access to the API could change keys. This feature is now off by default, but lax security practices remain.
To verify his findings, Collazo wrote a simple script which called the etcd API and requested the download of all keys which were publicly available.
The script, "GET http://<ip address>:2379/v2/keys/?recursive=true", revealed that out of the 2,284 servers found on the open Internet, keys were exposed in the case of at least 1,485 of them.
However, this does not mean that the remaining servers do not expose credentials; rather, the security researcher chose to stop once he reached the 750mb mark.
Several basic searches then revealed that "passwords for databases of all kinds, AWS secret keys, and API keys and secrets for a bunch of services," were included in the leak.
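For operators checking their own cluster, the same kind of basic search can be run over a saved response from the v2 keys endpoint to list which credential-like keys an unauthenticated client could read. The following is an added example, not Collazo's script; the sample response is constructed and the key-name patterns are assumptions to be tuned to your own naming scheme.

```python
import json
import re

# Constructed sample shaped like an etcd v2 "GET /v2/keys/?recursive=true" response.
SAMPLE_RESPONSE = json.dumps({
    "action": "get",
    "node": {
        "key": "/", "dir": True, "nodes": [
            {"key": "/config", "dir": True, "nodes": [
                {"key": "/config/mysql_root_password", "value": "EXAMPLE-not-a-real-password"},
                {"key": "/config/log_level", "value": "info"},
            ]},
            {"key": "/services", "dir": True, "nodes": [
                {"key": "/services/billing/aws_secret_access_key", "value": "EXAMPLE-not-a-real-key"},
                {"key": "/services/billing/region", "value": "us-east-1"},
                {"key": "/services/empty", "dir": True},  # empty directory, no "nodes" field
            ]},
        ],
    },
})

# Key-name hints are assumptions chosen for this example, not an etcd convention.
SECRET_HINT = re.compile(r"pass(word|wd)?|secret|token|api[_-]?key|private[_-]?key", re.I)


def iter_leaves(node):
    """Yield (key, value) for every non-directory node in a v2 node tree."""
    if node.get("dir"):
        for child in node.get("nodes", []):
            yield from iter_leaves(child)
    else:
        yield node.get("key", ""), node.get("value", "")


def audit(response_text):
    """Return sorted key paths whose last segment suggests a credential.

    Values are deliberately not returned, so the report itself leaks nothing.
    """
    root = json.loads(response_text).get("node", {})
    return sorted(k for k, _ in iter_leaves(root)
                  if SECRET_HINT.search(k.rsplit("/", 1)[-1]))


if __name__ == "__main__":
    for key in audit(SAMPLE_RESPONSE):
        print("credential-like key readable without auth:", key)
```

Any key this reports from a response obtained without credentials points to a secret that should be rotated and an endpoint that needs authentication and network restrictions.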
In total, 8781 passwords, 650 AWS secret keys, 23 secret