OpenSearch Dashboard Default Login Scanner
This scanner detects the use of OpenSearch Dashboard in digital assets. It checks for the presence of default credentials, highlighting a potential security misconfiguration.
Short Info
Level
Single Scan: Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 29 days 2 hours
Scan only one: Domain, Subdomain, IPv4
Toolbox: -
OpenSearch Dashboard is a community-driven, open-source search and analytics suite widely used for real-time data visualization and monitoring. It is typically deployed within organizations to facilitate data exploration and analysis through a visually interactive interface. Admins and developers utilize this tool to create and share dynamic dashboards for business intelligence purposes. However, when the default credentials are retained, it opens a potential security loophole. To ensure a secure deployment, it is essential for users to change the default credentials. This scanner operates to identify instances where the default credentials are in use, aiming to assist administrators in tightening security.
Default Login Detection in OpenSearch Dashboard identifies occurrences where the default 'admin:admin' credentials have not been altered. This vulnerability can greatly increase the risk of unauthorized access, providing attackers with an entry point to exploit the system's capabilities. While convenient during initial setup or testing phases, retaining default credentials in production environments constitutes poor security practice. By identifying these instances, the scanner highlights potential weaknesses in the security configuration. It enables quick remediation before any breach can occur. Overall, this provides a safeguard against unauthorized data access.
Detection works by sending a POST request to the '/auth/login' endpoint of OpenSearch Dashboard with the default credentials and checking the server's response to determine whether the login succeeded. Key indicators of a valid login are the status code 200 and specific JSON elements such as 'username' and 'roles'. Additionally, a content type of 'application/json' confirms a valid API response. Evaluating these indicators together lets the scanner accurately assert the presence of default credentials. Any identified case signals an immediate need to change the credentials.
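The response check described above, written out as an added example (not the scanner's own code) that an administrator could run against an instance they operate. The JSON request body, the `osd-xsrf` header, the function names and the sample responses are assumptions made for this example; the page specifies only the endpoint, the credentials and the response indicators.

```python
import json
import urllib.error
import urllib.request

DEFAULT_USER, DEFAULT_PASS = "admin", "admin"  # default pair named on this page


def login_succeeded(status, content_type, body):
    """True only when all three indicators hold: 200, JSON type, 'username' and 'roles'."""
    if status != 200:
        return False
    # Compare the media type only, ignoring parameters such as "; charset=utf-8".
    media_type = (content_type or "").split(";")[0].strip().lower()
    if media_type != "application/json":
        return False
    try:
        doc = json.loads(body)
    except (TypeError, ValueError):
        return False  # a 200 that is not parseable JSON is not a successful API login
    return isinstance(doc, dict) and "username" in doc and "roles" in doc


def check_own_instance(base_url, timeout=10):
    """Send one login attempt to an instance you administer and classify the reply.
    Assumption: JSON body plus osd-xsrf header; the page does not give the request format."""
    payload = json.dumps({"username": DEFAULT_USER, "password": DEFAULT_PASS}).encode()
    req = urllib.request.Request(
        base_url.rstrip("/") + "/auth/login", data=payload, method="POST",
        headers={"Content-Type": "application/json", "osd-xsrf": "true"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return login_succeeded(resp.status, resp.headers.get("Content-Type"), resp.read())
    except urllib.error.HTTPError:
        return False  # 401 and similar: default pair rejected; connection errors still raise


SAMPLES = {  # constructed responses for illustration, not captured from a real server
    "default_creds_accepted": (200, "application/json; charset=utf-8",
                               '{"username":"admin","roles":["all_access"]}'),
    "rejected": (401, "application/json", '{"statusCode":401,"error":"Unauthorized"}'),
    "html_login_page": (200, "text/html", "<html>login</html>"),
    "json_without_roles": (200, "application/json", '{"username":"admin"}'),
}


def classify_samples():
    return {name: login_succeeded(*resp) for name, resp in SAMPLES.items()}
```

Requiring all three indicators keeps a 200 HTML login page or a partial JSON reply from being reported as a finding, and an unreachable host raises instead of being reported as safe.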
Possible effects of this vulnerability, if exploited, include unauthorized data access in which attackers can query, analyze, and manipulate data within the OpenSearch Dashboard. Given its broad analytical capabilities, this could lead to data theft, alteration, or even complete control of the data passing to unauthorized actors. Attackers who gain access might also cause data leaks or corruption, affecting business decisions that rely on accurate data. Besides threats to data, other risks include changes to dashboard settings, loading of malicious data, or use of the dashboard as a pivot point for broader network access. In the worst-case scenario, attackers could leverage these weaknesses to establish a persistent presence in the network.