The security footgun in etcd

Profile image of Mattias Geniar

Mattias Geniar, March 19, 2018

Follow me on Twitter as @mattiasgeniar

Etcd is yet another highly critical piece of infrastructure that had authentication disabled by default.

I guess I’ll add this one to the list of unauthenticated, unfirewalled protocols.

“etcd before 2.1 was a completely open system; anyone with access to the API could change keys. In order to preserve backward compatibility and upgradability, this feature is off by default.”


Yes. The same thing, etcd has an authentication mechanism which is disabled by default and it also has a very nice RESTful API as it’s main interface, what could go wrong right. People are smart and they will keep their etcd services from leaking to the open internet.


Source: The security footgun in etcd – elweb