Zone Transfer in Cassandra
How Zone Transfer Manifests in Cassandra
In Cassandra, "zone transfer" refers to the unintended exposure of internal cluster topology and configuration data, analogous to a DNS zone transfer but read from the database's system tables rather than a name server. It occurs when an unauthenticated client can query Cassandra's system keyspaces to enumerate nodes, data centers, rack assignments, host IDs and IP addresses. The primary sources are the system.local table (the node you are connected to) and system.peers (every other node it knows about); Cassandra 4.0 added system.peers_v2 with the same information plus per-node ports. If the native transport (port 9042 by default) is reachable and the node still runs the shipped default authenticator: AllowAllAuthenticator, any client can execute CQL queries and map the cluster's infrastructure.
A specific attack pattern connects to an unauthenticated Cassandra endpoint and runs:

    cqlsh <target-ip> 9042 -e "SELECT data_center, rack, host_id, rpc_address FROM system.peers;"

This returns every peer node the contacted node knows about, with its data center, rack, host ID and RPC address. For multi-region deployments it reveals the geographic distribution of the cluster. Another pattern queries system.local for the cluster name and partitioner:

    SELECT cluster_name, partitioner FROM system.local;

Cassandra's system_schema keyspace also exposes keyspace, table and column definitions, which helps an attacker plan data exfiltration. These queries succeed when cassandra.yaml carries the shipped default authenticator: AllowAllAuthenticator and firewall rules permit external access to port 9042; both conditions must hold, and the second is common because rpc_address: 0.0.0.0 binds the native transport to every interface. Every Cassandra driver performs the same reads of system.local and system.peers on connect to discover the cluster, which is why those tables cannot simply be hidden from clients. The gossip protocol (storage_port 7000, ssl_storage_port 7001) also carries node information if not firewalled, though it is binary and not queryable with CQL.
Cassandra-Specific Detection with middleBrick
middleBrick's unauthenticated black-box scanner detects this exposure by testing the Cassandra native transport port (9042) for unauthenticated access and then reading system tables. The scanner's Authentication and Data Exposure checks run in parallel, but the probe itself is sequential: it first sends the native protocol's STARTUP message; if the node answers READY rather than AUTHENTICATE, the handshake has succeeded without credentials, and the scanner then sends CQL queries to read system.peers and system.local. A non-empty result set is reported as a topology leak.
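The handshake step described above, as an added example (not middleBrick's code): a small Python probe that speaks enough of the CQL native protocol v4 to send STARTUP and classify the reply. READY means the node accepts queries with no credentials; AUTHENTICATE names the authenticator class the server will demand; ERROR usually means a protocol-version mismatch. The sample replies at the bottom are constructed, not captured traffic, and the host, port and stream id are placeholders.

```python
"""Probe whether a Cassandra native-transport port accepts a STARTUP
handshake without credentials (CQL native protocol v4).

Added example for this page; not middleBrick's code. The frame layout
follows the public CQL binary protocol spec: a 9-byte header
(version, flags, stream, opcode, length) followed by the body."""
import socket
import struct
import sys

PROTOCOL_VERSION = 0x04   # request version byte; responses set the high bit (0x84)
OP_ERROR, OP_STARTUP, OP_READY, OP_AUTHENTICATE = 0x00, 0x01, 0x02, 0x03


def encode_string(s: str) -> bytes:
    """[short length][UTF-8 bytes]: the protocol's <string> type."""
    data = s.encode("utf-8")
    return struct.pack(">H", len(data)) + data


def build_startup_frame(stream: int = 1) -> bytes:
    """STARTUP with the mandatory CQL_VERSION option; the first message a client sends."""
    body = struct.pack(">H", 1) + encode_string("CQL_VERSION") + encode_string("3.0.0")
    header = struct.pack(">BBhBi", PROTOCOL_VERSION, 0, stream, OP_STARTUP, len(body))
    return header + body


def build_response_frame(opcode: int, body: bytes = b"", stream: int = 1) -> bytes:
    """Server-side frame builder, used here only to construct sample responses."""
    return struct.pack(">BBhBi", PROTOCOL_VERSION | 0x80, 0, stream, opcode, len(body)) + body


def classify_startup_response(frame: bytes) -> str:
    """Map the server's reply to STARTUP onto an exposure verdict."""
    if len(frame) < 9:
        raise ValueError("short frame")
    version, _flags, _stream, opcode, length = struct.unpack(">BBhBi", frame[:9])
    if not version & 0x80:
        raise ValueError("not a response frame")
    body = frame[9:9 + length]
    if len(body) != length:
        raise ValueError("truncated body")
    if opcode == OP_READY:
        # READY straight after STARTUP means AllowAllAuthenticator: no credentials needed.
        return "unauthenticated"
    if opcode == OP_AUTHENTICATE:
        # Body is the authenticator class name the server wants the client to satisfy.
        (n,) = struct.unpack(">H", body[:2])
        return "auth-required:" + body[2:2 + n].decode("utf-8")
    if opcode == OP_ERROR:
        # Body: [int code][string message], e.g. code 10 for an unsupported protocol version.
        code, n = struct.unpack(">iH", body[:6])
        return f"error:{code}:{body[6:6 + n].decode('utf-8')}"
    return f"unexpected-opcode:{opcode:#x}"


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-frame")
        buf += chunk
    return buf


def probe(host: str, port: int = 9042, timeout: float = 5.0) -> str:
    """Send STARTUP to a live node and classify the answer (needs network access)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_startup_frame())
        header = _recv_exact(sock, 9)
        (length,) = struct.unpack(">i", header[5:9])
        return classify_startup_response(header + _recv_exact(sock, length))


# Constructed sample replies (not captured traffic) so the classifier runs offline.
SAMPLE_READY = build_response_frame(OP_READY)
SAMPLE_AUTHENTICATE = build_response_frame(
    OP_AUTHENTICATE, encode_string("org.apache.cassandra.auth.PasswordAuthenticator"))

if __name__ == "__main__":
    if len(sys.argv) > 1:   # usage: probe.py <host> [port]; host is a placeholder you supply
        print(probe(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 9042))
    else:
        print(classify_startup_response(SAMPLE_READY))          # unauthenticated
        print(classify_startup_response(SAMPLE_AUTHENTICATE))   # auth-required:org.apache.cassandra.auth.PasswordAuthenticator
```

An "unauthenticated" verdict is the precondition for the system.peers read in the text; an "auth-required" verdict still tells you which authenticator is deployed, which is itself worth recording in a scan report.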
For example, a scan of an exposed Cassandra endpoint returns:
- Authentication Check: Failure — no credentials required.
- Data Exposure Check: High severity finding — "Unauthenticated access to system.peers reveals cluster topology."
The report includes the exact rows retrieved (with IPs anonymized) and a severity score impact. middleBrick also cross-references any provided OpenAPI/Swagger spec; if the API documents a Cassandra-backed service but the runtime endpoint is unauthenticated, it flags a configuration mismatch. This is unique to Cassandra because its system tables are standardized across versions, allowing reliable detection without schema knowledge.
To scan manually, use the CLI:

    middlebrick scan cassandra.example.com:9042

The JSON output includes a data_exposure.severity field with details. In the web dashboard, this appears as a drop in the "Data Exposure" category score, with remediation guidance specific to Cassandra.
Cassandra-Specific Remediation
Remediation requires securing both network access and Cassandra's authentication layer. middleBrick provides guidance mapped to Cassandra's native features, not generic advice.
1. Enable Authentication: Set authenticator: PasswordAuthenticator in cassandra.yaml, and set authorizer: CassandraAuthorizer at the same time, because the default AllowAllAuthorizer ignores every GRANT and REVOKE; PasswordAuthenticator also needs role_manager: CassandraRoleManager, which is the default. Credentials live in the system_auth keyspace, whose shipped replication factor is 1, so raise it to cover every data center before the rolling restart or logins can fail whenever that single replica is down. Enabling PasswordAuthenticator creates a superuser named cassandra with the password cassandra: log in with it once, create your own superuser, and change or drop the default. Then create a dedicated monitoring role with least privilege:

    CREATE ROLE monitor_user WITH PASSWORD = 'strong_password' AND LOGIN = true;
    -- system.local and system.peers are readable by every role that can log in,
    -- so no grant is needed for topology reads; grant only application data.
    GRANT SELECT ON KEYSPACE app TO monitor_user;   -- 'app' stands for your keyspace

Never use AllowAllAuthenticator in production. Apache Cassandra ships no LDAP authenticator; LDAP/Active Directory integration requires a third-party IAuthenticator implementation (or DataStax Enterprise's), plugged in through the same authenticator: setting, with CassandraAuthorizer role permissions applied on top.
2. Network Segmentation: Bind the native transport to an internal interface. rpc_address is the address the native transport listens on; rpc_address: 0.0.0.0 (listen on every interface, which then also requires broadcast_rpc_address) is the setting that exposes it on a host with a public address. In cassandra.yaml:

    rpc_address: 10.0.1.100           # Internal IP only
    broadcast_rpc_address: 10.0.1.100

Use firewall rules (e.g., iptables or security groups) to restrict port 9042 to application servers and admin networks. Example iptables rules; keep the order, since -A appends and the first matching rule wins:

    iptables -A INPUT -p tcp --dport 9042 -s 10.0.0.0/16 -j ACCEPT
    iptables -A INPUT -p tcp --dport 9042 -j DROP

3. Limit Data Access per Role: Cassandra has no PUBLIC role, and system.local, system.peers and the system_schema tables stay readable to every role that can log in, because drivers read them for cluster discovery; no REVOKE hides topology from an authenticated client. What CassandraAuthorizer does control is application data, so give each credential only the keyspaces it needs, which bounds what a leaked password exposes:

    CREATE ROLE readonly;
    GRANT SELECT ON ALL KEYSPACES TO readonly;   -- broad; GRANT SELECT ON KEYSPACE <name> is tighter
    GRANT readonly TO monitor_user;

4. Gossip Protocol Security: Ensure ports 7000 (storage_port, plaintext) and 7001 (ssl_storage_port) are reachable only from other cluster nodes, and set server_encryption_options.internode_encryption: all so gossip and replication traffic between nodes is encrypted and mutually authenticated. On nodes that should never serve clients, set start_native_transport: false; this disables CQL on that node entirely, so it is not an option for nodes that applications connect to.
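To check the cassandra.yaml side of steps 1, 2 and 4 before re-scanning, here is an added example (not middleBrick's or Cassandra's code) that audits the top-level settings of a cassandra.yaml against the defaults Apache Cassandra ships with. The two sample files are constructed, not real deployments; the audit reads only column-0 keys, so nested blocks such as server_encryption_options are outside its scope.

```python
"""Audit the top-level settings of a cassandra.yaml against the hardening
steps on this page. Added example (not middleBrick's or Cassandra's code);
the sample files below are constructed, not taken from real deployments."""
import re
from typing import Dict, List

# Shipped defaults of the settings that matter here (Apache Cassandra).
DEFAULTS = {
    "authenticator": "AllowAllAuthenticator",
    "authorizer": "AllowAllAuthorizer",
    "role_manager": "CassandraRoleManager",
    "rpc_address": "localhost",
    "start_native_transport": "true",
}
# Values the hardening steps call for.
WANTED = {
    "authenticator": "PasswordAuthenticator",
    "authorizer": "CassandraAuthorizer",
    "role_manager": "CassandraRoleManager",
}
WILDCARD_BINDS = {"0.0.0.0", "::"}


def parse_top_level(yaml_text: str) -> Dict[str, str]:
    """Read `key: value` lines at column 0. Comments and indented (nested)
    entries are skipped, which avoids a YAML dependency but also means
    nested settings are not audited by this script."""
    settings: Dict[str, str] = {}
    for raw in yaml_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line or line[0].isspace():
            continue
        m = re.match(r"^([A-Za-z_][A-Za-z0-9_]*):\s*(.*)$", line)
        if m:
            settings[m.group(1)] = m.group(2).strip().strip("'\"")
    return settings


def audit(yaml_text: str) -> List[str]:
    """Return one finding per setting that leaves the native transport open."""
    settings = parse_top_level(yaml_text)

    def value(key: str) -> str:
        # A missing key means Cassandra uses its shipped default.
        return settings.get(key, DEFAULTS.get(key, ""))

    findings: List[str] = []
    for key, want in WANTED.items():
        got = value(key)
        if got.rsplit(".", 1)[-1] != want:   # accept fully qualified class names too
            findings.append(f"{key}={got} (want {want})")
    if value("start_native_transport").lower() != "false":
        rpc = value("rpc_address")
        if rpc in WILDCARD_BINDS:
            findings.append(f"rpc_address={rpc} exposes port 9042 on every interface")
    return findings


# Constructed sample configs: the weak one matches the defaults plus a
# wildcard bind, the hardened one applies steps 1 and 2 from the text.
WEAK_YAML = """\
cluster_name: 'Test Cluster'
# authenticator: PasswordAuthenticator   (commented out, so the default applies)
authenticator: AllowAllAuthenticator
authorizer: AllowAllAuthorizer
role_manager: CassandraRoleManager
rpc_address: 0.0.0.0
broadcast_rpc_address: 203.0.113.10
native_transport_port: 9042
"""

HARDENED_YAML = """\
cluster_name: 'Test Cluster'
authenticator: PasswordAuthenticator
authorizer: CassandraAuthorizer
role_manager: CassandraRoleManager
rpc_address: 10.0.1.100
broadcast_rpc_address: 10.0.1.100
native_transport_port: 9042
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_YAML), ("hardened", HARDENED_YAML)):
        print(name, audit(text) or "no findings")
```

Run it against /etc/cassandra/cassandra.yaml (the path varies by package) on each node before the re-scan; a clean audit plus the firewall rules above is what turns the Authentication check from fail to pass.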
After applying fixes, re-scan with middleBrick. The Authentication check should now pass, and Data Exposure should show no findings. The risk score will improve accordingly.