Kibana Vulnerabilities Let Attackers Execute Arbitrary Code


Elastic has disclosed two critical vulnerabilities affecting Kibana, the popular data visualization and exploration tool used with Elasticsearch.

These vulnerabilities, CVE-2024-37288 and CVE-2024-37285, allow attackers to execute arbitrary code through YAML deserialization issues.


The flaws have been assigned high severity scores, underscoring the urgency for affected users to take immediate action.

CVE-2024-37288: Exploitation via Amazon Bedrock Connector

The first vulnerability, CVE-2024-37288, specifically impacts Kibana version 8.15.0. It arises from a deserialization flaw in the Amazon Bedrock Connector, one of Elastic Security’s built-in AI tools.

When Kibana attempts to parse a YAML document containing a crafted payload, it can lead to arbitrary code execution.

Affected Users

This vulnerability is particularly concerning for users configuring the Amazon Bedrock connector. The flaw does not affect all Kibana users, but those utilizing this specific integration are at significant risk.

The potential for arbitrary code execution means attackers could gain control over the affected system, leading to data breaches, system compromise, or other malicious activities.

Mitigation Strategies

Elastic has released Kibana version 8.15.1 to address this vulnerability. Users are strongly advised to upgrade to this version to mitigate the risk.

For those unable to upgrade immediately, a temporary workaround involves disabling the integration assistant by adding the following line to the kibana.yml configuration file:

xpack.integration_assistant.enabled: false

This measure can help reduce the risk until a full upgrade can be performed. However, it is crucial to prioritize upgrading to the latest version to ensure comprehensive protection.


CVE-2024-37285: Privilege-Dependent Exploitation

The second vulnerability, CVE-2024-37285, affects a broader range of Kibana versions, from 8.10.0 to 8.15.0. Similar to the first issue, this vulnerability also involves YAML deserialization, but it requires a more specific set of conditions for exploitation.

Exploitation Requirements

To successfully exploit CVE-2024-37285, an attacker must possess a combination of specific Elasticsearch indices privileges and Kibana privileges. The required Elasticsearch indices permissions include:

  • Write privilege on the system indices .kibana_ingest*
  • The allow_restricted_indices flag set to true on that index privilege

Additionally, attackers need any of the following Kibana privileges:

  • Under Fleet, the “All” privilege
  • Under Integration, the “Read” or “All” privilege
  • Access to the fleet-setup privilege via the Fleet Server’s service account token

These prerequisites mean that only users with specific configurations and privilege levels are vulnerable, but the potential impact remains severe.
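To turn the two sets of conditions above (the kibana.yml workaround for CVE-2024-37288 and the Elasticsearch index-privilege precondition for CVE-2024-37285) into something an operator can check, here is an added audit script that is not part of the article or of Elastic's tooling. It assumes role definitions in the shape returned by Elasticsearch's role API (an "indices" list with "names", "privileges" and "allow_restricted_indices"), treats the "all" index privilege as implying write, and uses constructed sample input.

```python
import re
from fnmatch import fnmatch

FIXED = (8, 15, 1)  # the article names 8.15.1 as the fix for both CVEs

def parse_version(v: str) -> tuple:
    return tuple(int(p) for p in v.split("."))

def workaround_applied(kibana_yml: str) -> bool:
    """True if kibana.yml sets xpack.integration_assistant.enabled: false."""
    for raw in kibana_yml.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop YAML comments
        m = re.match(r"xpack\.integration_assistant\.enabled\s*:\s*(\S+)", line)
        if m:
            return m.group(1).strip("\"'").lower() == "false"
    return False

def assess_version(version: str, kibana_yml: str = "") -> list:
    """Map a Kibana version to the CVEs described in the article."""
    v = parse_version(version)
    findings = []
    if v == (8, 15, 0):  # CVE-2024-37288 affects 8.15.0 only
        state = "workaround present" if workaround_applied(kibana_yml) else "no workaround"
        findings.append(f"CVE-2024-37288 ({state})")
    if (8, 10, 0) <= v <= (8, 15, 0):  # CVE-2024-37285 affects 8.10.0 through 8.15.0
        findings.append("CVE-2024-37285")
    return findings

def risky_es_roles(roles: dict) -> list:
    """Roles whose index privileges meet the CVE-2024-37285 precondition:
    write-capable access to .kibana_ingest* with allow_restricted_indices set.
    Assumption: the 'all' index privilege counts as write-capable."""
    flagged = []
    for name, role in roles.items():
        for idx in role.get("indices", []):
            hits_ingest = any(fnmatch(".kibana_ingest", pat) for pat in idx.get("names", []))
            writable = bool(set(idx.get("privileges", [])) & {"write", "all"})
            if hits_ingest and writable and idx.get("allow_restricted_indices", False):
                flagged.append(name)
                break
    return sorted(flagged)

# Constructed sample input (not taken from the article)
SAMPLE_YML = "server.port: 5601\nxpack.integration_assistant.enabled: false  # workaround\n"
SAMPLE_ROLES = {
    "fleet_ingest_writer": {"indices": [{"names": [".kibana_ingest*"], "privileges": ["write"], "allow_restricted_indices": True}]},
    "readonly_viewer": {"indices": [{"names": ["logs-*"], "privileges": ["read"]}]},
    "broad_but_not_restricted": {"indices": [{"names": ["*"], "privileges": ["all"], "allow_restricted_indices": False}]},
}

if __name__ == "__main__":
    print(assess_version("8.15.0", SAMPLE_YML))  # both CVEs, workaround present
    print(risky_es_roles(SAMPLE_ROLES))  # ['fleet_ingest_writer']
```

A role flagged here only satisfies the Elasticsearch half of the precondition; the Kibana-side Fleet or Integrations privileges listed above still need to be reviewed separately.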

Recommended Actions

As with the first vulnerability, upgrading to Kibana version 8.15.1 is recommended. This update addresses the deserialization issue and enhances overall security.

Given the complexity of the required privileges for exploitation, organizations should also review and tighten their privilege configurations to minimize exposure.

Severity and Impact

Both vulnerabilities have been rated as critical, reflecting their potential to cause significant harm. CVE-2024-37288 has a CVSS v3.1 score of 9.9, while CVE-2024-37285 is rated at 9.1.

These scores indicate a high likelihood of exploitation and severe consequences, including impacts on confidentiality, integrity, and availability. Organizations using affected versions of Kibana should act swiftly to implement the recommended updates and mitigations.

The potential for arbitrary code execution means that attackers could execute malicious code, leading to unauthorized access, data theft, or disruption of services.

The disclosure of these critical vulnerabilities in Kibana highlights the importance of maintaining up-to-date software and regularly reviewing security configurations.

While Elastic has provided solutions and mitigations, users ultimately have the responsibility to ensure their systems are protected. In an era of increasingly sophisticated cyber threats, staying informed about vulnerabilities and promptly applying patches is crucial.

Organizations should also consider implementing additional security measures, such as network segmentation and intrusion detection systems, to safeguard their environments further.
