Critical Kibana Vulnerability - Arbitrary Code Execution via YAML Deserialization
Date: September 5, 2024
CVE: CVE-2024-37285
Vulnerability Type: Deserialization of Untrusted Data
CWE: [[CWE-502]]
Sources: Elastic Security Advisory
Synopsis
CVE-2024-37285 impacts Kibana versions 8.10.0 to 8.15.0, where a deserialization flaw allows remote code execution if an attacker injects malicious YAML payloads. This vulnerability requires that an attacker has elevated Elasticsearch and Kibana privileges.
Issue Summary
The vulnerability arises from improper YAML deserialization within Kibana. A malicious actor can craft a YAML payload and execute arbitrary code, provided they have specific Elasticsearch index and Kibana privileges. This issue affects Kibana from versions 8.10.0 through 8.15.0 and is critical due to its ease of exploitation and the potential for widespread impact.
Technical Key Findings
Attackers exploit this flaw by submitting a specially crafted YAML document that Kibana deserializes without proper validation. Once the malicious document is parsed, the embedded code runs on the Kibana server with elevated privileges, enabling arbitrary code execution.
The attacker must have the following Elasticsearch indices permissions:
- `write` access to system indices `.kibana_ingest*`
- The `allow_restricted_indices` flag needs to be set to true

The attacker must also have ANY of the following Kibana privileges:
- Under Fleet the All privilege is granted
- Under Integration the Read or All privilege is granted
- Access to the `fleet-setup` privilege is gained through the Fleet Server's service account token

Vulnerable Products
- Kibana versions 8.10.0 to 8.15.0.
Impact Assessment
Successful exploitation could allow an attacker to execute arbitrary commands, leading to a complete system compromise. This could affect confidentiality, integrity, and availability, making it a high-risk issue for organizations relying on Kibana for data visualization and exploration.
Patches or Workaround
Upgrading to Kibana version 8.15.1 resolves this vulnerability. Additionally, limiting access to Elasticsearch indices and restricting Kibana privileges reduces exposure.
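The two mitigations above (upgrade, and limit the privilege combination the exploit needs) can both be checked from role definitions and version strings. The script below is an added example, not Elastic's code: it reads roles in the shape returned by the Elasticsearch role API, flags any role that combines `write` on `.kibana_ingest*` with `allow_restricted_indices: true` and a Fleet All or Integrations Read/All Kibana privilege, and reports whether a Kibana version falls in the affected range (8.10.0 up to and including 8.15.0, fixed in 8.15.1). The Kibana application-privilege identifiers (`feature_fleetv2.*` for Fleet, `feature_fleet.*` for Integrations) and the sample roles are assumptions constructed for this example; the service-account-token path via `fleet-setup` is not a role and is not covered here.

```python
"""Audit role definitions for the CVE-2024-37285 precondition and check
Kibana versions against the affected range.

Added illustration, not Elastic's code. Role JSON follows the Elasticsearch
role API layout; the Kibana privilege names and sample roles below are
assumptions constructed for this example.
"""
import fnmatch
import json

AFFECTED_MIN = (8, 10, 0)   # first affected release (from the advisory)
FIXED = (8, 15, 1)          # first fixed release (from the advisory)

# Index privileges that grant write (assumption: "all" is a superset of "write").
WRITE_PRIVS = {"write", "all"}

# Kibana application privileges that satisfy the Kibana-side precondition.
# Assumed identifiers: Fleet feature = feature_fleetv2, Integrations = feature_fleet;
# the base "all" privilege implies every feature privilege.
KIBANA_PRIVS = {"feature_fleetv2.all", "feature_fleet.read", "feature_fleet.all", "all"}


def parse_version(version):
    """'8.15.0' or '8.15.0-SNAPSHOT' -> (8, 15, 0); pre-release suffixes are ignored."""
    return tuple(int(part) for part in version.split("-", 1)[0].split("."))


def is_affected_version(version):
    """True for 8.10.0 <= version < 8.15.1."""
    return AFFECTED_MIN <= parse_version(version) < FIXED


def index_grant_is_risky(grant):
    """True if this index grant gives write on .kibana_ingest* with restricted access allowed."""
    if not grant.get("allow_restricted_indices", False):
        return False
    if not WRITE_PRIVS & set(grant.get("privileges", [])):
        return False
    # Probe with a concrete name that the vulnerable pattern matches; this also
    # catches broader globs such as "*" or ".kibana*".
    return any(fnmatch.fnmatchcase(".kibana_ingest", name) for name in grant.get("names", []))


def kibana_grant_is_risky(grant):
    """True if this application grant carries Fleet All or Integrations Read/All."""
    if not grant.get("application", "").startswith("kibana-"):
        return False
    return bool(KIBANA_PRIVS & set(grant.get("privileges", [])))


def role_meets_preconditions(role):
    """Both sides are required: a risky index grant AND a risky Kibana grant."""
    return (any(index_grant_is_risky(g) for g in role.get("indices", []))
            and any(kibana_grant_is_risky(g) for g in role.get("applications", [])))


def audit_roles(roles):
    """roles: {role_name: role_document}. Returns sorted names meeting the preconditions."""
    return sorted(name for name, role in roles.items() if role_meets_preconditions(role))


# Constructed sample roles (not from any real deployment).
SAMPLE_ROLES = json.loads("""{
  "fleet_ingest_admin": {
    "indices": [{"names": [".kibana_ingest*"], "privileges": ["write"], "allow_restricted_indices": true}],
    "applications": [{"application": "kibana-.kibana", "privileges": ["feature_fleetv2.all"], "resources": ["*"]}]
  },
  "fleet_viewer": {
    "indices": [{"names": ["logs-*"], "privileges": ["read"]}],
    "applications": [{"application": "kibana-.kibana", "privileges": ["feature_fleet.read"], "resources": ["*"]}]
  },
  "ingest_writer_no_restricted": {
    "indices": [{"names": [".kibana_ingest*"], "privileges": ["write"], "allow_restricted_indices": false}],
    "applications": [{"application": "kibana-.kibana", "privileges": ["feature_fleetv2.all"], "resources": ["*"]}]
  }
}""")


if __name__ == "__main__":
    for v in ("8.9.2", "8.10.0", "8.15.0", "8.15.1"):
        print(v, "affected" if is_affected_version(v) else "not affected")
    print("roles meeting CVE-2024-37285 preconditions:", audit_roles(SAMPLE_ROLES))
```

Only `fleet_ingest_admin` is reported: `fleet_viewer` lacks the index side and `ingest_writer_no_restricted` lacks `allow_restricted_indices`. Against a live cluster the same functions can be fed the output of the Elasticsearch get-roles API; a role that is flagged on an affected version is a candidate for splitting its index and Kibana privileges until the upgrade to 8.15.1 is done.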
Tags
#CVE-2024-37285 #Kibana #ArbitraryCodeExecution #YAML #Deserialization #ElasticStack #CyberSecurity