Cybersecurity Threat Advisory: Fluent Bit critical vulnerability

Cybersecurity Threat Advisory

This Cybersecurity Threat Advisory highlights a critical vulnerability discovered in Fluent Bit, a widely used logging and metrics solution. CVE-2024-4323, a newly disclosed memory corruption vulnerability, can lead to denial of service (DoS), information leakage, and remote code execution (RCE). Continue reading this advisory for recommendations to mitigate your risk.

What is the threat?

Fluent Bit is a cloud-logging utility. The threat resides in Fluent Bit's built-in HTTP server, which allows unrestricted access to various metric and logging endpoints internal to the service, potentially leading to cross-tenant information leakage.

Two endpoints, /api/v1/traces and /api/v1/trace, allow end users with access to the Monitoring API to enable, disable, and retrieve information about traces. Attackers can leverage these endpoints to cause a DoS by passing non-string values in the request input.

These behaviors affect Fluent Bit versions 2.0.7 through 3.0.3.

Why is it noteworthy?

Fluent Bit is used by a multitude of organizations and is critical to their logging. If an endpoint has improper or exposed network access, it could result in degradation of the service, leakage of information, or even remote code execution.

On top of potentially causing a DoS, researchers were able to retrieve chunks of adjacent memory via the returned HTTP responses. Most of the information was related to previous metrics requests; however, a partial secret was occasionally exposed, which could lead to the leakage of sensitive information.

Additionally, the heap buffer overflow creates a possibility of remote code execution, which depends on many factors such as host architecture and operating system. However, researchers say exploiting it is not only difficult but also incredibly time-intensive.

What are the recommendations?

Barracuda MSP recommends the following actions to keep your environment secure:

  • Upgrade to version 3.0.4 or newer, in which the vulnerability is fixed.
  • For deployments still on version 3.0.3 or below, review and limit access to Fluent Bit’s Monitoring API. Ensure only authenticated users and applications have access to the API.
  • Disable the API if it is not in use to reduce the attack surface.
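As an added example (not Barracuda's or the Fluent Bit project's code), the following Python audit helper applies the advisory's checks to a deployment: whether the running version falls in the affected range 2.0.7 through 3.0.3, whether the Monitoring API (http_server in the [SERVICE] block) is enabled, and whether it listens beyond loopback. The configuration defaults and the sample config are assumptions, not values taken from the advisory.

```python
"""Hypothetical audit helper (not Fluent Bit code): flag a deployment exposed to CVE-2024-4323."""
import re

AFFECTED_MIN = (2, 0, 7)  # first affected release named in the advisory
FIXED = (3, 0, 4)         # first fixed release named in the advisory
LOOPBACK = {"127.0.0.1", "::1", "localhost"}

def parse_version(text: str) -> tuple:
    """Turn 'v3.0.3' or 'Fluent Bit v3.0.3' into a comparable tuple."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(x) for x in m.groups())

def is_affected_version(version: str) -> bool:
    return AFFECTED_MIN <= parse_version(version) < FIXED

def parse_service_section(config: str) -> dict:
    """Key/value pairs of the [SERVICE] block of a classic Fluent Bit config.
    Keys are case-insensitive in Fluent Bit, so they are lower-cased here."""
    section, out = None, {}
    for raw in config.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "service":
            parts = line.split(None, 1)
            out[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return out

def assess(version: str, config: str) -> str:
    """Risk label: 'patched', 'api-disabled', 'local-only' or 'exposed'."""
    if not is_affected_version(version):
        return "patched"
    svc = parse_service_section(config)
    # Defaults assumed from the Fluent Bit docs: http_server Off, http_listen 0.0.0.0
    if svc.get("http_server", "off").lower() not in ("on", "true"):
        return "api-disabled"
    if svc.get("http_listen", "0.0.0.0").lower() in LOOPBACK:
        return "local-only"
    return "exposed"

# Constructed sample config (not from any real deployment): API on all interfaces
WEAK_CONFIG = """
[SERVICE]
    http_server  On
    http_listen  0.0.0.0
"""
```

Running `assess("v3.0.3", WEAK_CONFIG)` on the sample yields "exposed"; binding http_listen to 127.0.0.1 or setting http_server Off moves it to the lower-risk labels until the upgrade lands.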

If you have any questions about this Cybersecurity Threat Advisory, please contact Barracuda XDR’s Security Operations Center.

This post originally appeared on Smarter MSP.