Critical Kibana Flaws (CVE-2024-37288, CVE-2024-37285) Expose Systems to Arbitrary Code Execution

CVE-2024-37288 and CVE-2024-37285

Elastic, the company behind Kibana, the data visualization and analytics front end of the Elastic Stack, has issued a critical security advisory urging users to upgrade immediately to version 8.15.1. Two severe vulnerabilities, tracked as CVE-2024-37288 and CVE-2024-37285, could allow an authenticated attacker to execute arbitrary code in the Kibana server process, which runs with the privileges of the Kibana service account and so can lead to compromise of the Kibana host.

  • CVE-2024-37288: YAML Deserialization Flaw in Amazon Bedrock Connector

The first vulnerability, rated with a CVSS score of 9.9 (critical), stems from a deserialization issue in Kibana's Amazon Bedrock connector: when Kibana parses a YAML document containing a crafted payload, the payload is deserialized into executable code, giving remote code execution. Only Kibana 8.15.0 is affected, and only deployments that use Elastic Security's built-in AI tools and have configured an Amazon Bedrock connector are exposed; other connector types are not affected by this CVE.

  • CVE-2024-37285: Widespread YAML Deserialization Vulnerability

The second vulnerability, also a YAML deserialization flaw, affects a broader range of Kibana users (versions 8.10.0 through 8.15.0). With a CVSS score of 9.1 (critical), it allows arbitrary code execution, but only by a user who holds a specific combination of Elasticsearch index privileges and Kibana privileges.

On the Elasticsearch side, the attacker needs write privileges on the .kibana_ingest* system indices, and the role granting them must have the allow_restricted_indices flag set to true (without that flag, index patterns never match system indices, so a plain "*" pattern is not enough). On the Kibana side, any one of the following suffices: the All privilege under Fleet, the Read or All privilege under Integrations, or access to the fleet-setup privilege obtained through the Fleet Server's service account token.

Because the attacker must already be authenticated and hold this unusual combination of privileges, the flaw is not reachable by an anonymous user: in practice it requires either an over-permissive role configuration or an insider (or an attacker who has already taken over such an account, or the Fleet Server service account token). Reviewing which roles actually satisfy these preconditions is therefore the first thing to check while planning the upgrade.
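As an added example (not Elastic's code and not part of the advisory), the script below takes the JSON returned by Elasticsearch's GET _security/role API and lists the roles that satisfy both halves of the CVE-2024-37285 precondition: write access that reaches the .kibana_ingest* system indices with allow_restricted_indices enabled, plus a qualifying Fleet or Integrations privilege in Kibana. It assumes the Kibana feature-privilege identifiers feature_fleetv2.* (Fleet) and feature_fleet.* (Integrations), treats the base privileges all and space_all as implying them, and cannot see the third route (the Fleet Server service account token), which lives outside role definitions. The role documents embedded in the block are constructed for the example.

```python
"""Offline check for the privilege combination CVE-2024-37285 requires.

Added example, not Elastic's code.  Input is the JSON body returned by
`GET _security/role` (or `GET _security/role/<name>`) from Elasticsearch.
Assumptions: Kibana feature privileges are named `feature_fleetv2.*` (Fleet)
and `feature_fleet.*` (Integrations); the Fleet Server service-account route
is a separate credential and is NOT visible in role definitions.
"""
import fnmatch
import json
import sys

# Concrete names covered by the .kibana_ingest* pattern; a role's index glob
# is tested against these to see whether it reaches the system index.
TARGET_INDEX_NAMES = (".kibana_ingest", ".kibana_ingest_8.15.0_001")

# Index privileges that grant write access to the matched indices.
# (Assumption: narrower privileges such as `index` or `create_doc` are not
# counted as "write" here; widen this set if you want a more paranoid scan.)
WRITE_PRIVS = {"write", "all"}

# Kibana privileges that satisfy the advisory's Fleet / Integrations condition.
KIBANA_FLEET_PRIVS = {
    "all", "space_all",      # base privileges that imply every feature privilege
    "feature_fleetv2.all",   # Fleet: All
    "feature_fleet.all",     # Integrations: All
    "feature_fleet.read",    # Integrations: Read
}


def reaches_ingest_index(entry: dict) -> bool:
    """True if one `indices` entry gives write access to .kibana_ingest*."""
    # System indices are restricted: without this flag the glob never applies
    # to them, so even names ["*"] with privileges ["all"] is not a hit.
    if not entry.get("allow_restricted_indices", False):
        return False
    if not WRITE_PRIVS & set(entry.get("privileges", [])):
        return False
    return any(fnmatch.fnmatchcase(name, pattern)
               for pattern in entry.get("names", [])
               for name in TARGET_INDEX_NAMES)


def has_fleet_privilege(entry: dict) -> bool:
    """True if one `applications` entry grants a qualifying Kibana privilege."""
    app = entry.get("application", "")
    if not (app == "*" or app.startswith("kibana-")):
        return False
    privs = set(entry.get("privileges", []))
    return "*" in privs or bool(privs & KIBANA_FLEET_PRIVS)


def roles_at_risk(roles: dict) -> dict:
    """Map role name -> evidence, for roles meeting both preconditions."""
    findings = {}
    for name, role in roles.items():
        idx_hits = [e for e in role.get("indices", []) if reaches_ingest_index(e)]
        app_hits = [e for e in role.get("applications", []) if has_fleet_privilege(e)]
        if idx_hits and app_hits:
            findings[name] = {
                "index_patterns": sorted({p for e in idx_hits for p in e["names"]}),
                "kibana_privileges": sorted({p for e in app_hits for p in e["privileges"]}),
            }
    return findings


def load_roles(text: str) -> dict:
    return json.loads(text)


# Constructed sample in the shape of a GET _security/role response.
SAMPLE_ROLES_JSON = """
{
  "fleet_operator": {
    "cluster": ["monitor"],
    "indices": [{"names": [".kibana_ingest*"], "privileges": ["write"],
                 "allow_restricted_indices": true}],
    "applications": [{"application": "kibana-.kibana",
                      "privileges": ["feature_fleetv2.all"], "resources": ["*"]}]
  },
  "log_writer": {
    "cluster": [],
    "indices": [{"names": ["logs-*"], "privileges": ["write"],
                 "allow_restricted_indices": false}],
    "applications": [{"application": "kibana-.kibana",
                      "privileges": ["feature_fleet.read"], "resources": ["*"]}]
  },
  "kibana_admin_no_restricted": {
    "cluster": [],
    "indices": [{"names": ["*"], "privileges": ["all"],
                 "allow_restricted_indices": false}],
    "applications": [{"application": "kibana-.kibana",
                      "privileges": ["all"], "resources": ["*"]}]
  },
  "superuser": {
    "cluster": ["all"],
    "indices": [{"names": ["*"], "privileges": ["all"],
                 "allow_restricted_indices": true}],
    "applications": [{"application": "*", "privileges": ["*"], "resources": ["*"]}]
  }
}
"""


def check_sample() -> dict:
    return roles_at_risk(load_roles(SAMPLE_ROLES_JSON))


if __name__ == "__main__":
    # Usage: python check_roles.py roles.json   (or no argument for the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_ROLES_JSON
    for role, evidence in roles_at_risk(load_roles(text)).items():
        print(f"{role}: {evidence}")
```

Two of the constructed roles are flagged: fleet_operator, which is exactly the advisory's combination, and superuser, because the built-in superuser role carries allow_restricted_indices on "*". The kibana_admin_no_restricted role is not flagged even though it has "*" with all, since without allow_restricted_indices the pattern never reaches system indices. Expect some flagged roles to be legitimate administrators; the point is to know which accounts could exploit the bug before 8.15.1 is rolled out.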

To address both vulnerabilities, Elastic advises the following actions:

  • Upgrade to Kibana version 8.15.1: This is the most effective solution and patches both CVE-2024-37288 and CVE-2024-37285.
  • Temporary mitigation for CVE-2024-37288 only: Users unable to upgrade immediately can disable the Integration Assistant feature by adding the following line to kibana.yml and restarting Kibana (this does not mitigate CVE-2024-37285, for which the only fix is the upgrade):
    xpack.integration_assistant.enabled: false
