
Elastic has disclosed a high-severity vulnerability (CVE-2024-43706) affecting its Kibana observability platform, specifically in the Synthetic Monitoring feature. With a CVSS score of 7.6, the flaw allows attackers to abuse privileges by making direct HTTP requests to an endpoint that should have been access-restricted—potentially bypassing user interface constraints and accessing data or triggering actions without appropriate authorization.
The vulnerability stems from improper authorization checks on the synthetics endpoint. In vulnerable Kibana versions, users with lower privileges might access Synthetic monitor functionality via direct API requests, regardless of the role-based restrictions enforced in the UI. This gap could result in unauthorized data visibility or service misuse, depending on how the monitor is configured.
This flaw affects Kibana 8.12.0 and older and was fixed in Kibana 8.12.1. Elastic urges all customers to upgrade immediately to patch the flaw. The vulnerability affects both self-hosted deployments and those running on Elastic Cloud.
If upgrading is not feasible, Elastic provides workarounds to mitigate exposure:
Self-Hosted Kibana
- Disable Synthetics Monitoring: add the following to your kibana.yml file:
- Apply Index Block on Synthetics Data: make the synthetics-* indices read-only using Elastic's dynamic index settings or the dedicated block API. This ensures:
  - Ongoing writes are safely completed before locking
  - No new data can be added post-block
Elastic Cloud
- Apply Read-Only Block: use index management to set a read block on all synthetics-* indices. This prevents any API or UI operations from modifying synthetic data without restricting access to existing monitoring logs.
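The index-block workaround above, as an added example (not Elastic's own tooling): it applies a write block to the synthetics-* indices through the add-index-block API and then checks the returned settings to confirm every matching index is actually blocked. ES_URL and ES_AUTH are assumed names for the cluster endpoint and basic-auth credentials.

```python
"""Apply and verify a write block on synthetics-* indices (added example)."""
import base64
import json
import os
import urllib.request

ES_URL = os.environ.get("ES_URL", "https://localhost:9200")  # assumption
ES_AUTH = os.environ.get("ES_AUTH", "elastic:changeme")      # assumption
PATTERN = "synthetics-*"


def block_request(pattern: str = PATTERN) -> tuple:
    """Build the add-index-block request. PUT /<pattern>/_block/write lets
    in-flight writes finish before the block takes effect, which is the
    'safely completed' behaviour the advisory describes."""
    return ("PUT", f"/{pattern}/_block/write", {})


def unblocked_indices(settings_response: dict) -> list:
    """Given a GET /<pattern>/_settings response, return the indices whose
    index.blocks.write is not set. Elasticsearch reports settings as
    strings, so the value is compared against 'true'."""
    missing = []
    for name, body in settings_response.items():
        blocks = body.get("settings", {}).get("index", {}).get("blocks", {})
        if str(blocks.get("write", "false")).lower() != "true":
            missing.append(name)
    return sorted(missing)


def _call(method: str, path: str, body: dict) -> dict:
    """Minimal JSON client using only the standard library."""
    token = base64.b64encode(ES_AUTH.encode()).decode()
    req = urllib.request.Request(
        ES_URL + path, method=method,
        data=json.dumps(body).encode() if body else None,
        headers={"Content-Type": "application/json",
                 "Authorization": f"Basic {token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    method, path, body = block_request()
    print(_call(method, path, body))  # expect "acknowledged": true
    settings = _call("GET", f"/{PATTERN}/_settings", {})
    print("still writable:", unblocked_indices(settings) or "none")
```

Run the verification step again after any template or ILM rollover, since a newly created backing index does not inherit a block applied to its predecessors.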