Researchers have found a extreme reminiscence corruption vulnerability inside a cloud logging utility used throughout main cloud platforms.
The service, Fluent Bit, is an open supply software for gathering, processing, and forwarding logs and different sorts of software information. It is one of many extra well-liked items of software program on the market, with greater than three billion downloads as of 2022, and a brand new 10 million or so deployments with every passing day. It is utilized by main organizations equivalent to VMware, Cisco, Adobe, Walmart, and LinkedIn, and almost each main cloud service supplier, together with AWS, Microsoft, and Google Cloud.
The difficulty with Fluent Bit, dubbed “Linguistic Lumberjack” in a new report from Tenable, lies in how the service’s embedded HTTP server parses hint requests. Manipulated in a technique or one other, it might trigger denial of service (DoS), information leakage, or distant code execution (RCE) in a cloud surroundings.
“Everybody will get hyped a few vulnerability in Azure, AWS, GCP, however no one’s actually wanting on the applied sciences that make up all of those main cloud companies – widespread, core items of software program that now have an effect on each main cloud supplier,” says Jimi Sebree, senior employees analysis engineer with Tenable. “It’s essential to be in search of software safety bombs and like parts of the companies, not simply the companies themselves.”
The Linguistic Lumberjack Impact
Tenable researchers initially had been wanting into a wholly separate safety situation in an undisclosed cloud service after they realized one thing sudden was occurring. From the place they had been sitting, it appeared they had been capable of entry a variety of the cloud service supplier’s (CSP) personal inside metrics and logging endpoints. Amongst these had been situations of Fluent Bit.
This cross-tenant information leakage got here from endpoints in Fluent Bit’s monitoring software programming interface (API), designed to permit customers to question and monitor its inside information. After some testing, although, a little bit of leaky information turned out to be solely the introduction to a deeper downside.
For a specific endpoint – /api/v1/traces – the sorts of information handed as enter names weren’t correctly validated previous to being parsed by this system. So by passing non-string values, an attacker may trigger every kind of reminiscence corruption points in Fluent Bit. The researchers tried out quite a lot of constructive and damaging integer values, specifically, to efficiently trigger errors for which the service would crash and leak doubtlessly delicate information.
Attackers may additionally doubtlessly use this identical trick to realize RCE capabilities in a focused surroundings. Nonetheless, Tenable famous, growing such an exploit would require a great deal of effort, being custom-made to the goal’s specific working system and structure.
What to Do About It
The bug exists in Fluent Bit variations 2.0.7 via 3.0.3. It is being tracked beneath CVE-2024-4323, and various sites have assigned it “vital” CVSS scores of over 9.5 out of 10. After it was reported on April 30, Fluent Bit’s maintainers updated the service to correctly validate information sorts in that problematic endpoint’s enter subject. The repair was utilized to the challenge’s foremost department on GitHub on Could 15.
Organizations with Fluent Bit deployed in their very own infrastructure and environments are suggested to replace as quickly as potential. Alternatively, Tenable suggests, directors can overview any configurations related to Fluent Bit’s monitoring API to make sure that solely licensed customers and companies can question it – and even no customers or companies in any respect.
