Researchers have found a severe memory corruption vulnerability in a cloud logging utility used across major cloud platforms.
The service, Fluent Bit, is an open source tool for collecting, processing, and forwarding logs and other kinds of application data. It is one of the more popular pieces of software out there, with more than three billion downloads as of 2022, and roughly 10 million new deployments with every passing day. It is used by major organizations such as VMware, Cisco, Adobe, Walmart, and LinkedIn, and nearly every major cloud service provider, including AWS, Microsoft, and Google Cloud.
The issue with Fluent Bit, dubbed “Linguistic Lumberjack” in a new report from Tenable, lies in how the service’s embedded HTTP server parses trace requests. Manipulated in one way or another, it can cause denial of service (DoS), data leakage, or remote code execution (RCE) in a cloud environment.
“Everybody gets hyped about a vulnerability in Azure, AWS, GCP, but nobody’s really looking at the technologies that make up all of these major cloud services – common, core pieces of software that now affect every major cloud provider,” says Jimi Sebree, senior staff research engineer with Tenable. “You need to be looking for application security bombs in, like, components of the services, not just the services themselves.”
The Linguistic Lumberjack Effect
Tenable researchers initially were looking into an entirely separate security issue in an undisclosed cloud service when they noticed something unexpected was happening. From where they were sitting, it appeared they were able to access a range of the cloud service provider’s (CSP) own internal metrics and logging endpoints. Among these were instances of Fluent Bit.
This cross-tenant data leakage came from endpoints in Fluent Bit’s monitoring application programming interface (API), designed to allow users to query and monitor its internal data. After some testing, though, a bit of leaky data turned out to be only the introduction to a deeper problem.
For one particular endpoint – /api/v1/traces – the types of data passed as input names weren’t properly validated prior to being parsed by the program. So by passing non-string values, an attacker could cause all sorts of memory corruption issues in Fluent Bit. The researchers tried out a variety of positive and negative integer values, specifically, to successfully trigger errors for which the service would crash and leak potentially sensitive data.
Attackers could also potentially use this same trick to gain RCE capabilities in a targeted environment. However, Tenable noted, developing such an exploit would require a great deal of effort, being customized to the target’s particular operating system and architecture.
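As an added illustration, not code from the article or from the Fluent Bit project: a Python sketch of the input-type check the article says the maintainers added, applied to constructed request records so a defender can spot malformed traces requests in proxy or WAF logs. The JSON field name "inputs" and the record layout are assumptions, not details taken from the report.

```python
import json

TRACES_ENDPOINT = "/api/v1/traces"


def validate_traces_body(body: bytes) -> tuple[bool, str]:
    """Return (ok, reason). Every input name handed to the traces
    endpoint must be a non-empty string; anything else is rejected
    before it reaches a parser. The "inputs" key is an assumption."""
    try:
        doc = json.loads(body)
    except (ValueError, UnicodeDecodeError):
        return False, "body is not valid JSON"
    if not isinstance(doc, dict):
        return False, "top-level value is not an object"
    names = doc.get("inputs")
    if not isinstance(names, list) or not names:
        return False, "'inputs' must be a non-empty array"
    for idx, name in enumerate(names):
        # Integers (positive or negative), booleans, nulls and nested
        # values are all rejected; only strings pass.
        if not isinstance(name, str):
            return False, f"inputs[{idx}] is {type(name).__name__}, expected string"
        if not name or len(name) > 256:
            return False, f"inputs[{idx}] has invalid length"
    return True, "ok"


# Constructed sample records (method, path, body) as a reverse proxy in
# front of the monitoring API might log them; not real traffic.
SAMPLE_REQUESTS = [
    ("POST", "/api/v1/traces", b'{"inputs": ["dummy.0"]}'),
    ("POST", "/api/v1/traces", b'{"inputs": [-1]}'),
    ("POST", "/api/v1/traces", b'{"inputs": [2147483647, "dummy.0"]}'),
    ("GET", "/api/v1/metrics", b""),
]


def flag_suspicious(requests):
    """Return [(path, reason)] for traces requests that fail validation."""
    flagged = []
    for method, path, body in requests:
        if method != "POST" or path != TRACES_ENDPOINT:
            continue
        ok, reason = validate_traces_body(body)
        if not ok:
            flagged.append((path, reason))
    return flagged
```

Running `flag_suspicious(SAMPLE_REQUESTS)` flags the two records whose input names are integers and leaves the well-formed request and the unrelated metrics call alone.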
What to Do About It
The bug exists in Fluent Bit versions 2.0.7 through 3.0.3. It is being tracked under CVE-2024-4323, and various sites have assigned it “critical” CVSS scores of over 9.5 out of 10. After it was reported on April 30, Fluent Bit’s maintainers updated the service to properly validate data types in that problematic endpoint’s input field. The fix was applied to the project’s main branch on GitHub on May 15.
Organizations with Fluent Bit deployed in their own infrastructure and environments are advised to update as soon as possible. Alternatively, Tenable suggests, administrators can review any configurations associated with Fluent Bit’s monitoring API to ensure that only authorized users and services can query it – or even no users or services at all.