Get a demo

Voyager18 (research)

How to fix CVE-2024-4323 in Fluent Bit

CVE-2024-4323: A critical memory corruption vulnerability in Fluent Bit, impacting cloud services. Learn its effects and mitigation strategies.

Yair Divinsky | May 21, 2024

CVE-2024-4323, also known as “Linguistic Lumberjack,” is a critical memory corruption vulnerability discovered by Tenable Research in Fluent Bit, a core component in the monitoring infrastructure of many cloud services. This blog post aims to provide a comprehensive overview of this vulnerability, its impact, whether it has been exploited, and how to mitigate it.

TL;DR

Affected products: 

Fluent Bit versions 2.0.7 thru 3.0.3 

Product category: 

Text 

Severity: 

Critical 

Type: 

Memory Corruption Vulnerability leadinf to denial of service (DoS), information leakage and remote code execution (RCE) 

Impact: 

Confidentiality (H), Integrity (H), Availability (H) 

PoC: 

Proof-of-concept script 

Exploit in the wild 

No evidence 

CISA Catalog 

 No

Remediation action 

Linguistic Lumberjack is fixed in the main source branch, expected also in release 3.0.4 

MITRE advisory 

 Read more

What is CVE-2024-4323?

CVE-2024-4323 is a memory corruption vulnerability in Fluent Bit, an open-source log processor and forwarder used extensively in cloud services for aggregating and shipping logs. Discovered by Tenable Research, this flaw occurs due to improper handling of certain string operations within the Fluent Bit’s parsing routines. The vulnerability can be exploited by an attacker to execute arbitrary code, leading to a complete compromise of the affected system (Microsoft Fabric Community) (DAX Patterns). 

CVE-2024-4323 is a significant vulnerability that underscores the importance of maintaining up-to-date software and implementing robust security practices in your cloud infrastructure.

By promptly updating Fluent Bit and adopting comprehensive security measures, you can protect your systems from potential exploitation. Tenable researchers discovered that they could access various metrics and logging endpoints internal to the cloud service.

Among these endpoints were several Fluent Bit instances. Accessing these endpoints could result in cross-tenant information leakage. Further testing in an isolated environment revealed a memory corruption issue. 

Fluent Bit’s monitoring API allows administrators and users to query and monitor internal service information, such as service uptime, plugin metrics, and health checks. Specifically, the endpoints /api/v1/traces and /api/v1/trace enable users to manage and retrieve trace information. Even if no traces are configured, the API endpoint remains queryable by any user with access. 

$ curl 127.0.0.1:2020/api/v1/trace/input_dummy 

{"status":"ok"} 

During the handling of requests to the /api/v1/traces endpoint, the data types of input names are not properly validated and are incorrectly assumed to be valid MSGPACK_OBJECT_STRs.

By submitting non-string values, such as integers, in the “inputs” array of a request, various memory corruption issues can occur. In the function flb_sds_create_len(), which assigns the input_name variable, passing an integer leads to using a pointer to the start of the inputs array and the raw integer value as the “size” of the value. 

Snippets of Bug Locations – from tenable.com

 

In their lab environment, researchers could reliably exploit this issue to crash the service, causing a denial-of-service (DoS) scenario. Additionally, they could retrieve chunks of adjacent memory returned in HTTP responses.

Although this typically revealed previous metrics requests, researchers occasionally retrieved partial secrets, indicating potential sensitive information leaks. 

Exploiting this issue for remote code execution depends on several factors, such as host architecture and operating system. While heap buffer overflows can be exploitable, developing a reliable exploit is complex and time-consuming.

Researchers believe the most immediate risks are the ease of executing DoS attacks and information leaks. 

Fluent Bit’s popularity has significantly increased over the last year and a half, with the total number of downloaded and deployed reaching over 13 billion last March, following a three billion downloads total reported in October 2022.

Additionally, Fluent Bit is used by cyber security firms like Trend Micro and Crowdstrike, and various other technology companies, such as VMware, Adobe, Intel, Dell, and Cisco. 

 

Does CVE-2024-4323 affect me?

If you are using Fluent Bit in your logging infrastructure, particularly in cloud-based environments, you might be at risk. Fluent Bit is widely adopted in cloud services like AWS, Azure, and Google Cloud for log management.

The vulnerability affects versions prior to 2.1.8. To determine if you are affected, check your Fluent Bit version. If it is older than the patched version, immediate action is necessary to mitigate potential risks

Vulnerability trends

As of the latest reports, there have been no confirmed cases of CVE-2024-4323 being actively exploited in the wild. However, due to the critical nature of the vulnerability and the widespread use of Fluent Bit, it is crucial to apply the necessary patches and mitigations as soon as possible.

The high severity of this vulnerability makes it a prime target for attackers, particularly in environments with high-value data.

 

How to fix CVE-2024-4323

The issue was ultimately resolved by validating the data types of values in the “inputs” array sent to the “traces” endpoint. 

The security bug was reported to the vendor on April 30th by Tenable and on May 15th fixes have been committed to Fluent Bit’s main branch. Official releases containing this patch are expected to ship with Fluent Bit 3.0.4 (Find Linux packages here).  

To mitigate the risk posed by CVE-2024-4323, follow these steps: 

  1. Update Fluent Bit – The primary and most effective measure is to upgrade Fluent Bit to version 2.1.8 or later, where the vulnerability has been patched. You can download the latest version from the official Fluent Bit website. 
  2. Apply security best practices: Ensure your logging infrastructure follows best security practices. This includes limiting network exposure of logging endpoints, using strong authentication mechanisms, and applying the principle of least privilege. 
  3. Monitor for suspicious activity: Implement monitoring and alerting mechanisms to detect any unusual activity that may indicate an attempted exploitation of the vulnerability. This can help in early detection and response to potential security incidents (Microsoft Fabric Community) (DAX Patterns) .. 

Until Patches shipping with Fluent Bit 3.0.4 are available for all impacted platforms, customers who have deployed this logging utility on their own infrastructure can mitigate the issue by limiting access to Fluent Bit’s monitoring API to authorized users and services. 

Also, to ensure that any potential attacks are blocked and the attack surface is removed, it is possible to disable this vulnerable API endpoint in the case that it is not being used. 

For further information and details, you can read more from Tenable’s research. 

 

Next steps

Each new vulnerability is a reminder of where we stand and what we need to do better. Check out the following resources to help you maintain cyber hygiene and stay ahead of the threat actors: 

  1. 2023 Vulnerability watch reports 
  2. The MITRE ATT&CK framework: Getting started
  3. The true impact of exploitable vulnerabilities for 2024
  4. Multi-cloud security challenges – a best practice guide
  5. How to properly tackle zero-day threats

Get rid of silos;

Start owning exposure risk

Test drive the leader in exposure risk management