CVE-2024-4323: A critical memory corruption vulnerability in Fluent Bit, impacting cloud services. Learn its effects and mitigation strategies.
CVE-2024-4323, also known as “Linguistic Lumberjack,” is a critical memory corruption vulnerability discovered by Tenable Research in Fluent Bit, a core component in the monitoring infrastructure of many cloud services. This blog post aims to provide a comprehensive overview of this vulnerability, its impact, whether it has been exploited, and how to mitigate it.
| Field | Details |
|---|---|
| Affected products | Fluent Bit versions 2.0.7 through 3.0.3 |
| Product category | Text |
| Severity | Critical |
| Type | Memory corruption vulnerability leading to denial of service (DoS), information leakage and remote code execution (RCE) |
| Impact | Confidentiality (H), Integrity (H), Availability (H) |
| PoC | |
| Exploit in the wild | No evidence |
| CISA Catalog | No |
| Remediation action | Linguistic Lumberjack is fixed in the main source branch, expected also in release 3.0.4 |
| MITRE advisory | |
CVE-2024-4323 is a memory corruption vulnerability in Fluent Bit, an open-source log processor and forwarder used extensively in cloud services for aggregating and shipping logs. Discovered by Tenable Research, this flaw occurs due to improper handling of certain string operations within Fluent Bit’s parsing routines. The vulnerability can be exploited by an attacker to execute arbitrary code, leading to a complete compromise of the affected system (Microsoft Fabric Community) (DAX Patterns).
CVE-2024-4323 is a significant vulnerability that underscores the importance of maintaining up-to-date software and implementing robust security practices in your cloud infrastructure.
By promptly updating Fluent Bit and adopting comprehensive security measures, you can protect your systems from potential exploitation.

Tenable researchers discovered that they could access various metrics and logging endpoints internal to the cloud service.
Among these endpoints were several Fluent Bit instances. Accessing these endpoints could result in cross-tenant information leakage. Further testing in an isolated environment revealed a memory corruption issue.
Fluent Bit’s monitoring API allows administrators and users to query and monitor internal service information, such as service uptime, plugin metrics, and health checks. Specifically, the endpoints /api/v1/traces and /api/v1/trace enable users to manage and retrieve trace information. Even if no traces are configured, the API endpoint remains queryable by any user with access.
```
$ curl 127.0.0.1:2020/api/v1/trace/input_dummy
{"status":"ok"}
```
During the handling of requests to the /api/v1/traces endpoint, the data types of input names are not properly validated and are incorrectly assumed to be valid MSGPACK_OBJECT_STRs.
By submitting non-string values, such as integers, in the “inputs” array of a request, various memory corruption issues can occur. In the function flb_sds_create_len(), which assigns the input_name variable, passing an integer leads to a pointer to the start of the inputs array being used as the string data and the raw integer value being used as its “size”.
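To make the type confusion concrete, here is an added C example (not Fluent Bit’s code) that models a msgpack object with a simplified struct and shows the unchecked pattern beside the validated one the fix amounts to; the struct layout, function names and the sample “inputs” values are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Simplified stand-in for a msgpack-c object (constructed for this example,
 * not the real msgpack_object): a type tag plus a union of the two variants
 * that matter for the traces endpoint bug. */
typedef enum { OBJ_POSITIVE_INTEGER, OBJ_STR } obj_type;

typedef struct {
    obj_type type;
    union {
        uint64_t u64;
        struct { uint32_t size; const char *ptr; } str;
    } via;
} obj;

/* Vulnerable pattern: assume every "inputs" element is a string and read the
 * str view of the union without checking the tag. For an integer element the
 * "size" is the raw integer bytes, which the caller then passes as the length
 * to the string constructor (flb_sds_create_len() in the real code). */
static size_t input_name_len_unchecked(const obj *o)
{
    return o->via.str.size;
}

/* Hardened pattern, equivalent to the fix the post describes: validate the
 * type before treating the element as a string. Returns 0 on success, -1 for
 * a non-string element or a name that does not fit the destination buffer. */
static int input_name_copy(const obj *o, char *out, size_t out_len)
{
    if (o->type != OBJ_STR || o->via.str.size >= out_len)
        return -1;
    memcpy(out, o->via.str.ptr, o->via.str.size);
    out[o->via.str.size] = '\0';
    return 0;
}

/* Request-level check: reject the whole "inputs" array if any element is not
 * a string, so malformed bodies never reach the string-handling code. */
static int inputs_all_strings(const obj *arr, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (arr[i].type != OBJ_STR)
            return 0;
    return 1;
}
```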
In their lab environment, researchers could reliably exploit this issue to crash the service, causing a denial-of-service (DoS) scenario. Additionally, they could retrieve chunks of adjacent memory returned in HTTP responses.
Although this typically revealed previous metrics requests, researchers occasionally retrieved partial secrets, indicating potential sensitive information leaks.
Exploiting this issue for remote code execution depends on several factors, such as host architecture and operating system. While heap buffer overflows can be exploitable, developing a reliable exploit is complex and time-consuming.
Researchers believe the most immediate risks are the ease of executing DoS attacks and information leaks.
Fluent Bit’s popularity has increased significantly over the last year and a half, with total downloads and deployments exceeding 13 billion as of last March, up from the three billion downloads reported in October 2022.
Additionally, Fluent Bit is used by cybersecurity firms like Trend Micro and CrowdStrike, and by various other technology companies, such as VMware, Adobe, Intel, Dell, and Cisco.
If you are using Fluent Bit in your logging infrastructure, particularly in cloud-based environments, you might be at risk. Fluent Bit is widely adopted in cloud services like AWS, Azure, and Google Cloud for log management.
The vulnerability affects versions prior to 2.1.8. To determine if you are affected, check your Fluent Bit version. If it is older than the patched version, immediate action is necessary to mitigate potential risks.
As of the latest reports, there have been no confirmed cases of CVE-2024-4323 being actively exploited in the wild. However, due to the critical nature of the vulnerability and the widespread use of Fluent Bit, it is crucial to apply the necessary patches and mitigations as soon as possible.
The high severity of this vulnerability makes it a prime target for attackers, particularly in environments with high-value data.
The issue was ultimately resolved by validating the data types of values in the “inputs” array sent to the “traces” endpoint.
The security bug was reported to the vendor by Tenable on April 30th, and fixes were committed to Fluent Bit’s main branch on May 15th. Official releases containing this patch are expected to ship with Fluent Bit 3.0.4 (Find Linux packages here).
To mitigate the risk posed by CVE-2024-4323, follow these steps:
Until patches shipping with Fluent Bit 3.0.4 are available for all impacted platforms, customers who have deployed this logging utility on their own infrastructure can mitigate the issue by limiting access to Fluent Bit’s monitoring API to authorized users and services.
Where the monitoring API is not in use, disabling the vulnerable endpoint altogether removes the attack surface and blocks any potential attack.
For further information and details, you can read more from Tenable’s research.
Each new vulnerability is a reminder of where we stand and what we need to do better. Check out the following resources to help you maintain cyber hygiene and stay ahead of the threat actors: