CVE-2023-46667

8.1 HIGH

📋 TL;DR

Fleet Server versions 8.10.0 through 8.10.2 log agent enrollment tokens in plain text, allowing attackers who access logs to enroll unauthorized agents. This could lead to data exfiltration or malicious event injection. Organizations using affected Elastic Fleet Server versions are vulnerable.

💻 Affected Systems

Products:
  • Elastic Fleet Server
Versions: >= v8.10.0 and < v8.10.3
Operating Systems: All supported platforms
Default Config Vulnerable: ⚠️ Yes
Notes: All deployments with logging enabled are affected; the vulnerability exists in default logging behavior.


⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers enroll malicious agents, exfiltrate Elasticsearch secrets and third-party credentials, inject false events, and compromise the entire monitoring infrastructure.

🟠 Likely Case

Unauthorized agent enrollment leading to data leakage from Elasticsearch and potential manipulation of monitoring data.

🟢 If Mitigated

Limited impact with proper log access controls and network segmentation preventing unauthorized log access.

🌐 Internet-Facing: HIGH if logs are exposed or accessible via web interfaces, as tokens could be harvested remotely.
🏢 Internal Only: MEDIUM requiring internal access to logs, but still significant due to potential lateral movement.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires access to log files containing plaintext tokens; no authentication bypass needed once logs are accessed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v8.10.3

Vendor Advisory: https://discuss.elastic.co/t/fleet-server-v8-10-3-security-update/344737

Restart Required: Yes

Instructions:

1. Back up configuration and data.
2. Update Fleet Server to version 8.10.3 via package manager or manual installation.
3. Restart the Fleet Server service.
4. Verify that logs no longer contain enrollment tokens.

🔧 Temporary Workarounds

Restrict Log File Access

Platform: linux

Set strict file permissions on Fleet Server log directories to prevent unauthorized access.

chmod 600 /var/log/fleet-server/*.log
chown fleet-server:fleet-server /var/log/fleet-server/*.log

Disable Detailed Logging

Platform: all

Reduce logging verbosity to minimize token exposure in logs.

Set logging.level in fleet-server.yml to 'error' or 'warn'

🧯 If You Can't Patch

  • Implement strict access controls on log storage and rotation to prevent unauthorized access.
  • Monitor for unauthorized agent enrollment attempts and review agent policies regularly.

🔍 How to Verify

Check if Vulnerable:

Check Fleet Server version and examine log files for plaintext enrollment tokens (look for strings resembling tokens in log entries).

Check Version:

fleet-server --version

Verify Fix Applied:

After patching, confirm version is 8.10.3+ and verify logs no longer contain enrollment tokens in plaintext.
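The following script is an added example (not part of this advisory and not Elastic's code) that automates the two checks described above: scanning Fleet Server log files for lines that mention enrollment and carry a long base64-looking string, and reporting log files whose permissions are wider than the chmod 600 workaround allows. It assumes logs live under /var/log/fleet-server and that an enrollment token looks like a base64-style run of 40 or more characters; both are assumptions, not Elastic's documented format, so treat a hit as something to review rather than proof of exposure.

```shell
#!/bin/sh
# Added example, not from the advisory or from Elastic.
# Assumptions: Fleet Server logs sit in LOG_DIR (default /var/log/fleet-server)
# and a leaked enrollment token appears as a base64-like string of 40+ chars on
# a line that also mentions enrollment. The token pattern is a heuristic.

# Print lines that mention enrollment and carry a long base64-looking string.
# Usage: find_token_lines FILE...
find_token_lines() {
    grep -iE 'enroll' "$@" 2>/dev/null \
        | grep -E '[A-Za-z0-9+/=_-]{40,}'
}

# Count such lines across the given files (printed on stdout).
count_token_lines() {
    n=$(find_token_lines "$@" | wc -l)
    echo "$n" | tr -d ' '
}

# Same lines with the token-like string replaced, so a finding can be
# shared with the owning team without copying the secret around.
redact_token_lines() {
    find_token_lines "$@" | sed -E 's#[A-Za-z0-9+/=_-]{40,}#<REDACTED>#g'
}

# List *.log files in DIR whose group or other permission bits are non-zero,
# i.e. anything looser than the chmod 600 workaround. Prints "path mode".
# Usage: loose_perm_logs DIR
loose_perm_logs() {
    dir=$1
    for f in "$dir"/*.log; do
        [ -e "$f" ] || continue
        # GNU stat first, BSD/macOS stat as fallback
        mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
        case "$mode" in
            *00) ;;                 # 600, 400, ...: owner-only access
            *) echo "$f $mode" ;;   # group/other have some permission
        esac
    done
}

# Run both checks against a log directory; non-zero exit on any finding.
main() {
    dir=${1:-/var/log/fleet-server}
    rc=0
    if [ "$(count_token_lines "$dir"/*.log)" != "0" ]; then
        echo "token-like strings on enrollment lines under $dir (redacted):"
        redact_token_lines "$dir"/*.log
        rc=1
    fi
    loose=$(loose_perm_logs "$dir")
    if [ -n "$loose" ]; then
        echo "log files readable beyond the owner:"
        echo "$loose"
        rc=1
    fi
    return $rc
}

# Only run when explicitly asked, so the file can also be sourced for its functions.
if [ "${RUN_CHECK:-0}" = 1 ]; then
    main "$@"
fi
```

Run it as `RUN_CHECK=1 sh fleet_log_check.sh /var/log/fleet-server` (hypothetical file name) before and after upgrading to 8.10.3: a zero exit after the upgrade, on logs written since the restart, is the "verify logs no longer contain enrollment tokens" step. Older rotated logs that still carry tokens should be treated as exposed secrets and the corresponding tokens revoked, not merely deleted.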

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized agent enrollment events
  • Log entries containing enrollment tokens
  • Unexpected new agents in Fleet UI

Network Indicators:

  • Unusual agent communication patterns
  • Connections from unauthorized IPs to Fleet Server

SIEM Query:

source:"fleet-server" AND ("enrollment" OR "token") AND NOT user:"expected_user"
