CVE-2024-11390
📋 TL;DR
This vulnerability allows an authenticated Kibana user to upload a malicious HTML or JavaScript file through Kibana's Synthetics app, leading to cross-site scripting (XSS). Anyone with access to the Synthetics app, or with write permission on the synthetics indices, can plant the file; the victims are other Kibana users whose browsers then execute the attacker's JavaScript in the context of their own Kibana session. The attack requires authenticated access to Kibana.
💻 Affected Systems
- Kibana
📦 What is this software?
Kibana by Elastic
⚠️ Risk & Real-World Impact
Worst Case
Attacker gains full control of victim's Kibana session, steals sensitive data, performs actions as the victim, and potentially pivots to other systems.
Likely Case
Attacker executes malicious JavaScript in authenticated users' browsers, stealing session cookies, credentials, or performing unauthorized actions within Kibana.
If Mitigated
With the Synthetics feature privilege and synthetics index write access granted only where needed, the pool of users who can plant a payload shrinks to those who already have that functionality. This narrows exposure but does not remove the flaw; patching is still required.
🎯 Exploit Status
Exploitation requires authenticated access to Kibana with Synthetics app permissions. Attack involves uploading crafted HTML/JavaScript files.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 7.17.24 (7.17 branch) and 8.12.0 (8.x branch)
Vendor Advisory: https://discuss.elastic.co/t/kibana-7-17-24-and-8-12-0-security-update-esa-2024-20/377712
Restart Required: Yes
Instructions:
1. Back up the Kibana configuration (kibana.yml and the keystore) and the data Kibana depends on.
2. Install Kibana 7.17.24 (on the 7.17 branch) or 8.12.0 or later (on 8.x) from Elastic's official repository. Kibana must run a version compatible with the Elasticsearch cluster it connects to, so on 8.x this normally means upgrading Elasticsearch to at least the same version first.
3. Restart the Kibana service.
4. Verify the update: query /api/status and confirm that version.number reports the patched version.
🔧 Temporary Workarounds
Restrict Synthetics App Access
Limit the Synthetics app to the users who need it. In Kibana role management (Stack Management > Security > Roles, or the Kibana roles API at /api/security/role/<name>; Elasticsearch's file-based roles.yml can carry the same privileges) grant the Synthetics feature privilege only to those roles and leave it off everywhere else. Restrict write access to the synthetics indices at the Elasticsearch index-privilege level as well, since index write access is an equivalent route in. Use Kibana Spaces to keep the Synthetics feature out of spaces shared with lower-trust users.
# Kibana role management: Stack Management > Security > Roles, or PUT /api/security/role/<name>
# Kibana Spaces: disable the Synthetics feature in spaces used by lower-trust users
Disable File Uploads
Kibana does not expose a dedicated setting that turns off uploads into the Synthetics app, so this control sits in front of Kibana: configure the reverse proxy or WAF to reject write requests (POST/PUT) to Synthetics routes whose declared content type or body is HTML or JavaScript. Pair this with the role restriction above, because a proxy rule does not cover writes that go straight to the synthetics indices.
# Reverse proxy / WAF: block POST/PUT to Synthetics routes carrying text/html or application/javascript
# Keep the Synthetics feature privilege off for users who do not need it
🧯 If You Can't Patch
- Implement strict access controls to limit who can use the Synthetics app or write to synthetics indices.
- Deploy a web application firewall (WAF) with rules to detect and block malicious file uploads and XSS payloads.
🔍 How to Verify
Check if Vulnerable:
Query the status API and compare version.number against the fix line for your branch: any 7.x release below 7.17.24, or any 8.x release below 8.12.0, is vulnerable. With security enabled the endpoint requires credentials, so pass them with -u.
Check Version:
curl -s -u elastic:PASSWORD 'http://localhost:5601/api/status' | jq -r '.version.number'
Without jq (the version string is nested under the version object, so match its number key): curl -s -u elastic:PASSWORD 'http://localhost:5601/api/status' | grep -o '"number":"[^"]*"'
Verify Fix Applied:
After the restart, confirm the same query reports 7.17.24 or later on the 7.17 branch, or 8.12.0 or later on 8.x. The API reflects the running binary, so a package that was installed but not restarted still reports the old version.
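The version comparison above is easy to get wrong by hand because the two fix lines sit on different branches (a 7.17.23 box is vulnerable while a much lower 8.12.0 number is not). The following script is an added example, not part of this page or of Elastic's tooling: it reads the JSON that /api/status returns, pulls out version.number, and classifies it against the fix versions stated above. The embedded status document is constructed for the example; the fetch helper, credentials and base URL are assumptions for your deployment.

```python
from __future__ import annotations

import json
import re
import sys
import urllib.request
from base64 import b64encode

# Fix versions as stated in the advisory section of this page (taken as given here):
# the 7.17 branch is fixed in 7.17.24, the 8.x branch in 8.12.0.
FIXED_BY_MAJOR = {7: (7, 17, 24), 8: (8, 12, 0)}

# Constructed sample of a /api/status response; only the keys this script uses are shown.
# Kibana returns "version" as an object, so the version string lives at version.number.
SAMPLE_STATUS = json.dumps({
    "name": "kibana-1",
    "version": {"number": "8.11.4", "build_hash": "0000000", "build_number": 0, "build_snapshot": False},
})


def parse_version(version: str) -> tuple[int, int, int]:
    """Turn '8.11.4' (or '8.11.4-SNAPSHOT') into a comparable (major, minor, patch) tuple."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised Kibana version string: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return major, minor, patch


def is_vulnerable(version: str) -> bool:
    """True when the release is older than the fix on its branch.

    Majors below 7 predate both fix lines and are reported as vulnerable;
    majors above 8 were cut after the fix and are reported as fixed.
    """
    v = parse_version(version)
    if v[0] in FIXED_BY_MAJOR:
        return v < FIXED_BY_MAJOR[v[0]]
    return v[0] < 7


def check_status_json(status_json: str) -> tuple[str, bool]:
    """Extract version.number from a /api/status body and classify it."""
    version = json.loads(status_json)["version"]["number"]
    return version, is_vulnerable(version)


def fetch_status(base_url: str, user: str | None = None, password: str | None = None) -> str:
    """GET /api/status; HTTP basic auth is needed when Kibana security is enabled (assumed here)."""
    req = urllib.request.Request(base_url.rstrip("/") + "/api/status")
    if user is not None:
        token = b64encode(f"{user}:{password or ''}".encode()).decode()
        req.add_header("Authorization", f"Basic {token}")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    # usage: python check_kibana.py [http://kibana:5601 [user password]]
    # Without arguments the constructed sample is classified instead of a live instance.
    body = fetch_status(sys.argv[1], *sys.argv[2:4]) if len(sys.argv) > 1 else SAMPLE_STATUS
    version, vulnerable = check_status_json(body)
    print(f"Kibana {version}: {'VULNERABLE' if vulnerable else 'fixed'} (CVE-2024-11390)")
```

Run it against each Kibana node rather than once per cluster: Kibana instances behind a load balancer can drift in version during a rolling upgrade, and the status API answers for the single instance that served the request.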
📡 Detection & Monitoring
Log Indicators:
- Unusual file uploads to Kibana endpoints
- Multiple failed upload attempts
- Suspicious JavaScript or HTML file uploads
Network Indicators:
- HTTP POST requests to Kibana upload endpoints with unusual file types
- Traffic patterns indicating file upload exploitation
SIEM Query:
source="kibana.log" AND ("upload" OR "synthetics") AND ("html" OR "javascript" OR "js") AND status=200
Adapt the field names to your pipeline. Kibana writes a per-request entry only when request/response logging is enabled (the http.server.response logger at debug level in kibana.yml), and Kibana 8 logs are JSON, so the status code sits under http.response.status_code rather than a bare status field.
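The log and network indicators above translate into two concrete rules: an accepted write to a Synthetics route whose request body was HTML or JavaScript, and a burst of rejected writes from the same user and client. The script below is an added example, not from this page or from Elastic, and runs those rules over log lines. The sample lines are constructed for the example in an ECS-style JSON shape; the exact field names, the /synthetics path fragment and the failure threshold are assumptions to map onto what your Kibana deployment actually emits.

```python
import json
from collections import Counter

# Constructed sample of per-request entries in an ECS-style JSON layout. Field names and
# the request paths are assumptions for this example, not verified Kibana output.
SAMPLE_LOG = """\
{"@timestamp":"2024-11-20T10:00:01Z","http":{"request":{"method":"POST","mime_type":"application/json"},"response":{"status_code":200}},"url":{"path":"/api/synthetics/monitors"},"client":{"ip":"10.0.0.5"},"user":{"name":"ops"}}
{"@timestamp":"2024-11-20T10:00:02Z","http":{"request":{"method":"POST","mime_type":"text/html; charset=utf-8"},"response":{"status_code":200}},"url":{"path":"/api/synthetics/monitors"},"client":{"ip":"203.0.113.7"},"user":{"name":"contractor"}}
{"@timestamp":"2024-11-20T10:00:03Z","http":{"request":{"method":"PUT","mime_type":"application/javascript"},"response":{"status_code":400}},"url":{"path":"/api/synthetics/monitors/abc"},"client":{"ip":"198.51.100.9"},"user":{"name":"contractor"}}
{"@timestamp":"2024-11-20T10:00:04Z","http":{"request":{"method":"PUT","mime_type":"application/javascript"},"response":{"status_code":400}},"url":{"path":"/api/synthetics/monitors/abc"},"client":{"ip":"198.51.100.9"},"user":{"name":"contractor"}}
{"@timestamp":"2024-11-20T10:00:05Z","http":{"request":{"method":"GET"},"response":{"status_code":200}},"url":{"path":"/api/synthetics/monitors"},"client":{"ip":"10.0.0.5"},"user":{"name":"ops"}}
{"@timestamp":"2024-11-20T10:00:06Z","http":{"request":{"method":"PUT","mime_type":"text/html"},"response":{"status_code":403}},"url":{"path":"/api/synthetics/monitors/abc"},"client":{"ip":"198.51.100.9"},"user":{"name":"contractor"}}
{"@timestamp":"2024-11-20T10:00:07Z","http":{"request":{"method":"PUT","mime_type":"application/javascript"},"response":{"status_code":200}},"url":{"path":"/api/saved_objects/index-pattern/x"},"client":{"ip":"10.0.0.5"},"user":{"name":"ops"}}
this line is not JSON and is skipped
"""

# Content types that would carry an HTML/JavaScript payload; the path fragment is an assumption.
HTML_JS_TYPES = {"text/html", "application/javascript", "text/javascript", "application/x-javascript"}
WRITE_METHODS = {"POST", "PUT"}
SYNTHETICS_PATH_FRAGMENT = "/synthetics"
FAILED_THRESHOLD = 3  # rejected writes from one (user, client) before raising an alert


def field(event, dotted, default=None):
    """Walk a nested dict by dotted path ('http.request.method'); missing keys yield default."""
    cur = event
    for key in dotted.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return default
        cur = cur[key]
    return cur


def detect(lines):
    """Apply both rules to an iterable of raw log lines and return the findings in order."""
    findings = []
    failures = Counter()
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            ev = json.loads(raw)
        except json.JSONDecodeError:
            continue  # non-JSON noise (stack traces, banners) is not a request record
        method = field(ev, "http.request.method")
        path = field(ev, "url.path") or ""
        if method not in WRITE_METHODS or SYNTHETICS_PATH_FRAGMENT not in path:
            continue
        status = field(ev, "http.response.status_code")
        # Strip parameters such as "; charset=utf-8" before comparing the media type.
        mime = (field(ev, "http.request.mime_type") or "").split(";")[0].strip().lower()
        who = (field(ev, "user.name") or "?", field(ev, "client.ip") or "?")
        base = {"user": who[0], "client_ip": who[1], "path": path, "timestamp": ev.get("@timestamp")}
        if status == 200 and mime in HTML_JS_TYPES:
            # Rule 1: the server accepted an HTML/JS body on a Synthetics write route.
            findings.append(dict(base, rule="html_js_write_accepted", mime_type=mime))
        elif isinstance(status, int) and 400 <= status < 500:
            # Rule 2: repeated client-side rejections from the same user/IP, alerted once at threshold.
            failures[who] += 1
            if failures[who] == FAILED_THRESHOLD:
                findings.append(dict(base, rule="repeated_failed_writes", count=FAILED_THRESHOLD))
    return findings


def run_sample():
    """Run both rules over the constructed sample log."""
    return detect(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for finding in run_sample():
        print(json.dumps(finding))
```

On the sample, the accepted text/html POST from 203.0.113.7 fires the first rule and the third rejected write from the contractor account fires the second; the JavaScript PUT to a non-Synthetics path and the GET are ignored. Rule 2 is the more reliable of the two on a patched instance, where the accepted-upload rule should stop firing while probing still shows up as 4xx noise.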