CVE-2024-23443
📋 TL;DR
This vulnerability allows high-privileged Kibana users with osquery pack creation permissions to upload malicious packs that could cause Kibana availability issues through resource exhaustion. It affects Kibana instances where users have been granted osquery pack management privileges.
💻 Affected Systems
- Kibana
📦 What is this software?
Kibana by Elastic
⚠️ Risk & Real-World Impact
Worst Case
A malicious insider or compromised high-privileged account could upload a specially crafted osquery pack that causes Kibana to become unresponsive or crash, disrupting monitoring and visualization capabilities.
Likely Case
Accidental or intentional upload of poorly designed osquery packs that consume excessive resources, leading to Kibana performance degradation or temporary unavailability.
If Mitigated
Minimal impact with proper privilege management and monitoring in place, as only authorized users could trigger the issue and it would be quickly detected.
🎯 Exploit Status
Requires authenticated access with osquery pack creation privileges. Exploitation involves uploading a malicious pack file.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Kibana 8.14.0, 7.17.22
Vendor Advisory: https://discuss.elastic.co/t/kibana-8-14-0-7-17-22-security-update-esa-2024-11/361460
Restart Required: Yes
Instructions:
1. Back up the Kibana configuration and data.
2. Download the patched version from the Elastic website.
3. Stop the Kibana service.
4. Install the updated version.
5. Restart the Kibana service.
6. Verify functionality.
🔧 Temporary Workarounds
Restrict osquery pack permissions
- Remove osquery pack creation permissions from non-essential users
- Review and modify Kibana role-based access control (RBAC) to restrict 'osquery:write' permissions
Implement pack validation
- Add validation for uploaded osquery packs before deployment
- Implement custom validation scripts or use the Kibana API to review packs before activation
🧯 If You Can't Patch
- Implement strict least-privilege access control for osquery pack management
- Monitor for unusual osquery pack uploads and resource consumption patterns
🔍 How to Verify
Check if Vulnerable:
Check the Kibana version and whether any users or roles have been granted osquery pack creation permissions
Check Version:
curl -X GET "localhost:5601/api/status" | grep "version"
Verify Fix Applied:
Confirm the Kibana version is 8.14.0 or later (or 7.17.22 or later on the 7.17 line) and test osquery pack functionality
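As an added example (not from the advisory or from Elastic), the following script reads the version.number field of Kibana's /api/status response and compares it against the fixed releases named above, so the check can be run across many instances instead of eyeballing curl output. The status URL, the optional auth header, and the embedded sample response are assumptions/constructed; the fixed-version table is the one stated on this page.

```python
import json
import urllib.request

# Fixed releases from the advisory: 7.17.22 for the 7.x line, 8.14.0 for 8.x.
FIXED = {7: (7, 17, 22), 8: (8, 14, 0)}

def parse_version(version):
    """'8.13.4' -> (8, 13, 4); a suffix such as '-SNAPSHOT' is ignored."""
    core = version.split("-")[0]
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])

def is_vulnerable(version):
    """True if below the fixed release of its major line, False if at or above,
    None when the major line is not covered by this advisory."""
    parsed = parse_version(version)
    fixed = FIXED.get(parsed[0])
    if fixed is None:
        return None
    return parsed < fixed

def version_from_status(status_body):
    """Pull version.number out of a /api/status JSON body."""
    return json.loads(status_body)["version"]["number"]

def fetch_version(url="http://localhost:5601/api/status", headers=None):
    # Assumed: an unauthenticated or header-authenticated status endpoint.
    req = urllib.request.Request(url, headers=headers or {})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return version_from_status(resp.read().decode())

# Constructed sample response, trimmed to the field the check needs.
SAMPLE_STATUS = '{"name": "kibana-1", "version": {"number": "8.13.4"}}'

if __name__ == "__main__":
    v = version_from_status(SAMPLE_STATUS)
    print(v, "vulnerable" if is_vulnerable(v) else "fixed")
```

Pass the Kibana auth header you normally use to fetch_version() if the status endpoint requires it.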
📡 Detection & Monitoring
Log Indicators:
- Unusual osquery pack uploads
- Kibana process resource exhaustion logs
- Error logs related to pack processing
Network Indicators:
- Increased API calls to osquery pack endpoints
- Unusual traffic patterns to Kibana
SIEM Query:
source="kibana.log" AND ("osquery pack" OR "pack upload") AND (error OR warning OR "resource exhaustion")