CVE-2024-37279
📋 TL;DR
This vulnerability allows view-only users in Kibana to abuse the run_soon API to trigger continuous execution of alerting rules. This could lead to resource exhaustion and system availability issues if rules run complex queries. Organizations using Kibana with alerting features and view-only user accounts are affected.
💻 Affected Systems
- Kibana
📦 What is this software?
Kibana by Elastic: the web UI and HTTP API layer of the Elastic Stack. Its Alerting feature schedules rules that run queries against Elasticsearch on an interval; the run_soon API triggers an immediate, out-of-schedule execution of a rule.
⚠️ Risk & Real-World Impact
Worst Case
Denial of service through resource exhaustion, potentially crashing Kibana instances or degrading Elasticsearch performance due to continuous execution of complex alert queries.
Likely Case
Degraded system performance, increased resource consumption, and potential alert fatigue from repeated rule executions.
If Mitigated
Minimal impact with proper access controls and monitoring in place to detect abnormal rule execution patterns.
🎯 Exploit Status
Exploitation requires valid credentials for a user with view-only (read) access to alerting rules and the ID of an existing rule. Triggering a run is a single authenticated HTTP request, so it can be repeated in a loop without any special tooling; the page notes no public exploit code.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Kibana 8.14.0
Vendor Advisory: https://discuss.elastic.co/t/kibana-8-14-0-security-update-esa-2024-15/360887
Restart Required: Yes
Instructions:
1. Back up the Kibana configuration (kibana.yml) and saved objects.
2. Download Kibana 8.14.0 or later from the Elastic website.
3. Stop the Kibana service.
4. Install or upgrade to the patched version.
5. Restart the Kibana service.
6. Verify functionality and confirm the reported version (see How to Verify below).
🔧 Temporary Workarounds
Restrict view-only user permissions
Until you can upgrade, remove the alerting feature privileges (Stack Rules and any solution-specific rule features) from roles held by view-only users, so those users cannot reach the rule APIs at all. Note that the kibana.yml setting xpack.alerting.rules.minimumScheduleInterval.value (together with xpack.alerting.rules.minimumScheduleInterval.enforce) only constrains how often a rule is scheduled; run_soon starts an immediate run outside that schedule, so tightening the minimum interval does not close this issue.
Implement API rate limiting
Kibana does not ship a per-route rate-limit setting. Put a reverse proxy (for example nginx) in front of Kibana and rate-limit, or block for non-admin users, POST requests whose path ends in /alerting/rule/<rule id>/_run_soon.
🧯 If You Can't Patch
- Implement strict role-based access control to limit view-only users' permissions
- Monitor alert execution logs for abnormal patterns and implement alerting on excessive rule runs
🔍 How to Verify
Check if Vulnerable:
If the Kibana version is lower than 8.14.0 and alerting is enabled, the system is vulnerable.
Check Version:
curl -s -u <user>:<password> 'http://localhost:5601/api/status' | jq -r '.version.number'
(Omit -u if Kibana security is disabled; the response is JSON and the version is the version.number field.)
Verify Fix Applied:
Verify Kibana version is 8.14.0 or later and test that view-only users cannot trigger continuous rule execution.
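The version comparison above is easy to get wrong with a plain string compare (8.9.0 sorts after 8.14.0 lexically). The following is an added example, not Elastic's code, that parses the version.number field from a GET /api/status body and compares it numerically against the 8.14.0 fix version; SAMPLE_STATUS is a constructed response trimmed to the fields used here, and fetch_version is an assumed helper for querying a live instance with HTTP basic auth.

```python
"""Version check for CVE-2024-37279 (fixed in Kibana 8.14.0).
Added example; not Elastic's code."""
import base64
import json
import urllib.request
from typing import Optional, Tuple

FIXED_VERSION = (8, 14, 0)

# Constructed sample of a GET /api/status body, trimmed to the fields used here.
SAMPLE_STATUS = '{"name": "kibana-01", "version": {"number": "8.13.4", "build_snapshot": false}}'


def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn '8.13.4' or '8.14.0-SNAPSHOT' into a numerically comparable tuple."""
    core = version.split("-", 1)[0]            # drop "-SNAPSHOT" style suffixes
    parts = [int(p) for p in core.split(".")]
    parts += [0] * (3 - len(parts))            # pad "8.14" -> (8, 14, 0)
    return (parts[0], parts[1], parts[2])


def is_vulnerable(version: str) -> bool:
    """True when the version predates the fix (numeric compare, not string compare)."""
    return parse_version(version) < FIXED_VERSION


def version_from_status(body: str) -> str:
    """Extract version.number from a /api/status JSON body."""
    return json.loads(body)["version"]["number"]


def fetch_version(base_url: str, auth: Optional[Tuple[str, str]] = None,
                  timeout: float = 5.0) -> str:
    """Assumed helper: query /api/status on a live instance.
    /api/status is a GET, so no kbn-xsrf header is needed; basic auth is
    required when Kibana security is enabled."""
    req = urllib.request.Request(base_url.rstrip("/") + "/api/status")
    if auth:
        token = base64.b64encode(f"{auth[0]}:{auth[1]}".encode()).decode()
        req.add_header("Authorization", f"Basic {token}")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return version_from_status(resp.read().decode())


if __name__ == "__main__":
    # Offline demo against the constructed sample; swap in fetch_version(...)
    # to check a real instance.
    v = version_from_status(SAMPLE_STATUS)
    print(f"Kibana {v}: {'VULNERABLE (< 8.14.0)' if is_vulnerable(v) else 'fix applied'}")
```

A passing version check is necessary but not sufficient: after upgrading, also confirm with a view-only account that a POST to the rule's _run_soon route is rejected, since that is the behaviour the fix changes.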
📡 Detection & Monitoring
Log Indicators:
- Excessive 'run_soon' API calls from view-only users
- Unusually frequent alert rule executions
- High resource usage patterns in Kibana logs
Network Indicators:
- Repeated POST requests to the run_soon route (path ending in /alerting/rule/<rule id>/_run_soon), especially many calls for the same rule ID from the same non-admin account
- Increased network traffic to Kibana alerting APIs
SIEM Query:
Splunk-style query against Kibana audit logs (requires xpack.security.audit.enabled: true in kibana.yml; ECS field names assumed). Tune the threshold to the number of manual runs your operators legitimately perform:
index=kibana event.action="http_request" http.request.method="post" url.path="*/alerting/rule/*/_run_soon" | stats count by user.name, url.path | where count > 20
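The same detection expressed as code, so it can be run over exported audit logs or embedded in a detection pipeline. This is an added example, not Elastic's code: it reads ECS-shaped JSON lines (the field layout event.action, user.name, http.request.method, url.path is an assumption about the audit-log format), keeps only POSTs to the run_soon route under either the /api or /internal prefix, and reports any (user, rule) pair with more than a threshold of calls inside a sliding window. SAMPLE_LOG is constructed for the demo.

```python
"""Flag bursts of run_soon calls per (user, rule) in Kibana audit logs.
Added example; not Elastic's code. Field layout is an assumption."""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Optional, Tuple

# Matches the run_soon route regardless of the /api or /internal prefix.
RUN_SOON_RE = re.compile(r"/alerting/rule/([^/]+)/_run_soon/?$")


def _constructed_line(ts: datetime, user: str, method: str, path: str) -> str:
    """Build one constructed audit-log line in the ECS shape assumed for
    event.action=http_request records."""
    return json.dumps({
        "@timestamp": ts.isoformat().replace("+00:00", "Z"),
        "event": {"action": "http_request", "category": ["web"]},
        "user": {"name": user},
        "http": {"request": {"method": method}},
        "url": {"path": path},
    })


_BASE = datetime(2024, 6, 1, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_LOG: List[str] = (
    # A view-only user hammering one rule: 8 POSTs in 35 seconds.
    [_constructed_line(_BASE + timedelta(seconds=5 * i), "viewer", "post",
                       "/internal/alerting/rule/r-1/_run_soon") for i in range(8)]
    # Two legitimate manual runs by an operator, half an hour apart.
    + [_constructed_line(_BASE + timedelta(minutes=m), "admin", "post",
                         "/internal/alerting/rule/r-2/_run_soon") for m in (0, 30)]
    # Noise that must be ignored: wrong method, different route, unparsable line.
    + [_constructed_line(_BASE, "viewer", "get", "/internal/alerting/rule/r-1/_run_soon"),
       _constructed_line(_BASE, "viewer", "post", "/api/alerting/rule/r-1/_enable"),
       "not json at all"]
)


def parse_event(line: str) -> Optional[Tuple[datetime, str, str]]:
    """Return (timestamp, user, rule_id) for a POST to run_soon, else None."""
    try:
        ev = json.loads(line)
    except json.JSONDecodeError:
        return None
    if not isinstance(ev, dict) or ev.get("event", {}).get("action") != "http_request":
        return None
    method = ev.get("http", {}).get("request", {}).get("method", "")
    if method.lower() != "post":
        return None
    m = RUN_SOON_RE.search(ev.get("url", {}).get("path", ""))
    if not m:
        return None
    ts = datetime.fromisoformat(ev["@timestamp"].replace("Z", "+00:00"))
    return ts, ev.get("user", {}).get("name", "<unknown>"), m.group(1)


def find_run_soon_bursts(lines: Iterable[str], threshold: int = 5,
                         window: timedelta = timedelta(minutes=1)
                         ) -> Dict[Tuple[str, str], int]:
    """Map (user, rule_id) -> peak number of run_soon calls seen in any
    sliding window, for pairs whose peak exceeds the threshold."""
    by_key: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)
    for line in lines:
        parsed = parse_event(line)
        if parsed:
            ts, user, rule = parsed
            by_key[(user, rule)].append(ts)
    bursts: Dict[Tuple[str, str], int] = {}
    for key, stamps in by_key.items():
        stamps.sort()
        start, peak = 0, 0
        for end, ts in enumerate(stamps):        # two-pointer sliding window
            while ts - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            bursts[key] = peak
    return bursts


if __name__ == "__main__":
    for (user, rule), peak in find_run_soon_bursts(SAMPLE_LOG).items():
        print(f"ALERT user={user} rule={rule} run_soon calls in window={peak}")
```

The window-based count matters more than a raw total: a few manual runs spread over a shift are normal operator behaviour, while many runs of the same rule within a minute from a read-only account is the abuse pattern this CVE describes.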