CVE-2024-37285

9.1 CRITICAL

📋 TL;DR

A deserialization vulnerability in Kibana allows authenticated attackers with specific Elasticsearch and Kibana privileges to execute arbitrary code by uploading malicious YAML documents. This affects Kibana instances where users have write access to .kibana_ingest* system indices with restricted access enabled, plus specific Kibana Fleet or Integration privileges.

💻 Affected Systems

Products:
  • Kibana
Versions: Specific versions not provided in CVE description; check Elastic advisory for exact affected versions
Operating Systems: All platforms running Kibana
Default Config Vulnerable: ✅ No
Notes: Requires specific privilege combinations: write on .kibana_ingest* indices with allow_restricted_indices=true, plus Kibana Fleet/Integration privileges

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise allowing attackers to execute arbitrary code with Kibana service account privileges, potentially leading to data exfiltration, lateral movement, or ransomware deployment.

🟠 Likely Case

Privileged authenticated users could exploit this to gain elevated access, modify configurations, or access sensitive data within the Kibana/Elasticsearch environment.

🟢 If Mitigated

With proper privilege separation and access controls, only authorized administrators could potentially exploit this, limiting blast radius.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires an authenticated user with the specific privilege combination; the attacker needs knowledge of both the Elasticsearch and Kibana privilege systems

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Kibana 8.15.1 (referenced in advisory)

Vendor Advisory: https://discuss.elastic.co/t/kibana-8-15-1-security-update-esa-2024-27-esa-2024-28/366119

Restart Required: Yes

Instructions:

1. Upgrade Kibana to version 8.15.1 or later.
2. Restart the Kibana service.
3. Verify that the upgrade completed successfully.

🔧 Temporary Workarounds

Restrict Privilege Combinations

all

Remove the specific privilege combinations required for exploitation from user roles

Review and modify Elasticsearch roles so that no user ends up with both: write on .kibana_ingest* indices with allow_restricted_indices=true AND Kibana Fleet/Integration privileges. Privileges are unioned across all roles assigned to a user, so check each user's effective privileges rather than inspecting roles one at a time.

🧯 If You Can't Patch

  • Implement strict role-based access control to prevent any user from having the required privilege combination
  • Monitor .kibana_ingest* indices for unusual write activity and YAML file uploads
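One way to audit for the privilege combination named in the workaround and in the list above, as an added example that is not from the advisory or from Elastic: the script evaluates each user's effective privileges across all assigned roles, since a user can hold one half of the combination in each of two roles. The privilege names in WRITE_PRIVS and FLEET_PRIVS, the `kibana-` application-name prefix, the representative index name and the sample role/user data are assumptions; in practice feed it the JSON returned by GET _security/role and GET _security/user.

```python
import fnmatch
# Assumed, not from the advisory: index privileges implying write, Kibana application
# privilege names for Fleet/Integrations ("all" covers every feature), sample index name.
WRITE_PRIVS = {"all", "write", "index", "create", "create_doc"}
FLEET_PRIVS = {"all", "feature_fleet.all", "feature_fleet.read",
               "feature_fleetv2.all", "feature_fleetv2.read"}
INGEST_INDEX = ".kibana_ingest"

def grants_ingest_write(role):
    """One index entry gives write on .kibana_ingest* with restricted-index access."""
    for entry in role.get("indices", []):
        if not entry.get("allow_restricted_indices", False):
            continue
        if not WRITE_PRIVS & set(entry.get("privileges", [])):
            continue
        if any(fnmatch.fnmatchcase(INGEST_INDEX, p) for p in entry.get("names", [])):
            return True
    return False

def grants_fleet(role):
    """A Kibana application entry carries Fleet/Integrations privileges."""
    for app in role.get("applications", []):
        if (app.get("application", "").startswith("kibana-")
                and FLEET_PRIVS & set(app.get("privileges", []))):
            return True
    return False

def users_at_risk(users, roles):
    """Privileges are unioned across a user's roles, so evaluate per user, not per role."""
    flagged = {}
    for name, user in users.items():
        assigned = [roles[r] for r in user.get("roles", []) if r in roles]
        if any(map(grants_ingest_write, assigned)) and any(map(grants_fleet, assigned)):
            flagged[name] = list(user["roles"])
    return flagged

# Constructed sample data shaped like GET _security/role and GET _security/user output.
ROLES = {
    "ingest_writer": {"indices": [{"names": [".kibana_ingest*"], "privileges": ["write"],
                                   "allow_restricted_indices": True}]},
    "fleet_admin": {"applications": [{"application": "kibana-.kibana", "resources": ["*"],
                                      "privileges": ["feature_fleetv2.all"]}]},
    "log_viewer": {"indices": [{"names": ["logs-*"], "privileges": ["read"]}]},
}
USERS = {
    "alice": {"roles": ["ingest_writer", "fleet_admin"]},  # both halves, via two roles
    "bob": {"roles": ["fleet_admin"]},
    "carol": {"roles": ["ingest_writer", "log_viewer"]},
}
```

Only alice is flagged: bob lacks the restricted-index write and carol lacks the Fleet privilege, which a role-by-role review would not have shown for alice either.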

🔍 How to Verify

Check if Vulnerable:

Check the Kibana version and review user roles for the privilege combination described in the CVE

Check Version:

curl -X GET "localhost:5601/api/status" | grep "version"

Verify Fix Applied:

Confirm that the running Kibana reports version 8.15.1 or later

📡 Detection & Monitoring

Log Indicators:

  • Unusual YAML file uploads to Kibana
  • Suspicious activity in .kibana_ingest* indices
  • Unexpected process execution from Kibana service account

Network Indicators:

  • Unusual outbound connections from Kibana server
  • Suspicious payloads in Kibana API requests

SIEM Query:

source="kibana.log" AND ("yaml" OR ".kibana_ingest" OR "deserialization")

🔗 References