CVE-2024-37287
📋 TL;DR
This CVE describes a prototype pollution vulnerability in Kibana that allows authenticated attackers with specific permissions to execute arbitrary code. It affects Kibana instances where users have ML and Alerting connector access plus write permissions to internal ML indices. The vulnerability enables remote code execution with high impact.
💻 Affected Systems
- Kibana
📦 What is this software?
Kibana by Elastic
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise allowing attacker to execute arbitrary commands, access sensitive data, and potentially pivot to other systems in the environment.
Likely Case
Unauthorized code execution within the Kibana context, leading to data exfiltration, privilege escalation, or deployment of persistent backdoors.
If Mitigated
Limited impact due to proper access controls and network segmentation, potentially only affecting the Kibana service itself.
🎯 Exploit Status
Exploitation requires specific permissions and knowledge of the ML/Alerting connector features.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 8.14.2 and 7.17.23
Vendor Advisory: https://discuss.elastic.co/t/kibana-8-14-2-7-17-23-security-update-esa-2024-22/
Restart Required: Yes
Instructions:
1. Back up the Kibana configuration and data.
2. Download and install Kibana version 8.14.2 or 7.17.23 from elastic.co.
3. Restart the Kibana service.
4. Verify that the upgrade succeeded and that Kibana functions normally.
🔧 Temporary Workarounds
Restrict ML and Alerting Access
Temporarily remove ML and Alerting connector permissions from users who do not strictly need them.
# Use Kibana role management or Elasticsearch security API to modify user permissions
Network Segmentation
Restrict network access to Kibana instances to trusted sources only.
# Configure firewall rules to limit Kibana port (default 5601) access
🧯 If You Can't Patch
- Implement strict access controls to limit who has ML and Alerting connector permissions
- Monitor Kibana logs for unusual ML index write activities and alerting connector usage
🔍 How to Verify
Check if Vulnerable:
Check the Kibana version via the web interface or the command line. Releases on the 8.x line before 8.14.2, and on the 7.17.x line before 7.17.23, are vulnerable.
Check Version:
curl -s -X GET "localhost:5601/api/status" | grep -o '"number":"[^"]*"'
Verify Fix Applied:
After patching, verify that the reported Kibana version is 8.14.2 or later on the 8.x line, or 7.17.23 or later on the 7.17.x line.
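As an added example (not part of the advisory or of Elastic's own tooling), the following POSIX shell script pulls the version out of the /api/status response and classifies it against the two fix releases, including the branch edge cases (7.17.x vs 8.x, suffixes such as -SNAPSHOT, unparseable input). The function names, the sample JSON and the assumed compact layout of the status response are constructed here.

```shell
#!/bin/sh
# Added example, not from the Elastic advisory: classify a Kibana version
# against the CVE-2024-37287 fix releases 8.14.2 (8.x) and 7.17.23 (7.17.x).
# Returns 0 = fixed, 1 = not fixed, 2 = version string not understood.
kibana_is_fixed() {
    v="${1%%-*}"                                 # drop suffixes such as -SNAPSHOT
    case "$v" in ''|*[!0-9.]*) return 2 ;; esac  # must be dotted digits only
    old_ifs="$IFS"; IFS=.; set -- $v; IFS="$old_ifs"
    [ "$#" -eq 3 ] && [ -n "$1" ] && [ -n "$2" ] && [ -n "$3" ] || return 2
    major="$1"; minor="$2"; patch="$3"
    if [ "$major" -gt 8 ]; then return 0; fi
    if [ "$major" -eq 8 ]; then                  # 8.x: fixed from 8.14.2 upward
        [ "$minor" -gt 14 ] && return 0
        [ "$minor" -eq 14 ] && [ "$patch" -ge 2 ] && return 0
        return 1
    fi
    # 7.17.x: fixed from 7.17.23 upward. Any other 7.x or older release has no
    # fix listed on this page, so it is reported as not fixed (conservative).
    if [ "$major" -eq 7 ] && [ "$minor" -eq 17 ] && [ "$patch" -ge 23 ]; then
        return 0
    fi
    return 1
}

# Pull version.number out of the JSON that GET /api/status returns. Assumes the
# compact layout ..."version":{"number":"8.14.1",... (whitespace tolerated).
extract_kibana_version() {
    sed -n 's/.*"version"[[:space:]]*:[[:space:]]*{[[:space:]]*"number"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' | head -n 1
}

# Constructed sample of a status response, trimmed to the fields used here.
SAMPLE_STATUS='{"name":"kibana-node-1","version":{"number":"8.14.1","build_hash":"0000000","build_number":0,"build_snapshot":false},"status":{"overall":{"level":"available"}}}'

# Query a live instance (default localhost:5601, as in the curl check above);
# add curl options such as -u user:pass if the instance needs authentication.
check_kibana() {
    ver="$(curl -s "${1:-localhost:5601}/api/status" | extract_kibana_version)"
    rc=0; kibana_is_fixed "$ver" || rc=$?
    case "$rc" in
        0) echo "Kibana $ver: at or above the fix release for CVE-2024-37287" ;;
        1) echo "Kibana $ver: NOT fixed, upgrade to 8.14.2 or 7.17.23" ;;
        *) echo "could not determine the Kibana version" ;;
    esac
    return "$rc"
}

# Run against a host only when one is given, e.g. ./check.sh kibana.internal:5601
if [ "$#" -gt 0 ]; then check_kibana "$1"; fi
```

The exit status of check_kibana mirrors kibana_is_fixed, so the script can be dropped into a fleet inventory job that flags hosts returning 1 or 2.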
📡 Detection & Monitoring
Log Indicators:
- Unusual ML index write operations
- Suspicious alerting connector modifications
- Unexpected process executions from Kibana
Network Indicators:
- Unusual outbound connections from Kibana server
- Traffic to unexpected destinations on non-standard ports
SIEM Query:
source="kibana.log" AND ("ML index" OR "alerting connector") AND ("write" OR "modify" OR "execute")