CVE-2024-43707
📋 TL;DR
This CVE describes an information disclosure vulnerability in Kibana where users without Fleet privileges can view Elastic Agent policies that may contain sensitive data. The vulnerability affects Kibana instances with Elastic Agent integrations enabled. Sensitive information exposure depends on which integrations are configured and their versions.
💻 Affected Systems
- Kibana
📦 What is this software?
Kibana by Elastic
⚠️ Risk & Real-World Impact
Worst Case
Attackers could access Elastic Agent policies containing API keys, credentials, configuration secrets, or other sensitive integration data, potentially leading to lateral movement, data exfiltration, or further system compromise.
Likely Case
Unauthorized users within the organization could view agent policies containing integration configuration details, potentially exposing internal system information or limited credentials.
If Mitigated
With proper access controls and network segmentation, impact is limited to information disclosure within authorized user groups.
🎯 Exploit Status
Exploitation requires authenticated access to Kibana but does not require Fleet privileges. The vulnerability is in authorization logic rather than authentication.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Kibana 8.15.0 and later
Vendor Advisory: https://discuss.elastic.co/t/kibana-8-15-0-security-update-esa-2024-29-esa-2024-30/373521
Restart Required: No
Instructions:
1. Upgrade Kibana to version 8.15.0 or later.
2. Verify the upgrade completed successfully.
3. No restart required for Kibana services.
🔧 Temporary Workarounds
Restrict User Access
Limit Kibana access to only users who require it and implement the principle of least privilege.
Review Agent Policies
Audit Elastic Agent policies to ensure they don't contain unnecessary sensitive information.
🧯 If You Can't Patch
- Implement strict access controls and audit all user permissions in Kibana
- Monitor for unauthorized access attempts to Fleet or agent policy endpoints
🔍 How to Verify
Check if Vulnerable:
Check the Kibana version via Settings > About in the Kibana UI, or via an API call to /api/status
Check Version:
curl -X GET "http://localhost:5601/api/status" -H "kbn-xsrf: true"
Verify Fix Applied:
Verify that the Kibana version is 8.15.0 or later, and confirm that users without Fleet privileges can no longer view agent policies
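The version check above, as an added helper script (not Elastic's code): it reads version.number from the /api/status JSON, compares it numerically against 8.15.0 (a plain string comparison would wrongly rank 8.9.0 above 8.15.0), and checks the HTTP status a non-Fleet user receives from the agent-policies endpoint. It assumes /api/status returns a version.number field and that a patched instance answers 403 to /api/fleet/agent_policies for a user without Fleet privileges; the sample status body is constructed.

```python
"""Verification helper for CVE-2024-43707 (added example, not Elastic's code)."""
import json
import re
import sys
import urllib.request  # only used by main() for a live check

FIXED_VERSION = (8, 15, 0)  # first release carrying the fix


def parse_version(text):
    """Turn '8.14.3' or '8.15.0-SNAPSHOT' into a comparable tuple of ints."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in m.groups())


def is_vulnerable(version_text):
    """Numeric comparison, so 8.9.0 correctly sorts below 8.15.0."""
    return parse_version(version_text) < FIXED_VERSION


def version_from_status(status_json):
    """Extract version.number from a /api/status JSON body."""
    return json.loads(status_json)["version"]["number"]


def policy_access_denied(http_status):
    """Assumption: a non-Fleet user gets 403 from /api/fleet/agent_policies once patched."""
    return http_status == 403


# Constructed sample of a /api/status body, trimmed to the fields used here.
SAMPLE_STATUS = '{"name": "kibana-1", "version": {"number": "8.14.3"}}'


def main(base_url="http://localhost:5601"):
    """Live check against a Kibana instance (base URL from argv, default localhost)."""
    req = urllib.request.Request(f"{base_url}/api/status", headers={"kbn-xsrf": "true"})
    with urllib.request.urlopen(req) as resp:
        version = version_from_status(resp.read().decode())
    state = "VULNERABLE (upgrade to 8.15.0+)" if is_vulnerable(version) else "patched"
    print(f"Kibana {version}: {state}")


if __name__ == "__main__":
    main(*sys.argv[1:2])
```

Run the 403 check with the credentials of a user who has no Fleet privileges; a 200 from the agent-policies endpoint for that user means the fix is not in place.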
📡 Detection & Monitoring
Log Indicators:
- Unauthorized access attempts to Fleet endpoints
- User sessions accessing agent policy APIs without proper permissions
Network Indicators:
- HTTP requests to /api/fleet/agent_policies or similar endpoints from unauthorized users
SIEM Query:
event.dataset: "kibana.log" AND message: "*agent_policies*" AND NOT user.roles: "*fleet*"