Researchers have discovered a serious memory corruption vulnerability in a cloud logging tool used across major cloud platforms.
Fluent Bit is an open source tool for collecting, processing, and forwarding logs and other types of application data. It is one of the most popular programs, with more than 3 billion downloads as of 2022 and 10 million or so new deployments with each passing day. It is used by major enterprises such as VMware, Cisco, Adobe, Walmart, and LinkedIn, and by almost all major cloud providers, including AWS, Microsoft, and Google Cloud.
The problem with Fluent Bit, dubbed “Linguistic Lumberjack” in a new report from Tenable, lies in how the HTTP server embedded in the service parses trace requests. Tampering with those requests can lead to denial of service (DoS), data leakage, or remote code execution (RCE) in a cloud environment.
“Everyone is excited about a vulnerability in Azure, AWS, GCP, but no one is really looking at the technologies that make up all these major cloud services — common core pieces of software that now impact every major cloud provider,” says Jamie Seabury, senior research engineer at Tenable. “You have to look for security bombs for applications and similar components of services, not just the services themselves.”
The effect of Linguistic Lumberjack
The researchers were initially looking into a completely separate security issue in an undisclosed cloud service when they realized something unexpected had happened. From where they were sitting, it appeared that they were able to access a wide range of internal metrics and logging endpoints of the cloud service provider (CSP). One such example is Fluent Bit.
This cross-tenant data leak came from endpoints in Fluent Bit's monitoring application programming interface (API), which is designed to allow users to query and monitor its internal data. After some testing, it turned out that the little data that leaked was just a precursor to a deeper problem.
For one particular endpoint – /api/v1/traces – the data types passed as input names were not properly validated before being parsed by the program. Therefore, by passing non-string values, an attacker can cause all kinds of memory corruption issues in Fluent Bit. The researchers experimented with a variety of positive and negative integer values, in particular, and succeeded in causing errors that crash the service and leak potentially sensitive data.
Attackers can also use this same trick to obtain RCE capabilities in a targeted environment. However, Tenable noted that developing such an exploit would require a significant amount of effort, as it would be customized to fit the target's operating system and architecture.
What to do about it
The bug exists in Fluent Bit versions 2.0.7 to 3.0.3. It is tracked under CVE-2024-4323, and various sites have assigned it a “Critical” CVSS score of over 9.5 out of 10. After it was reported on April 30, Fluent Bit's maintainers updated the service to correctly validate data types in the problematic endpoint's input field. The fix was applied to the project's master branch on GitHub on May 15.
Organizations with Fluent Bit deployed in their infrastructure and environments are advised to upgrade as soon as possible. Alternatively, Tenable suggests that administrators review any relevant configurations of Fluent Bit's monitoring API to ensure that only authorized users and services can query it, or even that no users or services can query it at all.
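The two checks above (is the version in the affected range, and is the monitoring API reachable) can be combined into a small audit. This is an added example, not code from Tenable or the Fluent Bit project. It assumes a classic-mode configuration file whose [SERVICE] section uses the HTTP_Server and HTTP_Listen keys with defaults of off and 0.0.0.0; the function names, priority labels and sample input are hypothetical.

```python
import re
# Affected range as stated in the article: 2.0.7 through 3.0.3, inclusive.
AFFECTED = ((2, 0, 7), (3, 0, 3))
LOOPBACK = {"127.0.0.1", "::1", "localhost"}

def is_affected(version_text):
    """True if the x.y.z version found in version_text is in the affected range."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", version_text)
    if not m:
        raise ValueError(f"no x.y.z version in {version_text!r}")
    return AFFECTED[0] <= tuple(map(int, m.groups())) <= AFFECTED[1]

def service_settings(config_text):
    """Collect lower-cased keys and their values from the [SERVICE] section only."""
    settings, in_service = {}, False
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            in_service = line.upper() == "[SERVICE]"
        elif in_service:
            key, *rest = line.split(None, 1)
            settings[key.lower()] = rest[0] if rest else ""
    return settings

def audit(version_text, config_text):
    """Rank remediation urgency from the version and monitoring API exposure."""
    s = service_settings(config_text)
    # Assumed defaults when a key is absent: server off, listening on all interfaces.
    enabled = s.get("http_server", "off").lower() in ("on", "true", "yes")
    listen = s.get("http_listen", "0.0.0.0")
    exposed = enabled and listen not in LOOPBACK
    if is_affected(version_text):
        # high: reachable from other hosts; medium: loopback only; low: API disabled
        priority = "high" if exposed else "medium" if enabled else "low"
    else:
        priority = "review-access" if exposed else "none"
    return {"priority": priority, "api_enabled": enabled, "listen": listen}

# Constructed sample input, not taken from any real deployment.
SAMPLE_CONFIG = """
[SERVICE]
    HTTP_Server  On
    HTTP_Listen  0.0.0.0
[INPUT]
    Name  cpu
"""
print(audit("Fluent Bit v3.0.3", SAMPLE_CONFIG))
```

The exposure check looks only at the bind address, so firewall rules or network policies that already restrict the port are not reflected in the result.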