Pierluigi Paganini
May 21, 2024
Tenable researchers have discovered a severe vulnerability in the Fluent Bit utility, which is used on major cloud platforms.
Fluent Bit is an open-source, lightweight, and high-performance log processor and forwarder. It is designed to collect, process, and ship logs and other types of data from various sources to different destinations. Fluent Bit is part of the Fluentd ecosystem and is optimized for resource efficiency, making it suitable for environments with limited resources, such as IoT devices, edge computing, and containerized applications.
The tool had over 3 billion downloads as of 2022 and approximately has 10 million new deployments each day.
The utility is used by major organizations such as VMware, Cisco, Adobe, Walmart, Splunk, Intel, Arm, Adobe and LinkedIn, and almost any cloud service provider, including AWS, Microsoft, and Google Cloud.
Researchers at cybersecurity firm Tenable have discovered a vulnerability in the Fluent Bit utility, called Linguistic Lumberjack, which is tracked CVE-2024-4323 (CVSS score of 9.8).
The vulnerability can trigger a denial-of-service (DoS) condition, lead to an information disclosure, and potentially remote code execution (RCE).
Tenable discovered the vulnerability in the Fluent Bit monitoring API that allows users or services with access to it to launch a Denial of Service (DoS) attack or obtain potentially sensitive information.
Fluent Bit’s monitoring API allows administrators to query and monitor internal service information through various HTTP endpoints, such as those for service uptime and plugin metrics. However, the researchers discovered that endpoints /api/v1/traces and /api/v1/trace, which manage trace configurations, can be accessed by any user with API access.
The vulnerability arises during the parsing of requests to these endpoints, where the data types of input names are not properly validated. They are mistakenly assumed to be valid strings (MSGPACK_OBJECT_STRs). The researchers discovered that an attacker can pass non-string values, such as integers, in the “inputs” array, leading to memory corruption issues. Specifically, the flb_sds_create_len() function can misinterpret the values, causing potential vulnerabilities.
“In their lab environment, the researchers were able to reliably exploit this issue to crash the service and cause a denial of service scenario. They were also able to retrieve chunks of adjacent memory, which are returned in the HTTP responses. While this is generally unlikely to reveal anything other than previous metrics requests, the researchers were able to occasionally retrieve partial secrets during their testing, indicating that this issue could potentially leak sensitive information.” reads the report published by Tenable. “As for the remote code execution possibilities of this issue, exploitation is dependent on a variety of environmental factors such as host architecture and operating system. While heap buffer overflows such as this are known to be exploitable, creating a reliable exploit is not only difficult, but incredibly time intensive. The researchers believe that the most immediate and primary risks are those pertaining to the ease with which DoS and information leaks can be accomplished.”
The flaw was introduced in version 2.0.7 and exists thru 3.0.3. It is addressed in the main source branch and is expected in release 3.0.4.
Tenable also published a proof-of-concept (PoC) to trigger a DoS condition.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Fluent Bit)
