Thursday, January 16, 2025
HomeCVE/vulnerabilityCritical Memory Corruption In Cloud Logging Infrastructure Enables Code Execution Attack

Critical Memory Corruption In Cloud Logging Infrastructure Enables Code Execution Attack

Published on

SIEM as a Service

Follow Us on Google News

A new critical vulnerability has been discovered in Fluent Bit’s built-in HTTP server, which has been termed “Linguistic Lumberjack” (CVE-2024-4323).

Exploiting this vulnerability can also lead to a denial of service, information disclosure, or remote code execution. Its severity has been given as 9.8 (Critical).

However, this vulnerability exists in Fluent Bit versions 2.0.7 through 3.0.3. The patch for this vulnerability is expected in the latest release of Fluent Bit 3.0.4.

Fluent Bit is a lightweight, open-source data collector and processor that is capable of handling large volumes of log data from multiple sources.

Free Webinar on Live API Attack Simulation: Book Your Seat | Start protecting your APIs from hackers

Linguistic Lumberjack Vulnerability – CVE-2024-4323

According to the reports shared by Tenable, this vulnerability was related to memory corruption in Fluent Bit’s built-in HTTP server, which could be exploited to achieve a Denial of Service, Information Disclosure, or Remote code execution. 

Fluent Bit’s monitoring API is designed to allow administrators or other users to query and monitor information internal to the service itself. 

Among the Fluent Bit’s endpoints /api/v1/traces and /api/v1/trace allow end users to enable, disable or retrieve information about configured traces. Nevertheless, any users can access this API endpoint query regardless of traces being configured or not.

The vulnerability exists due to the improper validation of the data types of input names when parsing the requests to the /api/v1/traces endpoint.

When non-string values are parsed, it is possible to cause several memory corruptions on Fluent Bit. 

Further analysing the code, it was observed that this activity was due to the input_name variable being assigned by the flb_sds_create_len() function.

When the values of input_name variable are passed as integers, the pointer to this value is given as the input and the raw integer value is provided as the “size” of the value.

Location of Vulnerable code (Source: Tenable)

When large integer values or negative values are passed, Fluent Bit can crash due to a “wild copy” call to the memcpy() during an attempt to write to the protected memory. 

Additionally, negative values can cause heap overwrites of adjacent memory, resulting in a similar situation.

There were two other scenarios of integer values with large enough values and smaller or more targeted integer values for initiating stack corruption.

Testing The Exploitation

Researchers successfully exploited this vulnerability, which resulted in a service crash and a denial of service. They could also retrieve chunks of adjacent memory in the HTTP responses. 

On analyzing these chunks, researchers crafted further payloads that revealed partial secrets that could potentially leak sensitive information.

This resulted in an information disclosure.

For remote code execution, several factors were dependent on the host architecture and operating system.

Though crafting an exploit might be time-sensitive, it was still exploitable. However, this commit fixes this improper input validation.

Proof Of Concept

Denial Of Service

The below Python code can cause Fluent Bit to crash and become unavailable. The requests are made to the traces endpoint.

Fluent Bit users are recommended to upgrade to the latest version to prevent threat actors from exploiting this vulnerability.

ANYRUN malware sandbox’s 8th Birthday Special Offer: Grab 6 Months of Free Service

Eswar
Eswar
Eswar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Latest articles

Hackers Exploiting California Wildfire Sparks to Launching Phishing Attacks

As California grapples with devastating wildfires, communities are rallying to protect lives and property....

AIRASHI Botnet Exploiting 0-Day Vulnerabilities In Large Scale DDoS Attacks

AISURU botnet launched a DDoS attack targeting Black Myth: Wukong distribution platforms in August...

New Botnet Exploiting DNS Records Misconfiguration To Deliver Malware

Botnets are the networks of compromised devices that have evolved significantly since the internet's...

FTC Slams GoDaddy For Not Implement Standard Security Practices Following Major Breaches

The Federal Trade Commission (FTC) has announced that it will require GoDaddy Inc. to...

API Security Webinar

Free Webinar - DevSecOps Hacks

By embedding security into your CI/CD workflows, you can shift left, streamline your DevSecOps processes, and release secure applications faster—all while saving time and resources.

In this webinar, join Phani Deepak Akella ( VP of Marketing ) and Karthik Krishnamoorthy (CTO), Indusface as they explores best practices for integrating application security into your CI/CD workflows using tools like Jenkins and Jira.

Discussion points

Automate security scans as part of the CI/CD pipeline.
Get real-time, actionable insights into vulnerabilities.
Prioritize and track fixes directly in Jira, enhancing collaboration.
Reduce risks and costs by addressing vulnerabilities pre-production.

More like this

Hackers Exploiting California Wildfire Sparks to Launching Phishing Attacks

As California grapples with devastating wildfires, communities are rallying to protect lives and property....

AIRASHI Botnet Exploiting 0-Day Vulnerabilities In Large Scale DDoS Attacks

AISURU botnet launched a DDoS attack targeting Black Myth: Wukong distribution platforms in August...

New Botnet Exploiting DNS Records Misconfiguration To Deliver Malware

Botnets are the networks of compromised devices that have evolved significantly since the internet's...