Tuesday, June 25, 2024

Critical Memory Corruption In Cloud Logging Infrastructure Enables Code Execution Attack

Fluent Bit, a widely used open-source data collector and processor, has been found to have a major memory loss flaw.

Companies utilizing Fluent Bit in their offerings  (Source: Fluent Bit)
Companies utilizing Fluent Bit in their offerings  (Source: Fluent Bit)

Many big cloud providers use Fluent Bit for their logging because it is easy to use and can be scaled up or down as needed.

Tenable Research found the flaw, which affects Fluent Bit’s built-in HTTP server and has been designated CVE-2024-4323.

This bug could cause a denial of service (DoS), the loss of information, or the execution of code from afar (RCE).

ANYRUN malware sandbox’s 8th Birthday Special Offer: Grab 6 Months of Free Service

Technical Details

A security flaw in a cloud service was being looked into when the weakness was found.

Researchers discovered they could access several metrics and logging URLs, such as several Fluent Bit instances.

The problem happens because the data types in the “inputs” array of calls to the /api/v1/traces endpoint are not correctly checked.

Example request from https://docs.fluentbit.io/manual/administration/troubleshooting
Example request from https://docs.fluentbit.io/manual/administration/troubleshooting

It can damage memory by sending numbers that aren’t strings, like integers.

This could cause the program to crash, send too much data to the heap, or lose data.

Snippets of Bug Locations
Snippets of Bug Locations

CVE-2024-4323: A Closer Look

There are a few ways to take advantage of the memory corruption bug in Fluent Bit’s tracking API:

  • Large Integer Values: A “wild copy” in a later call to memcpy() could cause the program to crash.
  • Negative Values: Values between 1 and 16 can cause the heap to overwrite memory next to them.
  • Small Integer Values: This can let the client see memory that is close by. If the value is -17, it leads to a crash because of a null pointer dereference after a failed malloc() of zero.
  • Targeted Integer Values: The following values can cause stack corruption and other memory corruption problems.

The experts used this flaw in the lab to crash the service and set off a denial-of-service event.

They could also get back pieces of memory next to each other, which sometimes revealed parts of secrets and could mean that information was getting out.

Mitigation and Recommendations

Fluent Bit’s developers were notified of the problem on April 30, 2024, and a fix was added to the project’s main branch on May 15, 2024.

The fix includes ensuring the data types in the “inputs” array are correct.

It is suggested that users update to the newest version (3.0.4) as soon as it comes out.

If you can’t upgrade, you should look at Fluent Bit’s monitoring API and make sure that only approved users can access it.

The above debugger output indicates a heap-buffer overflow, but ultimately, the crash is caused by an attempt to write to a protected memory region.

If you depend on cloud services that use Fluent Bit, you should contact the cloud source to ensure you get any updates or fixes as soon as possible.

Big cloud service companies like Microsoft, Amazon, and Google have been told about the problem.

The discovery of CVE-2024-4323 shows the importance of logging and monitoring tools to get regular updates and strict security measures.

Businesses need to use defense-in-depth strategies and the concept of least privilege to prevent attackers from abusing their power.

Since logging infrastructure is an important part of both cloud-based and on-premises settings, fixing these problems immediately is necessary to maintain security.

Free Webinar on Live API Attack Simulation: Book Your Seat | Start protecting your APIs from hackers


Latest articles

Hackers Attacking Windows IIS Server to Upload Web Shells

Windows IIS Servers often host critical web applications and services that provide a gateway...

WikiLeaks Founder Julian Assange Released in Stunning Deal with U.S.

WikiLeaks founder Julian Assange has been released from prison after reaching a deal with...

Four Members of FIN9 Hackers Charged for Attacking U.S. Companies

Four Vietnamese nationals have been charged for their involvement in a series of computer...

BREAKING: NHS England’s Synnovis Hit by Massive Cyber Attack

In a shocking development, the NHS has revealed that it was the victim of...

Threat Actor Claiming a 0-day in Linux LPE Via GRUB bootloader

A new threat actor has emerged, claiming a zero-day vulnerability in the Linux GRUB...

LockBit Ransomware Group Claims Hack of US Federal Reserve

The notorious LockBit ransomware group has claimed responsibility for hacking the U.S. Federal Reserve,...

Microsoft Power BI Vulnerability Let Attackers Access Organizations Sensitive Data

A vulnerability in Microsoft Power BI allows unauthorized users to access sensitive data underlying...
Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.

Free Webinar

API Vulnerability Scanning

71% of the internet traffic comes from APIs so APIs have become soft targets for hackers.Securing APIs is a simple workflow provided you find API specific vulnerabilities and protect them.In the upcoming webinar, join Vivek Gopalan, VP of Products at Indusface as he takes you through the fundamentals of API vulnerability scanning..
Key takeaways include:

  • Scan API endpoints for OWASP API Top 10 vulnerabilities
  • Perform API penetration testing for business logic vulnerabilities
  • Prioritize the most critical vulnerabilities with AcuRisQ
  • Workflow automation for this entire process

Related Articles