Critical Memory Corruption in Cloud Logging Infrastructure Enables Code Execution Attack

Fluent Bit, a logging utility used by major cloud providers, has a critical memory corruption vulnerability (CVE-2024-4323), also known as Linguistic Lumberjack.

The vulnerability affects versions 2.0.7 through 3.0.3 of Fluent Bit’s built-in HTTP server and could be exploited for denial-of-service, information disclosure, or even remote code execution. 

Upgrading to Fluent Bit version 3.0.4 or later, which includes the fix, is recommended; where that is not immediately possible, limiting access to the vulnerable endpoint mitigates the risk.

Companies utilizing Fluent Bit in their offerings

Fluent Bit, a popular open-source log collector (10 million daily deployments), is vulnerable to a critical memory corruption flaw (CVE-2024-4323) in its built-in HTTP server. 

The vulnerability, named Linguistic Lumberjack by Tenable Research, could allow attackers to crash systems (DoS), steal data (information leakage), or even take complete control (RCE). It affects versions 2.0.7 through 3.0.3, with a fix expected in version 3.0.4.

Tenable researchers investigating a cloud service’s security flaw discovered internal metrics and logging endpoints, including Fluent Bit instances. While access to these endpoints could potentially leak information across tenants, further investigation in an isolated environment revealed a memory corruption vulnerability in Fluent Bit.  

The vulnerability resided in the trace API endpoints (/api/v1/traces and /api/v1/trace) used to manage trace configurations, and any user with access to these endpoints could trigger it regardless of whether tracing was configured.

Example request from https://docs.fluentbit.io/manual/administration/troubleshooting

An exploitable vulnerability exists in the parsing of `/api/v1/traces` requests. Elements of the request’s “inputs” array are assumed to be strings (MSGPACK_OBJECT_STR) without their type being validated.

Supplying integers instead of strings triggers memory corruption issues during `flb_sds_create_len()`, which interprets the integer as the size of a string value and the array pointer as the string’s beginning, leading to unexpected memory access. 
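As an added illustration (not code from the article or from the Fluent Bit project), the following Python check enforces the type constraint the parser was missing: every element of “inputs” in a trace request body must be a string. It could run in a reverse proxy in front of port 2020 or over captured request bodies during log review; the endpoint paths are the ones the article names, and the sample bodies and plugin names are constructed.

```python
import json

# Trace API paths the article names; requests elsewhere are out of scope.
TRACE_PATHS = ("/api/v1/traces", "/api/v1/trace")


def check_trace_request(path: str, body: bytes) -> list:
    """Validate a Fluent Bit trace API request body.

    Returns a list of findings; an empty list means the request passes:
    "inputs", when present, is an array whose every element is a string,
    which is what the endpoint assumes without checking.
    """
    path = path.split("?", 1)[0]
    if not any(path == p or path.startswith(p + "/") for p in TRACE_PATHS):
        return []
    try:
        doc = json.loads(body)
    except ValueError:
        return ["body is not valid JSON"]
    if not isinstance(doc, dict):
        return ["body is not a JSON object"]
    if "inputs" not in doc:
        return []  # single-input form carries the input name in the path
    inputs = doc["inputs"]
    if not isinstance(inputs, list):
        return ["'inputs' is not an array"]
    return [
        f"inputs[{i}] is {type(item).__name__}, expected string"
        for i, item in enumerate(inputs)
        if not isinstance(item, str)
    ]


# Constructed sample bodies (hypothetical plugin instance names).
GOOD_BODY = json.dumps(
    {"output": "stdout", "params": {"format": "json"}, "inputs": ["dummy.0"]}
).encode()
# Mirrors the type confusion the article describes: an integer where the
# parser expects a string.
BAD_BODY = json.dumps(
    {"output": "stdout", "inputs": ["dummy.0", 0xFFFFFFF, "dummy.1"]}
).encode()

if __name__ == "__main__":
    for body in (GOOD_BODY, BAD_BODY):
        print(check_trace_request("/api/v1/traces", body) or "ok")
```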

Snippets of Bug Locations

A heap buffer overflow vulnerability in the “traces” endpoint of Fluent Bit allowed integer manipulation in the “inputs” array. Large or negative integer values could cause crashes due to buffer overflows during memory operations. 

Smaller negative values, or values not large enough to cause a crash, could instead leak adjacent memory contents, potentially including partial secrets. The vulnerability was therefore exploitable for Denial-of-Service (DoS) and information leakage, but likely not for remote code execution, given the complexity of developing a reliable exploit.

The code snippet demonstrates a Denial-of-Service (DoS) attack concept targeting a `/api/v1/traces/` endpoint. 

The Python script creates a corrupted JSON payload with a string (“A” repeated 8 times), a very large integer (0xfffffff), and a long string (“B” repeated 500 times).

It then sends this payload with curl to the target server on port 2020 with the appropriate headers; the server’s parser cannot safely handle such input, potentially leading to a crash.

Kaaviya, https://cyberpress.org/
Kaaviya is a Security Editor and fellow reporter with Cyber Press. She covers cyber security incidents happening in cyberspace.
