Cybersecurity Threat Advisory

This Cybersecurity Threat Advisory highlights a critical vulnerability discovered in Fluent Bit, a popular logging and metrics solution. CVE-2024-4323, a new memory corruption vulnerability, has the potential to cause denial of service (DoS), information leakage, and remote code execution (RCE). Read on for recommendations to mitigate your risks.

What is the threat?

Fluent Bit is a cloud-logging utility. The threat resides in Fluent Bit's HTTP server, which allows free access to various metric and logging endpoints internal to the service, potentially leading to cross-tenant information leakage.

Two endpoints, /api/v1/traces and /api/v1/trace, allow end-users with access to the Monitoring API to enable, disable, and retrieve information about the traces. Attackers can leverage these endpoints to cause a DoS by passing non-string values to the input.

These behaviors affect Fluent Bit versions 2.0.7 through 3.0.3.

Why is it noteworthy?

Fluent Bit is used in a multitude of organizations and is critical to logging. If an endpoint has improper or exposed network access, it could result in degradation of the service, leakage of information, or even remote code execution.

On top of potentially causing a DoS, researchers were able to retrieve chunks of adjacent memory via the returned HTTP responses. Most of the information is related to previous metrics requests. However, occasional exposure of a partial secret occurred, which could lead to the leakage of sensitive information.

Additionally, the heap buffer overflow creates a possibility of remote code execution that depends on many factors, such as host architecture and operating system. However, researchers say it is not only difficult but incredibly time-intensive.

What is the exposure or risk?

This vulnerability has a significant impact on Fluent Bit users. By exploiting CVE-2024-4323, bad actors can cause a DoS, leading to downtime and potential service disruption. Moreover, the information leakage from memory exposure can compromise sensitive data, including partial secrets, which increases the risk of further attacks. In rare cases, remote code execution could allow attackers to gain control over the affected systems.

What are the recommendations?

Barracuda MSP recommends the following actions to keep your environment secure:

  • Upgrade to version 3.0.4 or newer, where the vulnerability is fixed.
  • Review and limit access to Fluent Bit’s Monitoring API if you are still on version 3.0.3 or below. Ensure only authenticated users and applications have access to the API.
  • Disable the API if it is not in use to reduce the potential for attacks.
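
The following is an added example, not code from Barracuda or the Fluent Bit project, that checks a host against the three recommendations above: is the version inside the affected range, is the Monitoring API enabled, and does it listen beyond loopback. It assumes a classic-format configuration with HTTP_Server and HTTP_Listen keys in the [SERVICE] section and the defaults noted in the comments; the function names and sample configs are constructed for illustration.

```python
import ipaddress
import re

# Affected range stated in the advisory: 2.0.7 through 3.0.3 (fixed in 3.0.4).
FIRST_AFFECTED, LAST_AFFECTED = (2, 0, 7), (3, 0, 3)

def is_affected(version_text):
    """True if a string such as 'Fluent Bit v3.0.3' falls in the affected range."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", version_text)
    if not m:
        raise ValueError(f"no version found in {version_text!r}")
    return FIRST_AFFECTED <= tuple(map(int, m.groups())) <= LAST_AFFECTED

def service_settings(config_text):
    """Lower-cased key/value pairs from the [SERVICE] section (classic format)."""
    settings, section = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            section = line.strip("[]").strip().lower()
        elif section == "service":
            key, *rest = line.split(None, 1)
            settings[key.lower()] = rest[0].strip() if rest else ""
    return settings

def audit(version_text, config_text):
    """Map a host's version and config onto the advisory's recommendations."""
    s = service_settings(config_text)
    # Assumed defaults: HTTP server off, listen address 0.0.0.0 when unset.
    enabled = s.get("http_server", "off").lower() in ("on", "true", "yes")
    try:
        loopback = ipaddress.ip_address(s.get("http_listen", "0.0.0.0")).is_loopback
    except ValueError:
        loopback = False  # hostname or malformed value: treat as exposed
    return {
        "needs_upgrade": is_affected(version_text),
        "api_enabled": enabled,
        "api_network_exposed": enabled and not loopback,
    }

# Constructed sample configs (not taken from any real deployment).
EXPOSED = "[SERVICE]\n    Flush 1\n    HTTP_Server On\n    HTTP_Listen 0.0.0.0\n    HTTP_Port 2020\n"
LOOPBACK = "[SERVICE]\n    HTTP_Server On\n    HTTP_Listen 127.0.0.1\n[INPUT]\n    Name cpu\n"

if __name__ == "__main__":
    print(audit("Fluent Bit v3.0.3", EXPOSED))
    print(audit("Fluent Bit v3.0.4", LOOPBACK))
```

A loopback listener only narrows who can reach the API; on a shared host, local users and co-located workloads can still reach it, so an affected version still needs the upgrade.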

If you have any questions about this Cybersecurity Threat Advisory, please contact Barracuda XDR’s Security Operations Center.

Posted by Devyn Souza

Devyn is a Cybersecurity Analyst at Barracuda. He's a security expert, working on our Blue Team within our Security Operations Center. Devyn supports our XDR service delivery and is highly skilled at analyzing security events to detect cyber threats, helping keep our partners and their customers protected.
