A researcher has demonstrated working exploit code to trigger RCE in the Kibana plugin for Elasticsearch

GarryKillian / Shutterstock

Exploit script capable of triggering a vulnerability in Kibana has been made available on GitHub.

The critical security flaw, tracked as CVE-2019-7609, has been awarded a CVSS base score of 10.00 – the highest score on the vulnerability ratings scale.

Kibana is an open source data visualization plugin designed for Elasticsearch (part of the popular Elastic Stack, or ‘ELK Stack’). Kibana versions before 5.6.15 and 6.6.1 are vulnerable.

The vulnerability was patched in February 2019. According to Elastic’s security advisory, the problem lies within the Timelion visualizer.

An attacker with access to this feature would be able to send a crafted JavaScript code execution command, potentially leading to the execution of arbitrary commands with the permissions of Kibana on the host system.

Environmental variables

Working proof-of-concept code was published by Securitum security researcher Michał Bentkowski as part of a slide deck for a presentation at OWASP Poland Day on October 14.

Exploit code harnessing this research was uploaded to GitHub on October 21.

In a blog post, Bentkowski notes that the prototype pollution in the Timelion function makes it possible to control environmental variables.

Combined with an error-prone menu entry called ‘Canvas’ which prompts vulnerable Kibana versions to try and spawn a new variable, it becomes possible to create a reverse shell and to exploit this to achieve remote code execution (RCE).

Read more security vulnerability news from The Daily Swig

According to Tenable researchers, a BinaryEdge search indicates there are more than 4,200 public Kibana instances, and many are still running vulnerable versions including 6.2.4, 6.3.2, and 6.3.1.

”While the attack would require access to Kibana, an attacker could abuse this flaw to create a reverse shell on the host,” Scott Caveza, research engineering manager at Tenable told The Daily Swig.

“Depending on the permissions of the Kibana process, this could allow an attacker to take complete control of the host.”

”Even with limited control of the host, via the reverse shell, an attacker could utilize their control over the host to probe other hosts on the network and launch attacks from the compromised Kibana host against them,” Caveza added.

Users are encouraged to upgrade to Kibana version 5.6.15 or 6.6.1. Alternatively, Timelion can be disabled by setting timelion to ‘false’ in the kibana.yml configuration file.

“I think that the most prevalent [attack] scenario is leaving Kibana open (either [on a] LAN or on the internet) without authentication,” Bentkowski told The Daily Swig.

“Setting [a] strong password or adding some other means of authentication should strongly limit the risk of the attack. Kibana lacks authentication by default, it needs to be configured manually.”

YOU MIGHT ALSO LIKE Snuffleupagus: Open source security tool hardens PHP sites against cyber-attacks