A researcher has demonstrated working exploit code to trigger RCE in the Kibana plugin for Elasticsearch
An exploit script capable of triggering a vulnerability in Kibana has been made available on GitHub.
The vulnerability was patched in February 2019. According to Elastic’s security advisory, the problem lies within the Timelion visualizer.
Exploit code harnessing this research was uploaded to GitHub on October 21.
In a blog post, Bentkowski notes that the prototype pollution in the Timelion function makes it possible to control environment variables.
Combined with an error-prone menu entry called ‘Canvas’, which prompts vulnerable Kibana versions to try to spawn a new variable, it becomes possible to create a reverse shell and to exploit this to achieve remote code execution (RCE).
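To make the mechanism Bentkowski describes concrete, here is an added example (not code from Kibana, Elastic or the researcher) in JavaScript: a naive nested-property setter of the kind that applies user-supplied `a.b.c=value` options, beside a hardened one, with `envForSpawn` standing in for how Node's `child_process.spawn` falls back to `process.env` when the caller passes no `env`. The path string, the property name `INJECTED` and the helper names are constructed for the demonstration.

```javascript
// Vulnerable: walks every segment, "__proto__" included, so a path can
// reach Object.prototype and plant properties every {} then inherits.
function setPathUnsafe(target, path, value) {
  const keys = path.split('.');
  let cur = target;
  for (const k of keys.slice(0, -1)) {
    if (cur[k] == null) cur[k] = {};
    cur = cur[k];
  }
  cur[keys[keys.length - 1]] = value;
  return target;
}

// Hardened: reject prototype-reaching segments; only descend into own,
// plain-object properties, creating null-prototype containers otherwise.
const FORBIDDEN = new Set(['__proto__', 'constructor', 'prototype']);
function setPathSafe(target, path, value) {
  const keys = path.split('.');
  if (keys.some((k) => FORBIDDEN.has(k))) {
    throw new Error(`refusing prototype-reaching path: ${path}`);
  }
  let cur = target;
  for (const k of keys.slice(0, -1)) {
    const own = Object.prototype.hasOwnProperty.call(cur, k);
    if (!own || typeof cur[k] !== 'object' || cur[k] === null) {
      cur[k] = Object.create(null);
    }
    cur = cur[k];
  }
  cur[keys[keys.length - 1]] = value;
  return target;
}
// Stand-in for spawn's `options.env || process.env`: with an empty options
// object, a polluted Object.prototype.env is what opts.env resolves to.
function envForSpawn(opts = {}) {
  return { ...(opts.env || process.env) };
}

// Pollute through the unsafe setter, observe the leak into a fresh {},
// then delete the planted property so the rest of the process stays clean.
function demonstratePollution() {
  setPathUnsafe({}, '__proto__.env.INJECTED', 'attacker-controlled');
  const leaked = envForSpawn({}).INJECTED;
  delete Object.prototype.env;
  return leaked;
}
// The hardened setter refuses the same path, so nothing reaches the env.
function demonstrateHardened() {
  let blocked = false;
  try { setPathSafe({}, '__proto__.env.INJECTED', 'x'); } catch (e) { blocked = true; }
  return blocked && envForSpawn({}).INJECTED === undefined ? 'blocked' : 'leaked';
}
```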
According to Tenable researchers, a BinaryEdge search indicates there are more than 4,200 public Kibana instances, and many are still running vulnerable versions including 6.2.4, 6.3.2, and 6.3.1.
“While the attack would require access to Kibana, an attacker could abuse this flaw to create a reverse shell on the host,” Scott Caveza, research engineering manager at Tenable, told The Daily Swig.
“Depending on the permissions of the Kibana process, this could allow an attacker to take complete control of the host.”
“Even with limited control of the host, via the reverse shell, an attacker could utilize their control over the host to probe other hosts on the network and launch attacks from the compromised Kibana host against them,” Caveza added.
Users are encouraged to upgrade to Kibana version 5.6.15 or 6.6.1. Alternatively, Timelion can be disabled by setting timelion to ‘false’ in the kibana.yml configuration file.
“I think that the most prevalent [attack] scenario is leaving Kibana open (either [on a] LAN or on the internet) without authentication,” Bentkowski told The Daily Swig.
“Setting [a] strong password or adding some other means of authentication should strongly limit the risk of the attack. Kibana lacks authentication by default, it needs to be configured manually.”