Critical Fluent Bit bug affects all major cloud providers, say researchers

Infosec researchers are alerting the industry to a critical vulnerability in Fluent Bit – a logging component used by a swathe of blue chip companies and all three major cloud providers.

Experts at Tenable discovered the flaw (CVE-2024-4323), which can lead to denial of service (DoS) and information leakage, and under the right conditions remote code execution (RCE).

Fluent Bit is an open source logging component with more than 13 million Docker downloads as of March. It's used by the likes of the big three CSPs, Cisco, Dell, Walmart, Lyft, LinkedIn, and more.

Tenable discovered CVE-2024-4323, affecting versions 2.0.7 through 3.0.3, while investigating a separate, as-yet-undisclosed vuln in a cloud service. Researchers found that if they passed non-string values into requests to Fluent Bit's monitoring API, which allows users to gather info such as uptime data and plugin metrics, it led to various memory corruption issues.

Examples include:

• Passing large integer values or negative values can lead to a crash

• Negative values between 1 and 16 can cause heap overwrites of adjacent memory, also leading to a crash

• Integers that are too small can lead to the disclosure of adjacent memory

• Passing -17 as a value specifically leads to a crash

• "Smaller and more targeted integer values" can lead to various stack and memory corruption outcomes

The researchers says they were able to reliably achieve DoS using the vulnerability, and access chunks of adjacent memory including partial secrets, which suggests sensitive information could potentially be leaked. That said, in most scenarios it's unlikely to reveal anything more than previous metrics requests, blogged Jimi Sebree, senior staff research engineer at Tenable.

• OpenSSF sings a Siren song to steer developers away from buggy FOSS
• Researchers call out QNAP for dragging its heels on patch development
• Microsoft fixes a bug abused in QakBot attacks plus a second under exploit
• NHS Digital hints at exploit sightings of Arcserve UDP vulnerabilities

"As for the remote code execution possibilities of this issue, exploitation is dependent on a variety of environmental factors such as host architecture and operating system," he added. 

"While heap buffer overflows such as this are known to be exploitable, creating a reliable exploit is not only difficult, but incredibly time-intensive. The researchers believe that the most immediate and primary risks are those pertaining to the ease with which DoS and information leaks can be accomplished."

In its writeup, Tenable published a short proof of concept endpoint request that would lead to a crash, but didn't provide examples of how to reveal partial secrets or achieve RCE.

Cloud providers that depend on Fluent Bit are advised to upgrade to version 3.0.4, or at the very least limit access to the vulnerable endpoints (/api/v1/traces and /api/v1/trace). Disabling it also works.

"If you rely on cloud services that are known to make use of Fluent Bit, we recommend reaching out to your cloud provider to ensure that updates or mitigations are deployed in a timely manner," said Sebree.

"With regards to usage by major cloud providers, Tenable notified Microsoft, Amazon, and Google of this issue via their respective vulnerability disclosure mechanisms on May 15, 2024, so that they could begin their internal triage processes." ®