Kibana vulnerabilities could allow attackers to remotely execute arbitrary code
Two critical vulnerabilities have been identified in Kibana, a popular data visualization and exploration tool used with Elasticsearch.
The vulnerabilities, CVE-2024-37288 and CVE-2024-37285, allow attackers to execute arbitrary code through unsafe YAML deserialization.
The flaws have been rated as High severity, highlighting the need for affected users to take immediate action.
CVE-2024-37288: Exploit via Amazon Bedrock Connector
The first vulnerability, CVE-2024-37288, affects Kibana version 8.15.0. It is caused by a deserialization bug in the Amazon Bedrock Connector, one of Elastic Security’s built-in AI tools.
When Kibana attempts to parse a YAML document containing a crafted payload, it may lead to arbitrary code execution.
Affected Users
This vulnerability is particularly relevant to users who have configured the Amazon Bedrock connector. Not all Kibana users are affected, but those who use this particular integration are at greater risk.
Arbitrary code execution means that potential attackers could take control of an affected system, causing data corruption, system crashes, or other malicious activity.
Remediate the Weakness
Elastic has released Kibana 8.15.1 to address this vulnerability. Users are advised to upgrade to this version to mitigate the risk.
A workaround for those who cannot upgrade immediately involves disabling the integration assistant by adding the following line to the kibana.yml configuration file:
xpack.integration_assistant.enabled: false
This measure helps mitigate the risk until a full upgrade is implemented. However, it is important to prioritize upgrading to the latest version to ensure comprehensive protection.
CVE-2024-37285: Privilege-dependent exploit
The second vulnerability, CVE-2024-37285, affects a wider range of Kibana versions, from 8.10.0 to 8.15.0. Like the first issue, it relies on YAML deserialization, but it requires a more specific set of conditions to be exploited.
Exploitation Requirements
To successfully exploit CVE-2024-37285, an attacker must have a combination of specific Elasticsearch index privileges and Kibana privileges. The required Elasticsearch index privileges are:
- Write access to the .kibana_ingest* system indices.
- The allow_restricted_indices flag set to true.
In addition, attackers need one of the following Kibana privileges:
- All privilege on the Fleet section.
- Read or all privileges on the Integration section.
- Access to Fleet Configuration privileges via a Fleet Server service account token.
These conditions mean that only users with certain configurations and privilege levels are vulnerable, but the potential impact is still severe.
Recommended Actions
As with the first vulnerability, it is recommended to upgrade to Kibana 8.15.1. This update addresses a deserialization issue and improves overall security.
Given the complexity of the privileges required for exploitation, organizations should review and harden their privilege configurations to minimize the impact.
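As a starting point for that privilege review, the following added example (not code from Elastic or from the original article) flags roles that meet the Elasticsearch half of the CVE-2024-37285 conditions and checks a version string against the affected range. It assumes the roles are supplied in the JSON shape returned by Elasticsearch's GET /_security/role API; the role names and sample data are constructed, and the Kibana Fleet and Integration privileges still need to be reviewed separately.

```python
import fnmatch

# Affected range for CVE-2024-37285 as stated in the article: 8.10.0 to 8.15.0.
AFFECTED_MIN, AFFECTED_MAX = (8, 10, 0), (8, 15, 0)
# Index privileges that include write access ("all" is a superset of "write").
# Narrower privileges such as "index" or "create" are not flagged here.
WRITE_GRANTING = {"write", "all"}
PROBE = ".kibana_ingest"


def version_affected(version: str) -> bool:
    """True if a Kibana version string falls inside the affected range."""
    parts = tuple(int(p) for p in version.split("-")[0].split("."))
    return AFFECTED_MIN <= parts <= AFFECTED_MAX


def covers_kibana_ingest(pattern: str) -> bool:
    """Heuristic: can this role index pattern reach .kibana_ingest* indices?"""
    return pattern.startswith(PROBE) or fnmatch.fnmatchcase(PROBE + "_x", pattern)


def risky_roles(roles: dict) -> list:
    """Return (role, matching patterns) for roles holding write access to
    .kibana_ingest* with allow_restricted_indices set to true."""
    findings = []
    for name, role in sorted(roles.items()):
        for grant in role.get("indices", []):
            if not grant.get("allow_restricted_indices", False):
                continue
            if not WRITE_GRANTING & set(grant.get("privileges", [])):
                continue
            hits = [p for p in grant.get("names", []) if covers_kibana_ingest(p)]
            if hits:
                findings.append((name, hits))
    return findings


def grant(names, privileges, restricted):
    """Build one constructed role in the GET /_security/role shape."""
    return {"indices": [{"names": names, "privileges": privileges,
                         "allow_restricted_indices": restricted}]}


# Constructed sample roles; names and grants are hypothetical.
SAMPLE_ROLES = {
    "fleet_ops": grant([".kibana_ingest*"], ["write"], True),
    "broad_admin": grant(["*"], ["all"], True),
    "log_writer": grant(["logs-*"], ["write"], True),
    "kibana_reader": grant([".kibana*"], ["read"], True),
    "restricted_off": grant(["*"], ["all"], False),
}

if __name__ == "__main__":
    print("8.14.2 affected:", version_affected("8.14.2"))
    for role_name, patterns in risky_roles(SAMPLE_ROLES):
        print(f"review role {role_name}: restricted write via {patterns}")
```

Roles flagged here are candidates for tightening. A role that is not flagged can still be combined with other roles on the same user, so review effective privileges per user as well.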
Severity and Impact Level of the Vulnerabilities
Both vulnerabilities have been rated Critical, reflecting their potential to cause significant damage. CVE-2024-37288 has a CVSS v3.1 score of 9.9, while CVE-2024-37285 has a score of 9.1.
These scores indicate a high likelihood of exploitation and severe impact, including impact to confidentiality, integrity, and availability. Organizations running vulnerable versions of Kibana should act quickly to implement the recommended updates and mitigations.
Arbitrary code execution means that potential attackers could execute malicious code that could lead to unauthorized access, data theft, or service disruption.
The discovery of these critical vulnerabilities in Kibana highlights the importance of keeping your software up to date and regularly reviewing your security configurations.
While Elastic provides solutions and mitigations, users are ultimately responsible for the security of their own systems. In an era of increasingly sophisticated cyber threats, it is critical to be aware of vulnerabilities and take quick security measures.
Organizations should also consider implementing additional security measures, such as network segmentation and intrusion detection systems, to further protect information systems and information assets.