File Inclusion bug leading to remote code execution in Kibana ElasticSearch
CVE-2018-17246
Sources
- https://www.cyberark.com/threat-research-blog/execute-this-i-know-you-have-it/
- https://www.bleepingcomputer.com/news/security/file-inclusion-bug-in-kibana-console-for-elasticsearch-gets-exploit-code/
Risks
Successful exploitation of the vulnerability can result in a remote code execution on the server with the privilege used by the Kibana process.
Description
Nethanel Coppenhagen of CyberArk Labs discovered that Kibana versions before 6.4.3 and 5.6.13 contain an arbitrary file inclusion flaw in the Console plugin. An attacker with access to the Kibana Console API could send a request that attempts to execute JavaScript code. This could possibly lead to an attacker executing arbitrary commands with the permissions of the Kibana process on the host system.
A proof of concept was published on Twitter on 17/12/2018. The existence of a public PoC makes it urgent for owners of affected systems to patch or otherwise remediate them.
Recommended Actions
CERT.be recommends that users always keep their systems up to date.
Users should upgrade to Elastic Stack version 6.4.3 or 5.6.13.
Users unable to upgrade can disable the Kibana Console plugin by setting "console.enabled: false" in the kibana.yml file.
Documentation about the upgrade process is available on the Elastic website: https://www.elastic.co/products
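The following script is an added example, not part of the CERT.be advisory and not Elastic's code. It turns the two recommended actions above into a check a defender can run against an inventory: it compares a Kibana version string against the fixed versions named in the advisory (6.4.3 for the 6.x branch, 5.6.13 for the 5.x branch) and, for an affected version, inspects kibana.yml for the "console.enabled: false" mitigation. Assumptions: branches older than 5.x are treated as affected and branches newer than 6.x as fixed (the advisory only names 5.x and 6.x), and only the flat dotted key form of the setting is recognised, not the nested YAML form. The sample kibana.yml content is constructed.

```python
import re

# Fixed versions named in the advisory, keyed by major release branch.
FIXED_VERSIONS = {5: (5, 6, 13), 6: (6, 4, 3)}


def parse_version(version: str) -> tuple:
    """Parse 'X.Y.Z' (optionally with a -suffix or +build) into a comparable tuple."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:[-+].*)?", version.strip())
    if not m:
        raise ValueError(f"unrecognised Kibana version string: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version: str) -> bool:
    """True if this Kibana version predates the fix for CVE-2018-17246."""
    v = parse_version(version)
    major = v[0]
    if major in FIXED_VERSIONS:
        return v < FIXED_VERSIONS[major]
    if major < 5:
        return True   # assumption: branches before 5.x never received the fix
    return False      # assumption: branches after 6.x were released with the fix


def console_disabled(kibana_yml: str) -> bool:
    """True if kibana.yml sets the flat key 'console.enabled: false' (comments ignored).

    Assumption: the nested YAML form (console: / enabled: false) is not handled.
    """
    for raw in kibana_yml.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing and full-line comments
        m = re.fullmatch(r"console\.enabled\s*:\s*(true|false)", line, re.IGNORECASE)
        if m:
            return m.group(1).lower() == "false"
    return False   # the Console plugin is enabled when the key is absent


def assess(version: str, kibana_yml: str) -> str:
    """Return 'patched', 'mitigated' or 'vulnerable' for one Kibana instance."""
    if not is_affected(version):
        return "patched"
    if console_disabled(kibana_yml):
        return "mitigated"
    return "vulnerable"


if __name__ == "__main__":
    # Constructed sample kibana.yml content for demonstration.
    sample_yml = "server.port: 5601\n#console.enabled: false\nconsole.enabled: false  # mitigation\n"
    for ver in ("5.6.12", "5.6.13", "6.4.2", "6.4.3"):
        print(ver, assess(ver, sample_yml), "| without mitigation:", assess(ver, "server.port: 5601\n"))
```

The 5.x and 6.x branches are checked independently, so a 5.6.13 host is reported as patched even though it is numerically below 6.4.3; a single "less than 6.4.3" comparison would misreport every patched 5.x instance as vulnerable.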