Critical bug in Fluent Bit impacts all major cloud providers

Researchers have sounded the alarm on a critical bug in Fluent Bit, a logging component widely used by top-tier companies and the three major cloud providers.

The flaw, identified as CVE-2024-4323 and dubbed "Linguistic Lumberjack" by experts at Tenable, can cause denial of service (DoS), information leaks, and under certain conditions, remote code execution (RCE).

Fluent Bit, an open-source logging tool with over 13 million Docker downloads, is used by major corporations like Cisco, Dell, Walmart, Lyft, LinkedIn, and the leading cloud service providers (CSPs).

The vulnerability affects Fluent Bit versions 2.0.7 through 3.0.3. Researchers stumbled upon it while investigating another, undisclosed cloud service vulnerability. They discovered that passing non-string values into Fluent Bit's monitoring API—used for gathering data like uptime and plugin metrics—caused various memory corruption issues.

Here are some examples of how Linguistic Lumberjack manifests:

• Sending large integer values or negative values can crash the system.

• Negative values between 1 and 16 can overwrite adjacent memory on the heap, leading to crashes.

• Extremely small integers can expose adjacent memory.

• Specifically, the value -17 results in a crash.

• Smaller and more targeted integers can cause various stack and memory corruption problems.

Tenable's researchers were able to reliably trigger DoS attacks and access adjacent memory, potentially exposing sensitive information. However, Jimi Sebree, a senior staff research engineer at Tenable, noted that in most cases, it would only reveal previous metrics requests.

As for the possibility of remote code execution, Sebree explained that exploiting this would depend on several factors, including the host architecture and operating system. While heap buffer overflows can be exploited, creating a reliable exploit is both challenging and time-consuming. Thus, the most immediate concerns are the ease with which DoS and information leaks can be executed.

Tenable's report included a proof-of-concept endpoint request that could cause a crash but didn't show how to expose partial secrets or achieve RCE.

Cloud providers using Fluent Bit are advised to upgrade to version 3.0.4 or at least restrict access to the vulnerable endpoints (/api/v1/traces and /api/v1/trace). Disabling these endpoints is also an effective measure.

Sebree recommended that users of cloud services depending on Fluent Bit should contact their providers to ensure updates or mitigations are promptly applied. Tenable informed Microsoft, Amazon, and Google about the issue on May 15, 2024, to help them start their internal triage processes.

Want to keep ahead of vulnerabilities like Linguistic Lumberjack?

Learn about penetration testing, digital forensics, malware analysis, and security fundamentals through Pluralsight's cyber security courses. With Pluralsight, you can benchmark and prove your knowledge, keep up with emerging trends and build in-demand skills in areas like cloud, security, DevOps, machine learning, and infrastructure.