New Fluent Bit Flaws Expose Cloud To RCE And Stealthy...
Cybersecurity researchers have discovered five vulnerabilities in Fluent Bit, an open-source and lightweight telemetry agent, that could be chained to compromise and take over cloud infrastructures.
The security defects "allow attackers to bypass authentication, perform path traversal, achieve remote code execution, cause denial-of-service conditions, and manipulate tags," Oligo Security said in a report shared with The Hacker News.
Successful exploitation of the flaws could enable attackers to disrupt cloud services, manipulate data, and burrow deeper into cloud and Kubernetes infrastructure. The list of identified vulnerabilities is as follows -
"The amount of control enabled by this class of vulnerabilities could allow an attacker to breach deeper into a cloud environment to execute malicious code through Fluent Bit, while dictating which events are recorded, erasing or rewriting incriminating entries to hide their tracks after an attack, injecting fake telemetry, and injecting plausible fake events to mislead responders," researchers said.
The CERT Coordination Center (CERT/CC), in an independent advisory, said many of these vulnerabilities require an attacker to have network access to a Fluent Bit instance, adding they could be used for authentication bypass, remote code execution, service disruption, and tag manipulation.
Following responsible disclosure, the issues have been addressed in versions 4.1.1 and 4.0.12 released last month. Amazon Web Services (AWS), which also engaged in coordinated disclosure, has urged customers running Fluentbit to update to the latest version for optimal protection.
Given Fluent Bit's popularity within enterprise environments, the shortcomings have the potential to impair access to cloud services, allow data tampering, and seize control of the logging service itself.
Other recommended actions include avoiding use of dynamic tags for routing, locking down output paths and destinations to prevent tag-based path expansion or traversal, mounting /fluent-bit/etc/ and configuration files as read-only to block runtime tampering, and running the service as non-root users.
The development comes more than a year after Tenable detailed a flaw in Fluent Bit's built-in HTTP server (CVE-2024-4323 aka Linguistic Lumberjack) that could be exploited to achieve denial-of-service (DoS), information disclosure, or remote code execution.
