Critical Bug Allows Data Leaks in All Major Cloud Platforms

Researchers have discovered a severe memory corruption vulnerability inside of a cloud logging utility used across major cloud platforms.

The service, Fluent Bit, is an open source tool for collecting, processing, and forwarding logs and other types of application data. It's one of the more popular pieces of software out there, with more than three billion downloads as of 2022, and a new 10 million or so deployments with each passing day. It's used by major organizations such as VMware, Cisco, Adobe, Walmart, and LinkedIn, and nearly every major cloud service provider, including AWS, Microsoft, and Google Cloud.

The issue with Fluent Bit, dubbed "Linguistic Lumberjack" in a new report from Tenable, lies in how the service's embedded HTTP server parses trace requests. Manipulated in one way or another, it can cause denial of service (DoS), data leakage, or remote code execution (RCE) in a cloud environment.

"Everyone gets hyped about a vulnerability in Azure, AWS, GCP, but nobody's really looking at the technologies that make up all of these major cloud services – common, core pieces of software that now affect every major cloud provider," says Jimi Sebree, senior staff research engineer with Tenable. "You need to be looking for application security bombs and like components of the services, not just the services themselves."

The Linguistic Lumberjack Effect

Tenable researchers initially were looking into an entirely separate security issue in an undisclosed cloud service when they realized something unexpected was going on. From where they were sitting, it seemed they were able to access a wide range of the cloud service provider's (CSP) own internal metrics and logging endpoints. Among these were instances of Fluent Bit.

This cross-tenant data leakage came from endpoints in Fluent Bit's monitoring application programming interface (API), designed to allow users to query and monitor its internal data. After some testing, though, a bit of leaky data turned out to be only the introduction to a deeper problem.

For a particular endpoint – /api/v1/traces – the types of data passed as input names were not properly validated prior to being parsed by the program. So by passing non-string values, an attacker could cause all kinds of memory corruption issues in Fluent Bit. The researchers tried out a variety of positive and negative integer values, in particular, to successfully cause errors for which the service would crash and leak potentially sensitive data.

Attackers could also potentially use this same trick to gain RCE capabilities in a targeted environment. However, Tenable noted, developing such an exploit would require a good deal of effort, being customized to the target's particular operating system and architecture.

What to Do About It

The bug exists in Fluent Bit versions 2.0.7 through 3.0.3. It's being tracked under CVE-2024-4323, and various sites have assigned it "critical" CVSS scores of over 9.5 out of 10. After it was reported on April 30, Fluent Bit's maintainers updated the service to properly validate data types in that problematic endpoint's input field. The fix was applied to the project's main branch on GitHub on May 15.

Organizations with Fluent Bit deployed in their own infrastructure and environments are advised to update as soon as possible. Alternatively, Tenable suggests, administrators can review any configurations relevant to Fluent Bit's monitoring API to ensure that only authorized users and services can query it – or even no users or services at all.