Description
Improper authorization in Kibana's Synthetic Monitoring feature can lead to privilege abuse: a user whose role does not grant the Synthetics privilege can reach synthetic monitoring data and actions by sending a direct HTTP request to a Synthetic monitor API endpoint, bypassing the checks the UI would apply. The issue is tracked as CVE-2024-43706 (Elastic advisory ESA-2024-21) and is fixed in Kibana 8.12.1.
Product(s):
- Elastic Kibana 4.1.0
- Elastic Kibana 4.1.1
- Elastic Kibana 4.2.0
- Elastic Kibana 4.2.1
- Elastic Kibana 4.3.0
- Elastic Kibana 4.3.1
- Elastic Kibana 4.4.0
- Elastic Kibana 4.4.1
- Elastic Kibana 4.4.2
- Elastic Kibana 4.5.0
- Elastic Kibana 4.6.6
- Elastic Kibana 5.0.0
- Elastic Kibana 5.0.1
- Elastic Kibana 5.0.2
- Elastic Kibana 5.1.1
- Elastic Kibana 5.1.2
- Elastic Kibana 5.2.0
- Elastic Kibana 5.2.1
- Elastic Kibana 5.2.2
- Elastic Kibana 5.3.0
- Elastic Kibana 5.3.1
- Elastic Kibana 5.3.2
- Elastic Kibana 5.4.0
- Elastic Kibana 5.5.1
- Elastic Kibana 5.5.2
- Elastic Kibana 5.5.3
- Elastic Kibana 5.6.0
- Elastic Kibana 5.6.1
- Elastic Kibana 5.6.2
- Elastic Kibana 5.6.3
- Elastic Kibana 5.6.4
- Elastic Kibana 5.6.5
- Elastic Kibana 5.6.6
- Elastic Kibana 5.6.7
- Elastic Kibana 5.6.8
- Elastic Kibana 5.6.9
- Elastic Kibana 5.6.10
- Elastic Kibana 5.6.11
- Elastic Kibana 5.6.12
- Elastic Kibana 5.6.13
- Elastic Kibana 5.6.14
- Elastic Kibana 5.6.15
- Elastic Kibana 5.6.16
- Elastic Kibana 6.0.0
- Elastic Kibana 6.0.1
- Elastic Kibana 6.1.0
- Elastic Kibana 6.1.1
- Elastic Kibana 6.1.2
- Elastic Kibana 6.1.3
- Elastic Kibana 6.1.4
- Elastic Kibana 6.*.*
- Elastic Kibana 6.2.0
- Elastic Kibana 6.2.1
- Elastic Kibana 6.2.2
- Elastic Kibana 6.2.3
- Elastic Kibana 6.2.4
- Elastic Kibana 6.3.0
- Elastic Kibana 6.3.1
- Elastic Kibana 6.3.2
- Elastic Kibana 6.4.0
- Elastic Kibana 6.4.1
- Elastic Kibana 6.4.2
- Elastic Kibana 6.4.3
- Elastic Kibana 6.5.0
- Elastic Kibana 6.5.1
- Elastic Kibana 6.5.2
- Elastic Kibana 6.5.3
- Elastic Kibana 6.5.4
- Elastic Kibana 6.6.0
- Elastic Kibana 6.6.1
- Elastic Kibana 6.6.2
- Elastic Kibana 6.7.0
- Elastic Kibana 6.7.1
- Elastic Kibana 6.7.2
- Elastic Kibana 6.8.0
- Elastic Kibana 6.8.1
- Elastic Kibana 6.8.2
- Elastic Kibana 6.8.3
- Elastic Kibana 6.8.4
- Elastic Kibana 6.8.5
- Elastic Kibana 6.8.6
- Elastic Kibana 6.8.7
- Elastic Kibana 6.8.8
- Elastic Kibana 6.8.9
- Elastic Kibana 6.8.10
- Elastic Kibana 6.8.11
- Elastic Kibana 6.8.15
- Elastic Kibana 6.8.16
- Elastic Kibana 7.*.*
- Elastic Kibana 7.0.1
- (124 additional affected product versions not listed here)
Question to Ask Vendors:
- Have you upgraded every Kibana instance to 8.12.1 or later to remediate CVE-2024-43706, which lets a user without the Synthetics privilege reach synthetic monitoring data and actions through a direct HTTP request to the monitor API?
- Can you confirm that Synthetic Monitoring is disabled (xpack.uptime.enabled: false in kibana.yml) on every Kibana instance where it is not in use, as the advisory recommends?
- Have you restricted network access to Kibana's HTTP port to trusted IP ranges, or placed it behind a secure proxy, so that untrusted clients cannot reach the Synthetic Monitoring endpoints while the improper authorization flaw is unpatched?
- Have you reviewed and tightened your RBAC definitions so that only the intended roles can access Synthetic Monitoring, and have you set all synthetics-* indices to read-only via dynamic index blocks to prevent unauthorized writes?
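The last question asks whether the synthetics-* indices carry a dynamic index block. The following Python is an added example, not code from the advisory or from Elastic: it audits an Elasticsearch `_settings` response for synthetics indices that are still writable and builds the `PUT _settings` call that applies the block. The sample response is constructed for this example, and the index names in it are made up; the setting names `index.blocks.write` and `index.blocks.read_only` are real Elasticsearch dynamic index settings.

```python
import json
from typing import Dict, List

# Constructed sample in the shape of an Elasticsearch
# `GET /synthetics-*/_settings?filter_path=*.settings.index.blocks` response.
# Index names are made up; in 8.x the synthetics-* data streams resolve to
# .ds-synthetics-* backing indices shaped like these.
SAMPLE_SETTINGS: Dict[str, dict] = json.loads("""
{
  ".ds-synthetics-http-default-2024.02.01-000001":
    {"settings": {"index": {"blocks": {"write": "true"}}}},
  ".ds-synthetics-http-default-2024.02.15-000002":
    {"settings": {"index": {}}},
  ".ds-synthetics-browser-default-2024.02.10-000001":
    {"settings": {"index": {"blocks": {"write": "false"}}}}
}
""")


def is_write_blocked(index_entry: dict) -> bool:
    """True if the index carries a block that stops indexing.

    Elasticsearch reports block flags as the strings "true"/"false".
    index.blocks.write stops writes; index.blocks.read_only stops writes and
    metadata changes, so either one satisfies the read-only mitigation."""
    blocks = index_entry.get("settings", {}).get("index", {}).get("blocks", {})
    return any(str(blocks.get(key, "false")).lower() == "true"
               for key in ("write", "read_only"))


def unblocked_indices(settings_response: Dict[str, dict]) -> List[str]:
    """Return the names of the synthetics indices that still accept writes."""
    return sorted(name for name, entry in settings_response.items()
                  if not is_write_blocked(entry))


def write_block_request(index_pattern: str = "synthetics-*") -> dict:
    """The REST call that applies the dynamic block to every matching index.

    The setting is dynamic, so no reindex or restart is needed. It also stops
    the Synthetics service and Heartbeat from ingesting new monitor results,
    so treat it as a temporary control until Kibana is upgraded."""
    return {
        "method": "PUT",
        "path": f"/{index_pattern}/_settings",
        "body": {"index.blocks.write": True},
    }


if __name__ == "__main__":
    gaps = unblocked_indices(SAMPLE_SETTINGS)
    print("synthetics indices still writable:", gaps)
    if gaps:
        req = write_block_request()
        print(f"apply: {req['method']} {req['path']} {json.dumps(req['body'])}")
```

To run this against a real cluster, fetch the settings with the query shown in the comment (authenticated, over TLS) and feed the parsed JSON to `unblocked_indices`; re-run it after applying the block to confirm that every backing index, including ones created by a later rollover, is covered.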
Recommended Actions:
- Detection: Alert on requests to /api/synthetics/monitors from users whose roles do not grant the Synthetics privilege, and on write attempts to synthetics-* indices by low-privilege accounts.
- Elastic Cloud Mitigation: Apply a read-only block on synthetics-* indices to prevent unauthorized writes.
- Harden Access Controls: Review and tighten RBAC definitions so that only the intended roles can access Synthetic Monitoring.
- Network Restrictions: Limit Kibana HTTP access to trusted IPs or route it through a secure proxy.
- Self-Hosted Mitigations: Disable Synthetic Monitoring if it is unused (xpack.uptime.enabled: false). Lock down data: set all synthetics-* indices to read-only via dynamic index blocks. Note that a write block also stops legitimate ingest of new monitor results, so it is a temporary measure until the upgrade is done.
- Upgrade Kibana: Update all instances to 8.12.1 or later without delay; this is the only complete fix, and the items above are compensating controls.
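The detection item above calls for two alerts: monitor-API requests from users who should not have the Synthetics privilege, and writes to synthetics-* indices by low-privilege accounts. The Python below is an added example, not code from the advisory or from Elastic, that runs both checks over audit log lines. The log lines are constructed for this example and only follow the shape of Kibana's ECS JSON audit log (http_request events, nested keys) and Elasticsearch's JSON audit log (access_granted events, flat dotted keys); the user names are made up, and apart from the built-in "superuser" the role names in the two allowlists are hypothetical placeholders for your own RBAC definitions. Audit logs record role names, not effective privileges, so the allowlists are the one piece of local knowledge you must supply.

```python
import json
from typing import Dict, Iterable, List

# Assumed allowlists. "superuser" is a real built-in role; the other names are
# hypothetical and stand in for the roles your RBAC actually grants.
SYNTHETICS_ROLES = {"superuser", "synthetics_admin", "synthetics_viewer"}   # may use the Kibana Synthetics app
SYNTHETICS_WRITER_ROLES = {"superuser", "synthetics_ingest"}                # may write monitor results
MONITOR_API_PREFIX = "/api/synthetics/monitors"

# Constructed sample lines shaped like Kibana's ECS JSON audit log.
KIBANA_AUDIT_LINES = [
    '{"@timestamp":"2024-02-20T10:00:01Z","event":{"action":"http_request","category":["web"]},'
    '"http":{"request":{"method":"get"}},"url":{"path":"/api/synthetics/monitors"},'
    '"user":{"name":"sre_ops","roles":["synthetics_admin"]},"kibana":{"space_id":"default"}}',
    '{"@timestamp":"2024-02-20T10:00:02Z","event":{"action":"http_request","category":["web"]},'
    '"http":{"request":{"method":"get"}},"url":{"path":"/api/synthetics/monitors"},'
    '"user":{"name":"analyst","roles":["dashboards_only"]},"kibana":{"space_id":"default"}}',
    '{"@timestamp":"2024-02-20T10:00:03Z","event":{"action":"http_request","category":["web"]},'
    '"http":{"request":{"method":"delete"}},"url":{"path":"/api/synthetics/monitors/abc123"},'
    '"user":{"name":"analyst","roles":["dashboards_only"]},"kibana":{"space_id":"default"}}',
    '{"@timestamp":"2024-02-20T10:00:04Z","event":{"action":"http_request","category":["web"]},'
    '"http":{"request":{"method":"get"}},"url":{"path":"/api/status"},'
    '"user":{"name":"analyst","roles":["dashboards_only"]},"kibana":{"space_id":"default"}}',
]

# Constructed sample lines shaped like Elasticsearch's JSON audit log.
ES_AUDIT_LINES = [
    '{"@timestamp":"2024-02-20T10:00:05Z","event.type":"transport","event.action":"access_granted",'
    '"user.name":"heartbeat_writer","user.roles":["synthetics_ingest"],'
    '"action":"indices:data/write/bulk","indices":[".ds-synthetics-http-default-2024.02.15-000002"]}',
    '{"@timestamp":"2024-02-20T10:00:06Z","event.type":"transport","event.action":"access_granted",'
    '"user.name":"analyst","user.roles":["dashboards_only"],'
    '"action":"indices:data/write/index","indices":["synthetics-http-default"]}',
    '{"@timestamp":"2024-02-20T10:00:07Z","event.type":"transport","event.action":"access_granted",'
    '"user.name":"analyst","user.roles":["dashboards_only"],'
    '"action":"indices:data/read/search","indices":["synthetics-http-default"]}',
]


def kibana_synthetics_alerts(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Flag monitor-API requests whose caller has no role from SYNTHETICS_ROLES."""
    alerts = []
    for line in lines:
        ev = json.loads(line)
        if ev.get("event", {}).get("action") != "http_request":
            continue
        path = ev.get("url", {}).get("path", "")
        if not path.startswith(MONITOR_API_PREFIX):
            continue
        user = ev.get("user", {})
        roles = set(user.get("roles", []))
        if roles & SYNTHETICS_ROLES:
            continue
        alerts.append({
            "ts": ev.get("@timestamp", ""),
            "user": user.get("name", "?"),
            "method": ev.get("http", {}).get("request", {}).get("method", "?").upper(),
            "path": path,
            "roles": ",".join(sorted(roles)),
        })
    return alerts


def is_synthetics_index(name: str) -> bool:
    # Matches the synthetics-* data streams and their .ds-synthetics-* backing indices.
    return name.startswith("synthetics-") or name.startswith(".ds-synthetics-")


def es_synthetics_write_alerts(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Flag granted write actions on synthetics indices by non-writer roles.

    access_granted means the cluster authorized the write, so a hit here is
    evidence of an over-broad role, not of a blocked attempt."""
    alerts = []
    for line in lines:
        ev = json.loads(line)
        if ev.get("event.action") != "access_granted":
            continue
        action = ev.get("action", "")
        if not action.startswith("indices:data/write/"):
            continue
        targets = [i for i in ev.get("indices", []) if is_synthetics_index(i)]
        if not targets:
            continue
        roles = set(ev.get("user.roles", []))
        if roles & SYNTHETICS_WRITER_ROLES:
            continue
        alerts.append({"ts": ev.get("@timestamp", ""), "user": ev.get("user.name", "?"),
                       "action": action, "indices": ",".join(targets),
                       "roles": ",".join(sorted(roles))})
    return alerts


if __name__ == "__main__":
    for a in kibana_synthetics_alerts(KIBANA_AUDIT_LINES) + es_synthetics_write_alerts(ES_AUDIT_LINES):
        print("ALERT", a)
```

Both sources need auditing switched on first: `xpack.security.audit.enabled: true` in kibana.yml (with a file or logging appender configured) and the same key in elasticsearch.yml. Keep the allowlists in sync with `GET _security/role` output, and note that the Kibana check only flags the API path named in the advisory; widen `MONITOR_API_PREFIX` to a list if you want to cover the rest of the Synthetics API surface.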
References:
- https://capec.mitre.org/data/definitions/1.html
- https://capec.mitre.org/data/definitions/104.html
- https://capec.mitre.org/data/definitions/127.html
- https://capec.mitre.org/data/definitions/13.html
- https://capec.mitre.org/data/definitions/17.html
- https://capec.mitre.org/data/definitions/39.html
- https://capec.mitre.org/data/definitions/402.html
- https://capec.mitre.org/data/definitions/45.html
- https://capec.mitre.org/data/definitions/5.html
- https://capec.mitre.org/data/definitions/51.html
- https://capec.mitre.org/data/definitions/59.html
- https://capec.mitre.org/data/definitions/60.html
- https://capec.mitre.org/data/definitions/647.html
- https://capec.mitre.org/data/definitions/668.html
- https://capec.mitre.org/data/definitions/76.html
- https://capec.mitre.org/data/definitions/77.html
- https://capec.mitre.org/data/definitions/87.html
- https://discuss.elastic.co/t/kibana-8-12-1-security-update-esa-2024-21/379064
- https://nvd.nist.gov/vuln/detail/CVE-2024-43706
- https://securityonline.info/high-severity-flaw-in-kibana-unauthorized-access-possible-in-synthetic-monitoring/