Fluent Bit, a widely used log-processing tool integral to cloud infrastructure, has been found to possess critical vulnerabilities that could permit full system takeovers. According to an analysis by Oligo Security in collaboration with Amazon Web Services (AWS), five severe flaws have been uncovered that potentially expose cloud environments to significant risks, including authentication bypass and arbitrary code execution.
Fluent Bit is deployed across various sectors, including the banking and automotive industries, and is supported by major cloud providers such as AWS, Google Cloud, and Microsoft Azure. Because the tool sits in so many pipelines, vulnerabilities in it could undermine the stability of the entire cloud ecosystem, as highlighted by Uri Katz from Oligo Security.
Overview of Vulnerabilities
- Bypassing Authentication: The most critical flaw revolves around the Fluent Bit forward input plugin known as “in_forward.” This can be misconfigured to appear secure while leaving an authentication loophole—if "Security.Users" is enabled without a "Shared.key," the feature becomes ineffective, allowing attackers to send arbitrary logs.
- Misrouting of Logs: Attackers may exploit issues with the plugin’s tagging mechanism. If they can guess the first character of a tag, they can reroute logs or bypass filters, facilitating further malicious activities.
- Remote Code Execution: Oligo also identified additional vulnerabilities that allow for remote code execution (RCE) and path traversal exploits. The output plugin "out_file" is vulnerable, as user-controlled Tag values can lead to unauthorized file writes, potentially allowing attackers to inject malicious files.
- Buffer Overflow Attacks: Another vulnerability exists in the Docker input plugin, where overly long container names can trigger a buffer overflow, allowing attackers to crash the logging agent or execute unwanted code.
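The forward-input misconfiguration in the first item and the tag-driven file writes in the third item, as a defender-side check. This is an added example and not Oligo's or the Fluent Bit project's code. It assumes the classic INI-style config format with the in_forward keys Security.Users and Shared_Key as documented (the checker folds "." and "_" together so the article's "Shared.key" spelling matches as well), a hypothetical out_file base directory of /var/log/fluent-bit, and constructed sample configs and tags:

```python
import posixpath
import re

# Constructed sample configs in Fluent Bit's classic (INI-style) format.
# Key names Security.Users / Shared_Key follow the in_forward documentation;
# the checker below also accepts the "Shared.key" spelling.
WEAK_CONFIG = """
[SERVICE]
    Flush  1

[INPUT]
    Name            forward
    Listen          0.0.0.0
    Port            24224
    Security.Users  fluent s3cret
    # No Shared_Key: the user list alone does not enforce authentication

[OUTPUT]
    Name   stdout
    Match  *
"""

HARDENED_CONFIG = """
[SERVICE]
    Flush  1

[INPUT]
    Name            forward
    Listen          0.0.0.0
    Port            24224
    Security.Users  fluent s3cret
    Shared_Key      REPLACE-WITH-A-LONG-RANDOM-SECRET

[OUTPUT]
    Name   stdout
    Match  *
"""

SECTION_RE = re.compile(r"^\[(\w+)\]$")


def parse_classic_config(text):
    """Parse classic-format config into a list of (SECTION, {key: [values]}).

    Keys are lower-cased and '.' is folded to '_' so that Security.Users /
    security_users and Shared.key / Shared_Key compare equal.
    """
    sections = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = SECTION_RE.match(line)
        if m:
            current = (m.group(1).upper(), {})
            sections.append(current)
            continue
        if current is None:
            continue  # key outside any section; ignore
        parts = line.split(None, 1)
        key = parts[0].lower().replace(".", "_")
        value = parts[1].strip() if len(parts) > 1 else ""
        current[1].setdefault(key, []).append(value)
    return sections


def find_ineffective_forward_auth(text):
    """Return indices of [INPUT] forward sections that list users but set no shared key."""
    findings = []
    for idx, (section, props) in enumerate(parse_classic_config(text)):
        if section != "INPUT":
            continue
        if "forward" not in [v.lower() for v in props.get("name", [])]:
            continue
        has_users = bool(props.get("security_users"))
        has_shared_key = any(v for v in props.get("shared_key", []))
        if has_users and not has_shared_key:
            findings.append(idx)
    return findings


def unsafe_output_path(base_dir, tag):
    """Naive join, for contrast: a tag containing '..' or a leading '/' escapes base_dir."""
    return posixpath.join(base_dir, tag)


def safe_output_path(base_dir, tag):
    """Return base_dir/<tag> only if the normalized path stays inside base_dir, else None."""
    base = posixpath.normpath(base_dir)
    candidate = posixpath.normpath(posixpath.join(base, tag))
    if candidate == base or not candidate.startswith(base + "/"):
        return None
    return candidate
```

Running find_ineffective_forward_auth over a deployment's config files flags forward inputs that look authenticated but are not; safe_output_path shows the containment check a file-writing sink needs before a tag (or any other sender-controlled value) becomes part of a filename.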
Mitigation Efforts
In response to these vulnerabilities, the Fluent Bit project has released patched versions v4.1.1 and v4.0.12 to address the security flaws. AWS has already secured its systems dependent on Fluent Bit and implemented the necessary updates to safeguard against these vulnerabilities.
For further details on these vulnerabilities, the full disclosure can be found in the Oligo Security blog.
Conclusion
The identification of these vulnerabilities underscores the need for heightened scrutiny and prompt action to secure widely deployed logging tools like Fluent Bit, especially given their crucial role in the cloud infrastructure.