Researchers with Tenable found a critical vulnerability in software used by major tech companies like Amazon and Walmart.
They found a bug within the popular open-source data collection and processing tool, Fluent Bit. As one of the leading cloud services, hundreds of companies and entities relied on Fluent Bit, leaving all of them exposed to the vulnerability dubbed CVE-2024-4323.
The flaw was a memory corruption bug in Fluent Bit’s built-in HTTPS server. Versions 2.0.7. through 3.0.3 were affected. T
Threat actors could exploit the bug to perform denial of service attacks (DDoS attacks) on large companies that use them. The memory corruption also lead to data leaks, though the exact scope of the data obtained is unknown.
They could also use it to give themselves remote access to Fluent Bit’s servers, however manipulating the exploit to accomplish this was significantly more difficult than it was to trigger a DDoS attack. Doing so would also require significantly more time, better tools, and a larger investment overall than it might be worth.
This leads researchers to believe the flaw would be used for DDoS attacks and data collection, rather than remote connection attacks.
“Access to these (Fluent Bit’s) endpoints alone could result in cross-tenant information leakage, but after testing Fluent Bit in a separate, isolated environment, the researchers happened upon the memory corruption issue detailed here,” researchers said in a blog post.
Researchers tested the bug to see what data they could observe from companies.
“While this is generally unlikely to reveal anything other than previous metrics requests, the researchers were able to occasionally retrieve partial secrets during their testing, indicating that this issue could potentially leak sensitive information,” they said.
Fortunately, after reporting the bug, Fluent Bit was able to successfully patch the problem.
“This issue was ultimately fixed by properly validating the data types of values in the “inputs” array sent to the “traces” endpoint,” the blog reads.