CVE-2024-37285 Overview
CVE-2024-37285 is a critical insecure deserialization vulnerability affecting Elastic Kibana. The flaw exists in how Kibana handles YAML document parsing, allowing attackers to craft malicious payloads that lead to arbitrary code execution when processed by the application. This vulnerability requires specific privilege combinations in both Elasticsearch and Kibana to exploit successfully, but can result in complete system compromise when these conditions are met.
Critical Impact
Successful exploitation allows remote attackers with elevated privileges to execute arbitrary code on the Kibana server, potentially compromising the entire Elastic Stack deployment and any connected data sources.
Affected Products
- Elastic Kibana (versions prior to 8.15.1)
- Elastic Stack deployments using Fleet or Integrations features
- Kibana instances with Fleet Server service account configurations
Discovery Timeline
- 2024-11-14 - CVE-2024-37285 published to NVD
- 2025-10-01 - Last updated in NVD database
Technical Details for CVE-2024-37285
Vulnerability Analysis
This insecure deserialization vulnerability (CWE-502) occurs when Kibana's YAML parsing functionality processes untrusted input without proper validation. The deserialization of YAML documents containing specially crafted payloads allows attackers to instantiate arbitrary objects and execute code within the context of the Kibana server process.
The attack requires a combination of specific Elasticsearch and Kibana privileges, making it a post-authentication vulnerability that targets users with elevated access. While this reduces the attack surface, privileged users or compromised accounts with the required permissions can leverage this flaw for complete server takeover.
Root Cause
The root cause lies in Kibana's YAML parsing implementation, which does not adequately sanitize or restrict the types of objects that can be instantiated during deserialization. When YAML documents are parsed, the deserializer processes type tags and constructor calls embedded in the document, enabling attackers to trigger arbitrary code execution through crafted payloads.
Attack Vector
Exploitation requires a malicious user to have a specific combination of Elasticsearch indices privileges and Kibana privileges:
Required Elasticsearch Indices Permissions:
- Write privilege on the system indices .kibana_ingest*
- The allow_restricted_indices flag must be set to true
Required Kibana Privileges (any of the following):
- Under Fleet: the "All" privilege is granted
- Under Integration: the "Read" or "All" privilege is granted
- Access to the fleet-setup privilege through Fleet Server's service account token
With these privileges, an attacker can inject a malicious YAML document into the Kibana ingest pipeline, which is then processed by the vulnerable YAML parser, triggering code execution on the server.
Detection Methods for CVE-2024-37285
Indicators of Compromise
- Unusual write operations to .kibana_ingest* indices from non-administrative accounts
- Unexpected YAML documents containing serialization markers or type tags in Fleet/Integration configurations
- Anomalous process spawning from the Kibana server process
- Unauthorized modifications to Fleet or Integration settings
Detection Strategies
- Monitor Elasticsearch audit logs for write operations to .kibana_ingest* indices with allow_restricted_indices enabled
- Implement file integrity monitoring on Kibana configuration directories
- Enable and review Kibana audit logging for Fleet and Integration management activities
- Deploy network monitoring to detect unusual outbound connections from Kibana servers
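As an added example (not part of the original advisory), a small detector for the first strategy above: it scans Elasticsearch audit-log events for granted write actions against .kibana_ingest* indices by accounts outside an assumed allowlist. The sample log lines and the EXPECTED_WRITERS allowlist are constructed for the example; field names follow the Elasticsearch JSON audit-log layout.

```python
import json
from fnmatch import fnmatch

# Constructed sample Elasticsearch audit-log lines (one JSON event per line), using
# the field names ES emits: event.action, user.name, user.roles, action, indices.
SAMPLE_AUDIT_LOG = """\
{"type":"audit","timestamp":"2024-11-15T10:01:02,123+0000","event.type":"transport","event.action":"access_granted","user.name":"fleet_admin","user.roles":["fleet_admin_role"],"action":"indices:data/write/index","request.name":"IndexRequest","indices":[".kibana_ingest"]}
{"type":"audit","timestamp":"2024-11-15T10:02:15,456+0000","event.type":"transport","event.action":"access_granted","user.name":"analyst","user.roles":["analyst_role"],"action":"indices:data/write/bulk","request.name":"BulkRequest","indices":[".kibana_ingest_8.15.0"]}
{"type":"audit","timestamp":"2024-11-15T10:03:30,789+0000","event.type":"transport","event.action":"access_granted","user.name":"analyst","user.roles":["analyst_role"],"action":"indices:data/read/search","request.name":"SearchRequest","indices":["logs-*"]}
{"type":"audit","timestamp":"2024-11-15T10:04:00,000+0000","event.type":"transport","event.action":"access_denied","user.name":"guest","user.roles":["viewer"],"action":"indices:data/write/index","request.name":"IndexRequest","indices":[".kibana_ingest"]}
"""

# Assumed allowlist of accounts expected to write Fleet's system indices
# (in practice Kibana's own system user and the Fleet Server service account).
EXPECTED_WRITERS = {"fleet_admin"}

WRITE_ACTION_PREFIX = "indices:data/write/"
TARGET_INDEX_PATTERN = ".kibana_ingest*"

def is_suspicious(event: dict) -> bool:
    """True for a granted write to a .kibana_ingest* index by an account outside the allowlist."""
    if event.get("event.action") != "access_granted":
        return False          # denied attempts are handled by a separate rule, not flagged here
    if not event.get("action", "").startswith(WRITE_ACTION_PREFIX):
        return False
    if not any(fnmatch(name, TARGET_INDEX_PATTERN) for name in event.get("indices", [])):
        return False
    return event.get("user.name") not in EXPECTED_WRITERS

def scan_audit_log(text: str) -> list:
    """Parse JSON lines (skipping malformed ones) and return compact alert records."""
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue          # non-JSON debris (e.g. around log rotation) is skipped, not fatal
        if is_suspicious(event):
            alerts.append({"timestamp": event.get("timestamp"), "user": event.get("user.name"),
                           "roles": event.get("user.roles", []), "action": event.get("action"),
                           "indices": event.get("indices", [])})
    return alerts

if __name__ == "__main__":
    for alert in scan_audit_log(SAMPLE_AUDIT_LOG):
        print(json.dumps(alert))
```

Only the analyst's bulk write is reported: the fleet_admin write is allowlisted, the search is not a write, and the guest attempt was denied.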
Monitoring Recommendations
- Configure alerting on privilege escalation attempts within the Elastic Stack
- Establish baseline behavior for Fleet Server service account activities
- Monitor for unusual authentication patterns involving accounts with Fleet or Integration privileges
- Implement SIEM rules to correlate Elasticsearch index writes with subsequent Kibana process anomalies
How to Mitigate CVE-2024-37285
Immediate Actions Required
- Upgrade Kibana to version 8.15.1 or later immediately
- Audit all user accounts with write access to .kibana_ingest* indices and revoke unnecessary privileges
- Review and restrict the allow_restricted_indices flag usage across all roles
- Audit Fleet and Integration privilege assignments and apply principle of least privilege
Patch Information
Elastic has released Kibana version 8.15.1, which addresses this vulnerability. The security update is documented in Elastic Security Advisory ESA-2024-27/ESA-2024-28. Organizations should prioritize upgrading to this patched version to eliminate the deserialization vulnerability.
Workarounds
- If immediate patching is not possible, restrict write access to .kibana_ingest* indices by removing the privilege from all non-essential roles
- Disable or limit access to Fleet and Integration features for accounts that do not require them
- Implement network segmentation to isolate Kibana servers from untrusted network segments
- Deploy a web application firewall (WAF) with rules to detect malicious YAML payloads
- Consider temporarily disabling Fleet Server service account tokens until patching is complete
# Example: list roles that can write to the .kibana_ingest* system indices, i.e. an index
# grant that covers them (incl. wildcards such as "*") with a write-capable privilege and
# allow_restricted_indices set. Add -u user:pass or an API-key header as your cluster requires.
curl -s "localhost:9200/_security/role" | \
jq -r 'to_entries[] as $r | $r.value.indices[]?
       | select(any(.names[]; startswith(".kibana") or . == "*")
           and any(.privileges[]; . == "write" or . == "all" or . == "index")
           and .allow_restricted_indices == true)
       | "\($r.key)\t\(.names | join(","))\t\(.privileges | join(","))"'
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


