CVE-2024-37285 Overview
CVE-2024-37285 is a critical insecure deserialization vulnerability affecting Elastic Kibana. The flaw exists in how Kibana handles YAML document parsing, allowing attackers to craft malicious payloads that lead to arbitrary code execution when processed by the application. This vulnerability requires specific privilege combinations in both Elasticsearch and Kibana to exploit successfully, but can result in complete system compromise when these conditions are met.
Critical Impact
Successful exploitation allows remote attackers with elevated privileges to execute arbitrary code on the Kibana server, potentially compromising the entire Elastic Stack deployment and any connected data sources.
Affected Products
- Elastic Kibana (versions prior to 8.15.1)
- Elastic Stack deployments using Fleet or Integrations features
- Kibana instances with Fleet Server service account configurations
Discovery Timeline
- 2024-11-14 - CVE-2024-37285 published to NVD
- 2025-10-01 - Last updated in NVD database
Technical Details for CVE-2024-37285
Vulnerability Analysis
This insecure deserialization vulnerability (CWE-502) occurs when Kibana's YAML parsing functionality processes untrusted input without proper validation. The deserialization of YAML documents containing specially crafted payloads allows attackers to instantiate arbitrary objects and execute code within the context of the Kibana server process.
The attack requires a combination of specific Elasticsearch and Kibana privileges, making it a post-authentication vulnerability that targets users with elevated access. While this reduces the attack surface, privileged users or compromised accounts with the required permissions can leverage this flaw for complete server takeover.
Root Cause
The root cause lies in Kibana's YAML parsing implementation, which does not adequately sanitize or restrict the types of objects that can be instantiated during deserialization. When YAML documents are parsed, the deserializer processes type tags and constructor calls embedded in the document, enabling attackers to trigger arbitrary code execution through crafted payloads.
Attack Vector
Exploitation requires a malicious user to have a specific combination of Elasticsearch indices privileges and Kibana privileges:
Required Elasticsearch Indices Permissions:
- Write privilege on the system indices .kibana_ingest*
- The allow_restricted_indices flag must be set to true
Required Kibana Privileges (any of the following):
- Under Fleet: the "All" privilege is granted
- Under Integration: the "Read" or "All" privilege is granted
- Access to the fleet-setup privilege through Fleet Server's service account token
With these privileges, an attacker can inject a malicious YAML document into the Kibana ingest pipeline, which is then processed by the vulnerable YAML parser, triggering code execution on the server.
Detection Methods for CVE-2024-37285
Indicators of Compromise
- Unusual write operations to .kibana_ingest* indices from non-administrative accounts
- Unexpected YAML documents containing serialization markers or type tags in Fleet/Integration configurations
- Anomalous process spawning from the Kibana server process
- Unauthorized modifications to Fleet or Integration settings
Detection Strategies
- Monitor Elasticsearch audit logs for write operations to .kibana_ingest* indices with allow_restricted_indices enabled
- Implement file integrity monitoring on Kibana configuration directories
- Enable and review Kibana audit logging for Fleet and Integration management activities
- Deploy network monitoring to detect unusual outbound connections from Kibana servers
Monitoring Recommendations
- Configure alerting on privilege escalation attempts within the Elastic Stack
- Establish baseline behavior for Fleet Server service account activities
- Monitor for unusual authentication patterns involving accounts with Fleet or Integration privileges
- Implement SIEM rules to correlate Elasticsearch index writes with subsequent Kibana process anomalies
How to Mitigate CVE-2024-37285
Immediate Actions Required
- Upgrade Kibana to version 8.15.1 or later immediately
- Audit all user accounts with write access to .kibana_ingest* indices and revoke unnecessary privileges
- Review and restrict the allow_restricted_indices flag usage across all roles
- Audit Fleet and Integration privilege assignments and apply principle of least privilege
Patch Information
Elastic has released Kibana version 8.15.1 which addresses this vulnerability. The security update is documented in Elastic Security Advisory ESA-2024-27/ESA-2024-28. Organizations should prioritize upgrading to this patched version to eliminate the deserialization vulnerability.
Workarounds
- If immediate patching is not possible, restrict write access to .kibana_ingest* indices by removing the privilege from all non-essential roles
- Disable or limit access to Fleet and Integration features for accounts that do not require them
- Implement network segmentation to isolate Kibana servers from untrusted network segments
- Deploy a web application firewall (WAF) with rules to detect malicious YAML payloads
- Consider temporarily disabling Fleet Server service account tokens until patching is complete
# Example: Audit roles with write access to .kibana_ingest* indices
# Review output and revoke unnecessary privileges
curl -X GET "localhost:9200/_security/role" -H 'Content-Type: application/json' | \
jq '.[] | select(.indices[]?.names[]? | contains(".kibana_ingest")) | select(.indices[]?.privileges[]? == "write")'
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
