Workaround for Kibana Reporting Vulnerability ESA-2018-17 (CVE-2018-17245)

security

(Robin Schneider) #1

I would like to propose a workaround to mitigate CVE-2018-17245 which:

  • Does not require a Kibana (and in turn also Elasticsearch) upgrade.
  • Does not require disabling reporting altogether using xpack.reporting.enabled.

It works by blocking outgoing connections from the Kibana user to the Internet on the server where Kibana is running. Example iptables script:

# IPv4: allow replies on connections that are already open, then log (rate-limited,
# debug level) and reject any other connection the "kibana" user opens outside 10.0.0.0/8.
# Note that "-F OUTPUT" flushes every rule already present in the OUTPUT chain.
iptables -F OUTPUT
iptables -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT ! -d 10.0.0.0/8 -m owner --uid-owner kibana -m limit --limit 5/min -j LOG --log-prefix "Kibana security workaround: " --log-level 7
iptables -A OUTPUT ! -d 10.0.0.0/8 -m owner --uid-owner kibana -j REJECT

# IPv6: the same policy for the site's internal (ULA) prefix; adjust the prefix to your own range.
ip6tables -F OUTPUT
ip6tables -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
ip6tables -A OUTPUT ! -d fd95:9d43:c67b:3d75::/64 -m owner --uid-owner kibana -m limit --limit 5/min -j LOG --log-prefix "Kibana security workaround: " --log-level 7
ip6tables -A OUTPUT ! -d fd95:9d43:c67b:3d75::/64 -m owner --uid-owner kibana -j REJECT

Feel free to give feedback on this.

Ref: https://www.elastic.co/blog/elastic-support-alert-kibana-reporting-vulnerability
Ref: https://github.com/elastic/kibana/pull/24177
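
An added example, not Robin's script: the same egress policy rendered as a dedicated chain by a small sh function, so applying it leaves whatever is already in OUTPUT intact and re-running it is safe. It assumes Kibana runs as the kibana user and takes the internal ranges Kibana must still reach (loopback, the Elasticsearch hosts) as arguments.

```shell
#!/bin/sh
# Added example (not from the post above). Renders the Kibana egress policy as
# a dedicated chain instead of flushing OUTPUT. Assumptions: Kibana runs as the
# "kibana" user; every range it must still reach is passed as a CIDR argument.

# kibana_egress_rules <iptables|ip6tables> <allowed-cidr>...
# Prints the commands; review them, then pipe to sh as root to apply.
kibana_egress_rules() {
  ipt=$1; shift
  chain=KIBANA_EGRESS
  # create the chain, or flush it if it already exists (idempotent)
  printf '%s -N %s 2>/dev/null || %s -F %s\n' "$ipt" "$chain" "$ipt" "$chain"
  # replies on connections that are already open are not new egress
  printf '%s -A %s -m conntrack --ctstate RELATED,ESTABLISHED -j RETURN\n' "$ipt" "$chain"
  # destinations Kibana legitimately needs fall back to the normal OUTPUT policy
  for cidr in "$@"; do
    printf '%s -A %s -d %s -j RETURN\n' "$ipt" "$chain" "$cidr"
  done
  # everything else: rate-limited log line for detection, then reject
  printf '%s -A %s -m limit --limit 5/min -j LOG --log-prefix "Kibana security workaround: " --log-level 7\n' "$ipt" "$chain"
  printf '%s -A %s -j REJECT\n' "$ipt" "$chain"
  # hook the chain into OUTPUT for packets owned by the kibana user, only once
  printf '%s -C OUTPUT -m owner --uid-owner kibana -j %s 2>/dev/null || %s -I OUTPUT 1 -m owner --uid-owner kibana -j %s\n' \
    "$ipt" "$chain" "$ipt" "$chain"
}

# Convenience wrapper: apply both address families, e.g.
#   apply_kibana_egress 10.0.0.0/8 fd95:9d43:c67b:3d75::/64
apply_kibana_egress() {
  kibana_egress_rules iptables 127.0.0.0/8 "$1" | sh &&
  kibana_egress_rules ip6tables ::1/128 "$2" | sh
}
```

Rendered rules can be checked afterwards with `iptables -S KIBANA_EGRESS`, and blocked attempts show up in the kernel log under the "Kibana security workaround: " prefix.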


(Jen Huang) #2

Hi Robin, thank you for suggesting this workaround. Can you open this as a Github issue, perhaps with [Discuss] in the title, so our security team can take a look and provide feedback?


(Robin Schneider) #3

Thanks! Done: https://github.com/elastic/kibana/issues/25579
I improved the example by ensuring that IPv6 is also covered.