Executive Summary

This vulnerability is a Server-Side Request Forgery (SSRF) issue in Kibana. It allows authenticated users who have connector management privileges to bypass the connection allowlist that the operator has configured. By setting up a Webhook connector with a specially crafted target, an attacker can make Kibana send outbound requests to destinations that should have been blocked by egress restrictions.

Useful 0 Not Useful 0

Impact Analysis

The impact of this vulnerability is that an attacker with certain privileges can cause Kibana to send requests to unauthorized external or internal destinations. This can lead to unauthorized data exposure or interaction with internal systems that were meant to be protected by egress controls. The vulnerability has a high confidentiality impact, meaning sensitive information could be disclosed, but it does not affect integrity or availability.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability allows authenticated users to bypass egress restrictions and send outbound requests to unauthorized destinations, potentially exposing confidential data.

This unauthorized outbound network access could lead to confidentiality breaches, which may impact compliance with data protection regulations such as GDPR and HIPAA that require safeguarding sensitive information.

However, the provided information does not explicitly detail the direct effects on compliance with these standards.

Useful 0 Not Useful 0

Detection Guidance

Detection of this vulnerability involves identifying if your Kibana deployment is running a vulnerable version (9.0.0 through 9.2.7 or 9.3.0 through 9.3.1) and if users with connector management privileges have configured Webhook connectors that bypass egress restrictions.

You can check the Kibana version by running the following command on the server hosting Kibana:

• curl -X GET "http://localhost:5601/api/status" -H "kbn-xsrf: true" | grep version

To detect suspicious outbound requests that bypass the allowlist, monitor network traffic for unexpected outbound connections from the Kibana server, especially those that should be blocked by the `xpack.actions.allowedHosts` setting.

You can use network monitoring tools or commands such as:

• tcpdump -i <interface> host <kibana-server-ip> and dst not in <allowed-hosts>
• netstat -anp | grep kibana

Additionally, review the configuration of Webhook connectors in Kibana to identify any crafted targets that could be used to bypass egress restrictions.

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to upgrade Kibana to a patched version where this vulnerability is fixed.

• Upgrade to Kibana version 9.2.8 or later, or 9.3.2 or later.

If upgrading immediately is not possible, restrict connector management privileges to trusted users only and review or disable Webhook connectors that could be exploited.

Also, review and tighten the `xpack.actions.allowedHosts` setting to ensure outbound connections are properly restricted.

Useful 0 Not Useful 0