Kibana - Remote Code Execution (CVE-2019-7609)

Kibana is affected by a Remote Code Execution vulnerability. Kibana versions before 5.6.15 and 6.6.1 contain an arbitrary code execution flaw in the Timelion visualizer. An attacker with access to the Timelion application could send a request that will attempt to execute javascript code. This could possibly lead to an attacker executing arbitrary commands with permissions of the Kibana process on the host system. The root cause of this vulnerability is the parataxis of the prototype pollution vulnerability and the existence of a public function that can spawn a new node process. This allows attackers to create prototype pollution gadgets, which can be very dangerous on Node.js applications, as they have their back-end written in JavaScript.

Sniper can gain unauthenticated Remote Code Execution on the target system and extract multiple artefacts as evidence.

The risk exists that a remote unauthenticated attacker can fully compromise the Kibana server to steal confidential information, install ransomware or create a reverse shell.

Upgrade Kibana to the latest version or version 6.6.1 or 5.6.15. Users unable to upgrade can disable Timelion by setting timelion.enabled to false in the kibana.yml configuration file.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7609
https://www.tenable.com/cve/CVE-2019-7609
https://discuss.elastic.co/t/elastic-stack-6-6-1-and-5-6-15-security-update/169077