#VU18082 Insufficient logging in Beats


Published: 2019-03-27

Vulnerability identifier: #VU18082

Vulnerability risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-7613

CWE-ID: CWE-778

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Beats
Server applications / Other server solutions

Vendor: Elastic Stack

Description

The vulnerability allows a remote attacker disrupt logging functionality of the application.

The vulnerability exists due to insufficient sanitization of user-supplied input when writing events into log files within the Winlogbeat. A remote attacker with ability to supply specially crafted characters to the Elasticsearch application can inject certain characters into a log entry could prevent Winlogbeat from recording the event.

Successful exploitation of the vulnerability may allow attackers to hide their  malicious activity on the system.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Beats: 5.6.0 - 6.6.1

External links
http://discuss.elastic.co/t/elastic-stack-6-6-2-and-5-6-16-security-update/173180

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Security restrictions bypass in Elastic beats