Elastic Packetbeat
cpe:2.3:a:elasticsearch:packetbeat:*:*:*:*:*:*:*
- >= 8.0.0, <= 8.19.8
- >= 9.0.0, <= 9.1.8
- >= 9.2.0, <= 9.2.2
A buffer overflow vulnerability has been identified in Elastic Packetbeat versions 7.x, 8.x (8.0.0 through 8.19.8), and 9.x (9.0.0 through 9.1.8 and 9.2.0 through 9.2.2). This vulnerability arises from improper bounds checking, which can be exploited by a remote, unauthenticated attacker. The attacker can send a single crafted UDP packet with an invalid fragment sequence number, leading to a reliable application crash or significant resource exhaustion. This issue affects users who have enabled the memcached collection in the Network Packet Capture integration while using Elastic Agent.
Exploitation of this vulnerability causes a buffer overflow, which can crash the Packetbeat application or cause significant resource exhaustion.
Users can upgrade to Packetbeat versions 8.19.9, 9.1.9, or 9.2.3 to address this vulnerability. Those who cannot upgrade and are using Elastic Agent can disable the memcached collection in the Network Packet Capture integration while leaving other network collections enabled.
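The kind of bounds check whose absence is described above, validating a fragment sequence number before it is used to place a fragment, as an added Go example; it is not Packetbeat's code or the actual fix. It assumes the memcached UDP frame header (request ID, sequence number, total datagrams, reserved, each a big-endian 16-bit field); `Reassembly`, `maxFragments` and the sample frame are hypothetical and constructed for illustration.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	udpHeaderLen = 8    // request ID, sequence, total, reserved: 4 x uint16, big-endian
	maxFragments = 1024 // assumed local cap on datagrams per message
)
var ErrBadFrame = errors.New("memcache udp: invalid frame header")

// Reassembly (hypothetical type) collects the fragments of one UDP message.
type Reassembly struct {
	parts    [][]byte
	received int
}

// Add validates the header before seq is used as an index; it returns the payload once complete.
func (r *Reassembly) Add(pkt []byte) ([]byte, error) {
	if len(pkt) < udpHeaderLen {
		return nil, ErrBadFrame
	}
	seq := int(binary.BigEndian.Uint16(pkt[2:4]))
	total := int(binary.BigEndian.Uint16(pkt[4:6]))
	if total == 0 || total > maxFragments || seq >= total {
		return nil, ErrBadFrame
	}
	if r.parts == nil {
		r.parts = make([][]byte, total) // sized once, from a bounded value
	}
	// Later fragments must agree on the total and must not repeat a slot.
	if total != len(r.parts) || r.parts[seq] != nil {
		return nil, ErrBadFrame
	}
	r.parts[seq] = append([]byte{}, pkt[udpHeaderLen:]...)
	if r.received++; r.received < total {
		return nil, nil
	}
	return bytes.Join(r.parts, nil), nil
}

func main() {
	_, err := new(Reassembly).Add([]byte{0, 1, 0, 9, 0, 2, 0, 0, 'x'}) // constructed: seq 9 of 2
	fmt.Println(err)
}
```

Fragments may arrive out of order, so the sequence number is checked against both the declared total and the buffer sized from the first fragment.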