Grafana CVE-2021-43798 Vulnerability Actively Exploited in the Wild

Grafana recently released an advisory and patch for a critical path traversal vulnerability that leads to an unauthenticated Local File Inclusion. This vulnerability affects Grafana versions v8.0.0-beta1 through v8.3.0; Grafana Cloud remains unaffected.
Updated on April 19, 2023
Published on December 9, 2021
Category: Vulnerability Intelligence
Vulnerability Class: Local File Inclusion (Unauthenticated)
CVE ID: CVE-2021-43798
CVSS:3.0 Score: 7.5
TLP: GREEN
Reference: * https://en.wikipedia.org/wiki/Intelligence_source_and_information_reliability ; # https://en.wikipedia.org/wiki/Traffic_Light_Protocol

Executive Summary

  • Grafana recently released an advisory and patch for a critical path traversal vulnerability that leads to an unauthenticated Local File Inclusion.
  • Grafana is a multi-platform open-source analytics and interactive visualization web application.
  • This vulnerability affects Grafana versions v8.0.0-beta1 through v8.3.0; Grafana Cloud remains unaffected.
  • Threat actors can leverage this flaw by crafting an HTTP request that reads sensitive files from the server, leading to sensitive information disclosure.
[Figure: Threat actor discussing CVE-2021-43798 on a cybercrime forum]

Analysis

  • Grafana is an open-source solution for collecting metrics and data about applications and building dashboards from them. These dashboards give insight into user behavior, application behavior, the frequency and type of errors occurring in production or pre-production environments, and the surrounding context, by presenting the relevant data side by side.
  • Grafana has become a popular solution for analyzing and visualizing data. According to Censys, Grafana is currently running on 114,575 instances.
[Figure: Search results from Censys]
  • To exploit this vulnerability, an attacker simply needs to send a GET request to the targeted instance. For example:
    POC - {host}/public/plugins/{pluginID}/../../../../../../../../etc/passwd
In the above example, “pluginID” can be any default plugin that comes pre-installed with Grafana, such as:
  • alertlist
  • annolist
  • barchart
  • bargauge
  • candlestick
  • cloudwatch
  • dashlist
  • elasticsearch
[Figure: Screenshot of the information extracted by the use of a GET request]

Information from OSINT

Ever since this vulnerability was made public, there has been continuous scanning for vulnerable targets. Because of the ease of exploitation, threat actors have begun exploiting this vulnerability on a large scale in the wild. Multiple POC scripts are also available for this vulnerability on open-source platforms such as GitHub.
[Figure: POC script available for free on GitHub]

Vulnerability Analysis

The vulnerability arises from a scenario in which the developer either misunderstood or did not thoroughly read the documentation of the functions being used, in pkg/api/plugins.go.
[Figure: The functions being used by the developer]
In this scenario, the developer made the error by misinterpreting the behaviour of a built-in Go function called Clean.
[Figure: Screenshot of the documentation of the Go Clean function]
As the documentation states, Clean does not strip ".." elements at the beginning of a non-rooted path: if the path does not start with "/", any leading "../" sequences are left in place. As highlighted in the screenshots above, a comment in the code tells the Gosec tool (a Go security checker) to ignore the alert it raised on this line. This mistake led to a path traversal vulnerability.
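The following Go program is an added example, not Grafana's code and not its patch: it shows the Clean behaviour just described on a non-rooted versus a rooted path, models the bug class by joining the cleaned request path onto a plugin directory, and contrasts that with a resolver that refuses any result outside the plugin directory. The plugin directory, file names and error value are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrTraversal is returned when the resolved file lies outside the plugin directory.
var ErrTraversal = errors.New("requested path escapes the plugin directory")

// cleanUnrooted applies filepath.Clean to a relative path. As the Go docs say,
// leading ".." elements of a non-rooted path are kept, so traversal survives.
func cleanUnrooted(p string) string { return filepath.Clean(p) }

// cleanRooted prefixes "/" first; the leading ".." then cannot climb above
// the root and Clean drops them.
func cleanRooted(p string) string { return filepath.Clean("/" + p) }

// joinUnchecked models the bug class in the advisory (constructed, not
// Grafana's exact code): the cleaned-but-still-traversing path is joined onto
// the plugin directory, and the ".." elements then walk out of it.
func joinUnchecked(pluginDir, requested string) string {
	return filepath.Join(pluginDir, filepath.Clean(requested))
}

// resolvePluginFile is a hardened resolver (this example's own approach): join,
// then refuse anything that no longer sits under the plugin directory. Symlinks
// inside pluginDir are not followed; use filepath.EvalSymlinks if that matters.
func resolvePluginFile(pluginDir, requested string) (string, error) {
	root := filepath.Clean(pluginDir)
	full := filepath.Join(root, filepath.FromSlash(requested))
	if full != root && !strings.HasPrefix(full, root+string(filepath.Separator)) {
		return "", ErrTraversal
	}
	return full, nil
}

func main() {
	// Constructed inputs shaped like the request path quoted in the advisory.
	dir := "/var/lib/grafana/plugins/alertlist"
	evil := "../../../../../../../../etc/passwd"
	fmt.Println(cleanUnrooted(evil))      // ../../../../../../../../etc/passwd
	fmt.Println(cleanRooted(evil))        // /etc/passwd
	fmt.Println(joinUnchecked(dir, evil)) // /etc/passwd (escaped the plugin dir)
	_, err := resolvePluginFile(dir, evil)
	fmt.Println(err) // requested path escapes the plugin directory
}
```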

Impact & Mitigation

Impact
  • An LFI (Local File Inclusion) vulnerability can lead to sensitive information disclosure.
  • A threat actor can potentially read SSH keys from users and get a secure shell on the server, which can lead to complete server takeover and ransomware attacks.
  • Since it is an unauthenticated vulnerability, with a lot of publicly available exploitation scripts, it can be easily exploited even by actors with limited know-how and resources.

Mitigation
  • Update your Grafana software to the latest patched versions:
    • 8.3.1
    • 8.2.7
    • 8.1.8
    • 8.0.7
 

References

  1. TomNomNom: Technical Analysis of the Vulnerability
  2. Grafana Security Advisory
