| Field | Value |
|---|---|
| Category | Vulnerability Intelligence |
| Vulnerability Class | Local File Inclusion (Unauthenticated) |
| CVE ID | CVE-2021-43798 |
| CVSS:3.0 Score | 7.5 |
| TLP | GREEN |
| Reference | https://en.wikipedia.org/wiki/Intelligence_source_and_information_reliability ; https://en.wikipedia.org/wiki/Traffic_Light_Protocol |
Executive Summary
- Grafana recently released an advisory and a patch for a critical path traversal vulnerability that leads to unauthenticated Local File Inclusion.
- Grafana is a multi-platform open-source analytics and interactive visualization web application.
- This vulnerability affects Grafana versions v8.0.0-beta1 through v8.3.0; Grafana Cloud is unaffected.
- Threat actors can leverage this flaw by crafting an HTTP request to read sensitive files from servers, thus leading to sensitive information disclosure.
[Figure: Threat actor discussing CVE-2021-43798 on a cybercrime forum]
Analysis
- Grafana is an open-source solution for collecting metrics and data about applications and building dashboards from them. These dashboards give insight into user behaviour, application behaviour, the frequency and type of errors occurring in production or pre-production environments, and the surrounding context by presenting related data, among other things.
- Grafana has become a popular solution to analyze and generate data. According to Censys, Grafana is currently running on 114,575 instances.
[Figure: Search results from Censys]
- To exploit this vulnerability, an attacker simply needs to send a GET request to the targeted instance. For example:
POC: `{host}/public/plugins/{pluginID}/../../../../../../../../etc/passwd`
In the above example, the “pluginID” can be a default plugin that comes pre-installed with Grafana, such as:
- alertlist
- annolist
- barchart
- bargauge
- candlestick
- cloudwatch
- dashlist
- elasticsearch
[Figure: Screenshot of the information extracted by the use of a GET request]
Information from OSINT
Ever since this vulnerability was made public, there has been continuous scanning for vulnerable targets. Because of the ease of exploitation, threat actors have begun exploiting this vulnerability at scale in the wild. Multiple POC scripts for it are also available on open-source platforms such as GitHub.
[Figure: POC script available for free on GitHub]
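Given the scanning activity described above, the first question for a defender is whether their own web-server logs show these requests. The following is an added example, not code from the original post or from Grafana: it runs a simple check over a few constructed access-log lines in common log format (constructed here, not real traffic), percent-decodes the request target so that encoded forms in the log are also caught, and flags any request under `/public/plugins/` whose decoded path contains a parent-directory segment. The log format, the `Finding` type and the sample source addresses are assumptions made for the example.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// sampleLog holds constructed access-log lines in common log format (not real traffic).
var sampleLog = []string{
	`203.0.113.5 - - [08/Dec/2021:10:01:02 +0000] "GET /public/plugins/alertlist/../../../../../../../../etc/passwd HTTP/1.1" 200 1431`,
	`203.0.113.5 - - [08/Dec/2021:10:01:03 +0000] "GET /public/plugins/dashlist/..%2f..%2f..%2f..%2f..%2f..%2fetc/passwd HTTP/1.1" 200 1431`,
	`198.51.100.7 - - [08/Dec/2021:10:02:10 +0000] "GET /public/plugins/barchart/module.js HTTP/1.1" 200 8876`,
	`198.51.100.7 - - [08/Dec/2021:10:02:11 +0000] "GET /api/health HTTP/1.1" 200 52`,
	`garbage line without a request`,
}

// requestRe captures the request target from the quoted request line.
var requestRe = regexp.MustCompile(`"(?:GET|HEAD|POST) (\S+) HTTP/`)

// Finding records one flagged request.
type Finding struct {
	SourceIP string
	Target   string // decoded request path
}

// decodePath percent-decodes the target (twice, to unwrap double encoding)
// and drops any query string or fragment so only the path is inspected.
func decodePath(raw string) string {
	p := raw
	for i := 0; i < 2; i++ {
		dec, err := url.PathUnescape(p)
		if err != nil || dec == p {
			break
		}
		p = dec
	}
	if i := strings.IndexAny(p, "?#"); i >= 0 {
		p = p[:i]
	}
	return p
}

// isPluginTraversal reports whether a decoded path targets the plugin asset
// route and contains a parent-directory ("..") segment.
func isPluginTraversal(path string) bool {
	if !strings.HasPrefix(path, "/public/plugins/") {
		return false
	}
	for _, seg := range strings.Split(path, "/") {
		if seg == ".." {
			return true
		}
	}
	return false
}

// findTraversalAttempts scans log lines and returns the flagged requests.
func findTraversalAttempts(lines []string) []Finding {
	var out []Finding
	for _, line := range lines {
		m := requestRe.FindStringSubmatch(line)
		if m == nil {
			continue // not a request line; skip it
		}
		path := decodePath(m[1])
		if isPluginTraversal(path) {
			fields := strings.Fields(line)
			out = append(out, Finding{SourceIP: fields[0], Target: path})
		}
	}
	return out
}

func main() {
	for _, f := range findTraversalAttempts(sampleLog) {
		fmt.Printf("ALERT possible CVE-2021-43798 probe from %s: %s\n", f.SourceIP, f.Target)
	}
}
```

The check is deliberately narrow (plugin route plus a `..` segment) so it stays cheap to run over large logs; a proxy or WAF in front of Grafana may normalise the path before logging, in which case the traversal segments will not appear in its logs and the check has to run on Grafana's own request log instead.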
Vulnerability Analysis
The vulnerability arises from an interesting scenario in which the developer either misunderstood or did not thoroughly read the documentation of the functions used in pkg/api/plugins.go.
[Figure: The functions being used by the developer]
In this scenario, the developer made the error by misinterpreting the behaviour of filepath.Clean, a function from the Go standard library.
[Figure: Screenshot of the documentation of the Go Clean function]
As the documentation states, Clean does not strip ".." elements at the beginning of a non-rooted path; i.e. if the path does not start with "/", any leading "../" sequences are left in place. As highlighted in the screenshot above, the developer also left a comment telling the gosec static analyser (a Go security checker) to ignore the warning it raised on this code. This mistake led to a path traversal vulnerability.
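To make the behaviour of filepath.Clean concrete, the following added example (not Grafana's code and not from the original post) contrasts the flawed clean-then-join pattern with a join that checks that the resolved path still lies inside the plugin directory. The base directory `/srv/plugins/alertlist`, the request strings, and the names `cleanOnly`, `safeJoin` and `ErrTraversal` are assumptions made for the example; the point it demonstrates is the documented Clean behaviour and the general boundary check, not Grafana's exact fix.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrTraversal is returned when a requested file would resolve outside the plugin directory.
var ErrTraversal = errors.New("requested path escapes the plugin directory")

// cleanOnly reproduces the flawed pattern: the request path is passed through
// filepath.Clean and then joined onto the plugin directory. Because Clean keeps
// leading ".." elements of a relative path, Join can still climb out of pluginDir.
// (Illustrative reconstruction of the pattern, not Grafana's own code.)
func cleanOnly(pluginDir, requested string) string {
	return filepath.Join(pluginDir, filepath.Clean(requested))
}

// safeJoin resolves the request against pluginDir and rejects any result that
// does not stay inside it. The prefix check is what enforces the boundary;
// Clean on its own never can for a relative input.
func safeJoin(pluginDir, requested string) (string, error) {
	base := filepath.Clean(pluginDir)
	full := filepath.Join(base, requested) // Join cleans the combined path
	if full != base && !strings.HasPrefix(full, base+string(filepath.Separator)) {
		return "", ErrTraversal
	}
	return full, nil
}

func main() {
	// Constructed plugin directory; the real location depends on the deployment.
	base := "/srv/plugins/alertlist"
	traversal := "../../../../../../../../etc/passwd"

	fmt.Println("Clean on a relative path keeps leading ..:", filepath.Clean(traversal))
	fmt.Println("Clean on a rooted path drops them:       ", filepath.Clean("/"+traversal))
	fmt.Println("flawed clean-then-join resolves to:      ", cleanOnly(base, traversal))

	for _, req := range []string{"module.js", "img/../module.js", traversal} {
		p, err := safeJoin(base, req)
		fmt.Printf("safeJoin(%q) -> %q, err=%v\n", req, p, err)
	}
}
```

The prefix comparison works on lexical paths only; if the plugin directory can contain symbolic links, resolve both sides with filepath.EvalSymlinks before comparing, otherwise a link inside the directory can still point outside it.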
Impact & Mitigation
Impact
- An LFI (Local File Inclusion) vulnerability can lead to sensitive information disclosure.
- A threat actor can potentially read users' SSH keys and obtain a secure shell on the server, which can lead to complete server takeover and ransomware attacks.
- Since it is an unauthenticated vulnerability with many publicly available exploitation scripts, it can be easily exploited even by actors with limited know-how and resources.
Mitigation
- Update your Grafana software to the latest patched versions:
References
- TomNomNom: Technical Analysis of the Vulnerability
- Grafana Security Advisory