Grafana CVE-2021-43798 Vulnerability Actively Exploited in the Wild

Summary

Grafana recently released an advisory and patch for a critical path traversal vulnerability which leads to an unauthenticated Local File inclusion. This vulnerability affects Grafana versions v8.0.0-beta1 through v8.3.0, however, the Grafana Cloud remains unaffected.
Category: Vulnerability Intelligence
Vulnerability Class: Local File Inclusion (Unauthenticated)
CVE ID: CVE-2021-43798
CVSS:3.0 Score: 7.5
TLP: GREEN
Reference: * https://en.wikipedia.org/wiki/Intelligence_source_and_information_reliability # https://en.wikipedia.org/wiki/Traffic_Light_Protocol

Executive Summary

  • Grafana recently released an advisory and patch for a critical path traversal vulnerability which leads to an unauthenticated Local File inclusion.
  • Grafana is a multi-platform open-source analytics and interactive visualization web application.
  • This vulnerability affects Grafana versions v8.0.0-beta1 through v8.3.0, however, the Grafana Cloud remains unaffected.
  • Threat actors can leverage this flaw by crafting an HTTP request to read sensitive files from servers, thus leading to sensitive information disclosure.
Threat actor discussing CVE-2021-43798 on a cybercrime forum

Analysis

  • Grafana is an open-source solution for collecting metrics and data about applications and building dashboards from them. These dashboards give insight into user behaviour, application behaviour, how often errors occur in production or pre-production environments, what kinds of errors occur, and the surrounding context, by presenting the relevant data side by side.
  • Grafana has become a popular solution to analyze and generate data. According to Censys, Grafana is currently running on 114,575 instances.
    Search results from Censys
  • To exploit this vulnerability, an attacker simply needs to send a GET request to the targeted instance. For example, the POC request path is:
    {host}/public/plugins/{pluginID}/../../../../../../../../etc/passwd
In the above example, the “pluginID” can be a default plugin that comes pre-installed with Grafana, such as:
  • alertlist
  • annolist
  • barchart
  • bargauge
  • candlestick
  • cloudwatch
  • dashlist
  • elasticsearch
Screenshot of the information extracted by the use of GET request

Information from OSINT

Ever since this vulnerability was made public, there has been continuous scanning for vulnerable targets. Because of the ease of exploitation, threat actors have begun exploiting this vulnerability in the wild on a large scale. Multiple POC scripts for this vulnerability are also available on open-source platforms such as GitHub.
POC script available for free on Github
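Because the scanning described above leaves a recognisable trace in web-server access logs (a request under /public/plugins/ whose path climbs out of the plugin directory), a defender can hunt for it retrospectively. The following Go program is an added example, not part of the original advisory or of Grafana; it runs a simple detector over a few constructed Common Log Format lines (the client addresses, timestamps and sizes are made up). It decodes each request path once, so that percent-encoded variants such as %2e%2e or ..%2f are caught alongside the plain form, then reports any request that contains a ".." segment below a plugin ID.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// sampleLog holds constructed access-log lines for this example; none of the
// addresses or timestamps come from a real server.
const sampleLog = `10.0.0.5 - - [08/Dec/2021:10:01:02 +0000] "GET /public/plugins/alertlist/module.js HTTP/1.1" 200 5123
10.0.0.9 - - [08/Dec/2021:10:01:07 +0000] "GET /public/plugins/alertlist/../../../../../../../../etc/passwd HTTP/1.1" 200 1890
10.0.0.9 - - [08/Dec/2021:10:01:09 +0000] "GET /public/plugins/barchart/..%2f..%2f..%2f..%2fetc%2fpasswd HTTP/1.1" 200 1890
10.0.0.7 - - [08/Dec/2021:10:02:11 +0000] "GET /api/health HTTP/1.1" 200 52
10.0.0.9 - - [08/Dec/2021:10:02:20 +0000] "GET /public/plugins/dashlist/%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 200 1890`

// requestLine extracts the request target from the quoted request field.
var requestLine = regexp.MustCompile(`"(?:GET|HEAD|POST) (\S+) HTTP/`)

// Finding is one suspicious request: who sent it, what they asked for and
// which plugin ID was used as the traversal starting point.
type Finding struct {
	Client   string
	RawPath  string
	PluginID string
}

// hasTraversal reports whether a request path targets the plugin asset route
// and contains a ".." segment after the plugin ID. The path is percent-decoded
// once before the check so encoded dots and slashes are normalised.
func hasTraversal(rawPath string) (pluginID string, traversal bool) {
	p := rawPath
	if i := strings.IndexByte(p, '?'); i >= 0 {
		p = p[:i] // ignore any query string
	}
	decoded, err := url.PathUnescape(p)
	if err != nil {
		decoded = p // malformed escapes: fall back to the raw path
	}
	const prefix = "/public/plugins/"
	if !strings.HasPrefix(decoded, prefix) {
		return "", false
	}
	segs := strings.Split(strings.TrimPrefix(decoded, prefix), "/")
	if segs[0] == "" {
		return "", false
	}
	for _, s := range segs[1:] {
		if s == ".." {
			return segs[0], true
		}
	}
	return segs[0], false
}

// ScanLog runs the detector over every line of an access log and returns the
// requests that look like plugin-directory traversal attempts.
func ScanLog(log string) []Finding {
	var out []Finding
	for _, line := range strings.Split(log, "\n") {
		m := requestLine.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		client := strings.Fields(line)[0]
		if id, bad := hasTraversal(m[1]); bad {
			out = append(out, Finding{Client: client, RawPath: m[1], PluginID: id})
		}
	}
	return out
}

func main() {
	for _, f := range ScanLog(sampleLog) {
		fmt.Printf("suspicious request from %s via plugin %q: %s\n", f.Client, f.PluginID, f.RawPath)
	}
}
```

The detector deliberately decodes only once; a log that records already-decoded paths needs no decoding at all, while a proxy that forwards double-encoded requests would need a second pass before the segment check. Matching on the ".." segment rather than on the literal string "etc/passwd" keeps the rule independent of which file a scanner happens to request.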

Vulnerability Analysis

The vulnerability arises from an interesting scenario in which the developer either misunderstood or did not thoroughly read the documentation of the functions used in pkg/api/plugins.go.
The functions being used by the developer
In this scenario, the developer made this error by misinterpreting the functionality of a built-in Golang function called Clean.
Screenshot of the documentation of the Golang Clean function
As the documentation says, Clean does not strip ".." elements at the beginning of a non-rooted path; i.e. if the path doesn't start with "/", any leading "../" sequences are kept. As highlighted in the above screenshots, the developer's comment tells Gosec, a Golang security checker, to ignore the alert it raised on this line. This mistake led to a path traversal vulnerability.
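The Clean behaviour described above is easy to see in a few lines of Go. The program below is an added example written for this write-up, not Grafana's code or its patch: cleanOnly reproduces the pattern the article describes (Clean applied to the user-controlled relative path on its own), and safeJoin is a hardened form of this example's own design that joins the untrusted path onto the trusted plugin directory first and then checks, with filepath.Rel, that the result did not climb above it. The plugin directory /var/lib/grafana/plugins and the request paths are assumptions chosen for the demonstration.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrTraversal is returned when the requested file would resolve outside
// the plugin directory.
var ErrTraversal = errors.New("requested path escapes the plugin directory")

// cleanOnly reproduces the pattern the article describes: filepath.Clean
// applied to the user-controlled relative path on its own. Clean removes
// leading ".." elements only from a rooted path ("/.." becomes "/"); for a
// non-rooted path every leading ".." survives, so the later Join onto the
// plugin directory happily walks out of it.
func cleanOnly(requested string) string {
	return filepath.Clean(requested)
}

// safeJoin is the hardened form used in this example (an assumption of the
// example, not Grafana's own patch). It joins the untrusted path onto the
// trusted base directory, cleans the result, and refuses anything that does
// not remain inside the base.
func safeJoin(base, requested string) (string, error) {
	cleanBase := filepath.Clean(base)
	full := filepath.Join(cleanBase, requested) // Join cleans the joined path
	rel, err := filepath.Rel(cleanBase, full)
	if err != nil {
		return "", ErrTraversal
	}
	// A relative path of ".." or "../x" means the target sits above the base.
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrTraversal
	}
	return full, nil
}

func main() {
	const pluginDir = "/var/lib/grafana/plugins" // assumed layout for this example
	requests := []string{
		"alertlist/module.js",                            // legitimate asset
		"alertlist/../../../../../../../../etc/passwd",   // the POC shape from the article
		"/../../etc/passwd",                              // rooted: Clean does strip these
	}
	for _, r := range requests {
		fmt.Printf("Clean(%q) = %q\n", r, cleanOnly(r))
		if p, err := safeJoin(pluginDir, r); err != nil {
			fmt.Printf("  safeJoin rejected: %v\n", err)
		} else {
			fmt.Printf("  safeJoin -> %s\n", p)
		}
	}
}
```

The order of operations is the whole point: cleaning a relative path and then joining it leaves the ".." elements in place, whereas joining and then verifying the relationship to the base directory turns the same input into a rejected request.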

Impact & Mitigation

Impact

  • An LFI (Local File Inclusion) vulnerability can lead to sensitive information disclosure.
  • A threat actor can potentially read SSH keys from users and get a secure shell on the server, which can lead to complete server takeover and ransomware attacks.
  • Since it is an unauthenticated vulnerability, with a lot of publicly available exploitation scripts, it can be easily exploited even by actors with limited know-how and resources.

Mitigation

  • Update your Grafana software to the latest patched versions:
    • 8.3.1
    • 8.2.7
    • 8.1.8
    • 8.0.7

References

  1. TomNomNom: Technical Analysis of the Vulnerability
  2. Grafana Security Advisory
