Grafana CVE-2021-43798 Vulnerability Actively Exploited in the Wild

Category	Vulnerability Intelligence
Vulnerability Class	Local File Inclusion(Unauthenticated)
CVE ID	CVE-2021-43798
CVSS:3.0 Score	7.5
TLP	GREEN
Reference	*https://en.wikipedia.org/wiki/Intelligence_source_and_information_reliability #https://en.wikipedia.org/wiki/Traffic_Light_Protocol

Executive Summary

Grafana recently released an advisory and patch for a critical path traversal vulnerability which leads to an unauthenticated Local File inclusion.
Grafana is a multi-platform open-source analytics and interactive visualization web application.
This vulnerability affects Grafana versions v8.0.0-beta1 through v8.3.0, however, the Grafana Cloud remains unaffected.
Threat actors can leverage this flaw by crafting an HTTP request to read sensitive files from servers, thus leading to sensitive information disclosure.

Threat actor discussing CVE-2021-43798 on a cybercrime forum

Analysis

Grafana is an open-source solution for generating metrics and data about applications and then creating dashboards that provide insight into user behavior, application behavior, the frequency of errors occurring in production or a pre-production environment, the type of errors occurring, and the contextual scenarios by providing relative data, among other things.
Grafana has become a popular solution to analyze and generate data. According to Censys, Grafana is currently running on 114,575 instances.
Search results from Censys

To exploit this vulnerability, an attacker simply needs to send a GET request to the targeted instance. For example: POC - {host}/public/plugins/{pluginID}/../../../../../../../../etc/passwd

In the above example, the “pluginID” can be a default plugin that comes pre-installed with Grafana, such as:

alertlist
annolist
barchart
bargauge
candlestick
cloudwatch
dashlist
Elasticsearch

Screenshot of the information extracted by the use of GET request

Information from OSINT

Ever since this vulnerability was made public, there has been continuous scanning for vulnerable targets. Because of the ease of exploitation, threat actors have begun exploiting this vulnerability on a large scale, in the wild. Multiple POC scripts are also available for this vulnerability, on various open-source platforms such as GitHub.

Vulnerability Analysis

The vulnerability arises as a result of an interesting scenario in which the developer either misunderstood or did not thoroughly read the documentation of the functions being used, which is available at: pkg/api/plugins.go

The functions being used by the developer

In this scenario, the developer made this error by misinterpreting the functionality of a built-in Golang function called Clean.

Screenshot of the documentation of the Golang Clean function

As the documentation mentions, it doesn't strip ".." elements at the beginning of a non-rooted path; i.e. if the path doesn't start with "/", any leading "../" sequences won't be removed. As highlighted in the above screenshots, the developer mentions in the comment to ignore the alert flagged by Gosec tool which is a Golang Security Checker. This mistake led to a path traversal vulnerability.

Impact & Mitigation

Impact

Mitigation

An LFI (Local File Inclusion) vulnerability can lead to sensitive information disclosure.
A threat actor can potentially read SSH keys from users and get a secure shell on the server, which can lead to complete server takeover and ransomware attacks.
Since it is an unauthenticated vulnerability, with a lot of publicly available exploitation scripts, it can be easily exploited even by actors with limited know-how and resources.

Update your Grafana software to the latest patched versions:
- 8.3.1
- 8.2.7
- 8.1.8
- 8.0.7