Short Summary of CVE-2021-43798:
On December 2, Grafana released an emergency security patch for critical vulnerability CVE-2021-43798, after proof-of-concept code to exploit the issue was published online over the weekend. Grafana was first made aware of the zero-day by a Detectify Crowdsource security researcher who found and reported it to Grafana. This summary expands on the bug finding, the potential impact had an attacker exploited it, mitigations, and how Detectify tools can be used to stay ahead in such instances. See the detailed write-up from the Crowdsource hacker on Detectify Labs.
The vulnerability, dubbed CVE-2021-43798, impacted the Grafana dashboard, which is used by companies around the world to monitor and aggregate logs and other parameters from across their local or remote networks.
The privately reported bug became a leaked zero-day but was first spotted by Detectify Crowdsource hacker Jordy Versmissen on December 2, after which Grafana was notified by Detectify about the bug.
The issue was patched with the release of Grafana 8.3.1, 8.2.7, 8.1.8, and 8.0.7. There are reportedly thousands of Grafana servers exposed on the public internet. However, in its patch notes, Grafana Labs said that its cloud-hosted Grafana dashboards were not impacted by the CVE-2021-43798 vulnerability. It said, “given the AWS outage yesterday, we wanted to re-amplify the message that all users should upgrade their Grafana 8.x instances as soon as possible.”
Attackers could get unauthorized access to source files
Also known as “dot-dot-slash”, “directory traversal”, “directory climbing” and “backtracking”, a path traversal attack can allow an attacker to read files outside the Grafana application’s folder, namely any file on the server that the current user has permission to read. Bad actors can trick either the web server or the web application running on it into accessing files that exist outside of the web root folder.
Tom Hudson, Security Research Tech Lead at Detectify says, “These files could contain credentials that could be used to gain access to customer data. Path traversal can also be used to reveal a company’s source code, which could lead an attacker to discover even more sensitive information or other vulnerabilities.”
Mitigation
Detectify customers using the Surface Monitoring and Application Scanning products are equipped with tools and resources that flag bugs such as path traversal and other vulnerabilities. After the bug was detected, Detectify released a module specifically for CVE-2021-43798, so that users are alerted to it and to similar bugs and potential risks ahead of time. To stay on top of your external attack surface, sign up to our 2-week free trial.
Another effective way to prevent file path traversal vulnerabilities is to avoid passing user-supplied input to filesystem APIs altogether. Furthermore, users must update their web server and operating system to the latest versions available. If updating a vulnerable instance is not possible in a timely manner, it is recommended to make the server inaccessible from the public web.
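Where user input cannot be kept away from filesystem APIs entirely, the resolved path has to be checked against the intended base directory. The following Go sketch is an added example, not Grafana's or Detectify's code; the function names and the sample base directory are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrTraversal is returned when a requested path resolves outside the base directory.
var ErrTraversal = errors.New("path escapes base directory")

// naiveResolve joins user input onto base. filepath.Join cleans the result,
// so "../" segments are resolved and the path can climb out of base.
func naiveResolve(base, requested string) string {
	return filepath.Join(base, requested)
}

// safeResolve returns the full path only if it stays inside base.
// The check is lexical: symlinks inside base are not followed or validated.
func safeResolve(base, requested string) (string, error) {
	absBase, err := filepath.Abs(base)
	if err != nil {
		return "", err
	}
	full := filepath.Join(absBase, requested)
	rel, err := filepath.Rel(absBase, full)
	if err != nil {
		return "", err
	}
	// A relative path that is ".." or starts with "../" points above base.
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrTraversal
	}
	return full, nil
}

func main() {
	base := "/var/lib/app/public" // constructed sample directory
	for _, p := range []string{"img/logo.svg", "../../../../etc/passwd", "img/../../secret.ini"} {
		_, err := safeResolve(base, p)
		fmt.Printf("%-26q naive=%-34s safe_err=%v\n", p, naiveResolve(base, p), err)
	}
}
```
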
Power of ethical hackers
“This event shows the power of having a crowdsource element in your security setup. The best way to protect what you expose online is to liaise with ethical hackers who always have their ears to the ground and can alert you when they find security issues, before they risk being exploited by attackers” says Hudson.
Read more to get insights about how the bug was found and how it can be mitigated in other third party applications in a Detectify Labs technical report.
For more information, please contact:
Fredrika Isaksson, PR Manager
fredrika.isaksson@detectify.com
+46 (0) 76 – 774 96 66 or press@detectify.com
Erica Anderson
Offleash for Detectify
detectify@offleashpr.com
About Detectify
Detectify continuously scans your web-facing attack surface for CVE-2021-43798 and other widely exploited vulnerabilities and alerts you about them so you can stay on top of threats in the cloud. We believe that world-class cybersecurity knowledge should be accessible to everyone. Powered by a community of handpicked ethical hackers, Detectify automates real attack methods and brings them into the hands of security teams and web app owners.
Start continuously monitoring your external attack surface with fewer clicks with Detectify. Go hack yourself.