Customer Advisory for Awareness | Grafana Issues a Security Patch After an Exploit for CVE-2021-43798 is Made Public

December 08, 2021

Prepared by Deepwatch Threat Intel Team

Key Points:

  • After security researchers released proof-of-concept code over the weekend, Grafana Labs issued an emergency security update today to patch a critical vulnerability in self-hosted deployments of its flagship product, the Grafana dashboard, affecting versions v8.0.0-beta1 through v8.3.0.
  • The flaw, tracked as CVE-2021-43798, is a directory traversal vulnerability that allows an unauthenticated threat actor to read files outside the Grafana application’s folder, such as password and configuration files.
  • Deepwatch’s Threat Intel Team recommends that organizations running the self-hosted Grafana dashboard update to the latest version as soon as possible. At the time of this writing, Qualys (QIDs 150439 and 730294) and Rapid7 can scan for this vulnerability. Unfortunately, no Tenable plugin is available.

Summary:

After security researchers released proof-of-concept code to exploit the issue over the weekend, Grafana Labs issued an emergency security update today to patch a critical vulnerability. The vulnerability affects all self-hosted versions from v8.0.0-beta1 through v8.3.0.

Grafana released versions 8.3.1, 8.2.7, 8.1.8, and 8.0.7 to patch the issue. Grafana Labs’ security advisory also states that “at no time has Grafana Cloud been vulnerable,” so only self-hosted deployments need to act.

The flaw, tracked as CVE-2021-43798, affects the company’s main product, the Grafana dashboard, which is used to “query, visualize, alert on and understand your metrics no matter where they are stored.” It is a directory traversal (path traversal) vulnerability that lets an unauthenticated attacker read files outside the Grafana application’s folder. Grafana’s advisory identifies the vulnerable route as /public/plugins/<plugin-id>/, where <plugin-id> is the ID of any installed plugin; because every installation ships with a set of bundled plugins whose IDs are public, no guessing is required. A request whose file component climbs out of the plugin directory with ../ segments is answered from the underlying server’s file system, exposing anything the Grafana process can read, such as /etc/passwd, Grafana’s own configuration file, and its SQLite database.
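To make the mechanism concrete, the following Python model shows the vulnerable resolve-and-serve pattern beside a hardened one. It is an added illustration written for this advisory, not Grafana’s source code: the route /public/plugins/<plugin-id>/ comes from Grafana’s advisory, while the plugin root /var/lib/grafana/plugins, the set of plugin IDs and the file names are assumed values. Browsers and curl collapse ../ segments before sending a request, so reproducing the traversal against a real server needs a client that sends the path verbatim (curl’s --path-as-is flag does this); the public proof-of-concept depended on that.

```python
"""Model of the CVE-2021-43798 bug class: a plugin-asset handler that joins an
attacker-controlled file path onto the plugin directory and serves whatever the
join produces.  Illustration written for this advisory, not Grafana's source.
The route name is from Grafana's advisory; the plugin root and IDs are assumed."""
import os
from urllib.parse import unquote

PLUGIN_ROUTE = "/public/plugins/"


def split_request(url_path: str):
    """Return (plugin_id, requested_file) from a /public/plugins/<id>/<file> URL.

    The target is percent-decoded once, as a web server does before routing.
    Dot segments are deliberately left alone: browsers and curl collapse them
    client-side, but a raw socket (or `curl --path-as-is`) sends them through,
    which is how the public proof-of-concept reached the handler."""
    path = unquote(url_path.split("?", 1)[0])
    if not path.startswith(PLUGIN_ROUTE):
        raise ValueError(f"not a plugin asset request: {url_path}")
    plugin_id, _, requested = path[len(PLUGIN_ROUTE):].partition("/")
    return plugin_id, requested


def resolve_unsafe(plugin_root: str, url_path: str) -> str:
    """Vulnerable pattern: join, normalise, serve.

    os.path.normpath (like Go's filepath.Clean) collapses '..' lexically, so it
    does not stop the result from climbing above plugin_root; it only tidies
    the path the attacker asked for."""
    plugin_id, requested = split_request(url_path)
    return os.path.normpath(os.path.join(plugin_root, plugin_id, requested))


def resolve_safe(plugin_root: str, url_path: str, installed_plugins) -> str:
    """Hardened pattern: the plugin ID must name an installed plugin, and the
    fully resolved target must still sit inside that plugin's directory."""
    plugin_id, requested = split_request(url_path)
    if plugin_id not in installed_plugins:
        raise PermissionError(f"unknown plugin id: {plugin_id!r}")
    plugin_dir = os.path.realpath(os.path.join(plugin_root, plugin_id))
    # realpath resolves symlinks as well as '..', so a link inside the plugin
    # directory that points elsewhere is caught too.
    target = os.path.realpath(os.path.join(plugin_dir, requested))
    # commonpath is a proper containment test; a plain startswith() would accept
    # a sibling such as ".../alertlist-evil" when plugin_dir is ".../alertlist".
    if os.path.commonpath([plugin_dir, target]) != plugin_dir:
        raise PermissionError(f"request escapes plugin directory: {url_path}")
    return target


if __name__ == "__main__":
    root = "/var/lib/grafana/plugins"            # assumed install location
    installed = {"alertlist", "grafana", "prometheus"}  # assumed plugin set
    legit = "/public/plugins/alertlist/module.js"
    evil = "/public/plugins/alertlist/" + "../" * 8 + "etc/passwd"
    print("unsafe:", resolve_unsafe(root, evil))          # climbs to /etc/passwd
    print("safe:  ", resolve_safe(root, legit, installed))
    try:
        resolve_safe(root, evil, installed)
    except PermissionError as exc:
        print("safe:   rejected ->", exc)
```

The unsafe resolver hands back /etc/passwd for the traversal request because normalisation only tidies the path the attacker supplied; the safe resolver rejects it because the resolved target no longer lies under the plugin directory, and it refuses an unknown or dot-dot plugin ID before touching the file system. Those two checks, a known plugin ID and containment of the resolved path, are the ones any static-asset handler should make.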

The Record reported that proof-of-concept code was shared on Twitter and GitHub. In a statement to the Record, Grafana said that it “was aware of the issue since last week, when it initially received a bug report, but was eventually forced into releasing an emergency patch earlier today after proof-of-concept code to exploit the bug was published online.”

The Record also reported that several security researchers claimed the flaw was being actively exploited. It is unknown whether bug bounty hunters or threat actors were behind that activity, and the Record could not confirm the claims with independent third parties.

According to Shodan data, there are just over 2,000 Grafana servers exposed online, with the majority residing in the US and Europe, as can be seen in the figure below.

Deepwatch Threat Intelligence Outlook:

The Deepwatch Threat Intel Team estimates with moderate confidence that, with proof-of-concept code available and thousands of Grafana servers exposed online, directory traversal attempts are likely to increase in the near term, with the intent to gather passwords, configuration and other sensitive files, or to enable further exploitation. Organizations that deploy the self-hosted Grafana dashboard should therefore update to the latest version as soon as possible, and should review web server and reverse proxy logs for requests under /public/plugins/ that contain ../ segments; a successful request of that kind means any file readable by the Grafana process should be treated as disclosed and the credentials it holds rotated. At the time of this writing, Qualys (QIDs 150439 and 730294) and Rapid7 can scan for this vulnerability. Unfortunately, no Tenable plugin is available.
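As added detection and triage helpers for the outlook above (written for this advisory; not Deepwatch, Qualys, Rapid7 or Grafana tooling), the Python below checks whether a reported Grafana version falls in the affected range and scans reverse-proxy access logs for traversal attempts against the plugin route. It assumes combined-format access logs from a proxy in front of Grafana; the log lines, IP addresses and timestamps are constructed for the demonstration, and the version check encodes the affected and fixed versions exactly as the advisory lists them.

```python
"""Detection helpers for CVE-2021-43798, written for this advisory; not
Deepwatch or Grafana tooling.  Assumes Grafana sits behind a reverse proxy that
writes combined-format access logs.  Log lines and IPs below are constructed."""
import re
from urllib.parse import unquote

# First patched release on each affected 8.x branch, as listed in the advisory:
# 8.0.7, 8.1.8, 8.2.7, 8.3.1.  Affected range is 8.0.0-beta1 through 8.3.0.
FIXED_PATCH = {0: 7, 1: 8, 2: 7, 3: 1}

PLUGIN_ROUTE = "/public/plugins/"

# Combined-format access log: client ident user [time] "METHOD target PROTO" status bytes ...
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\S+)'
)


def is_affected(version: str) -> bool:
    """True for 8.0.0-beta1 .. 8.3.0 minus the patched releases.  Accepts a
    leading 'v' and a pre-release suffix such as '8.0.0-beta1'.  7.x and 8.4+
    are outside the range the advisory gives, so they report False."""
    core = version.lstrip("v").split("-", 1)[0]
    major, minor, patch = (int(x) for x in core.split(".")[:3])
    if major != 8 or minor not in FIXED_PATCH:
        return False
    return patch < FIXED_PATCH[minor]


def decode_target(target: str) -> str:
    """Path portion of the request target, percent-decoded twice so that both
    %2e%2e%2f and double-encoded %252e%252e%252f read as '../'."""
    return unquote(unquote(target.split("?", 1)[0]))


def is_traversal_attempt(target: str) -> bool:
    """Flag a plugin-asset request whose decoded path contains a '..' segment.
    No legitimate plugin file is addressed with '..', so this is high-signal."""
    decoded = decode_target(target)
    if not decoded.lower().startswith(PLUGIN_ROUTE):
        return False
    return any(seg == ".." for seg in decoded.split("/"))


def scan_access_log(lines):
    """Return one dict per traversal attempt.  'served' is True when the proxy
    logged a 200, meaning the file was most likely returned and its contents
    should be treated as disclosed."""
    hits = []
    for line in lines:
        m = ACCESS_RE.match(line)
        if not m or not is_traversal_attempt(m["target"]):
            continue
        hits.append({
            "ip": m["ip"],
            "time": m["ts"],
            "path": decode_target(m["target"]),
            "status": int(m["status"]),
            "served": m["status"] == "200",
        })
    return hits


# Constructed sample: two scanning sources, one legitimate asset load, one health check.
SAMPLE_LOG = """\
203.0.113.7 - - [08/Dec/2021:10:15:01 +0000] "GET /public/plugins/alertlist/../../../../../../../../etc/passwd HTTP/1.1" 200 1804 "-" "curl/7.79.1"
198.51.100.23 - - [08/Dec/2021:10:15:03 +0000] "GET /public/plugins/grafana/%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fgrafana%2fgrafana.ini HTTP/1.1" 200 37500 "-" "python-requests/2.26.0"
192.0.2.44 - - [08/Dec/2021:10:15:05 +0000] "GET /public/plugins/alertlist/module.js HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
198.51.100.23 - - [08/Dec/2021:10:16:40 +0000] "GET /public/plugins/prometheus/..%252f..%252f..%252f..%252fvar%252flib%252fgrafana%252fgrafana.db HTTP/1.1" 404 0 "-" "python-requests/2.26.0"
192.0.2.44 - - [08/Dec/2021:10:17:00 +0000] "GET /api/health HTTP/1.1" 200 62 "-" "kube-probe/1.21"
""".splitlines()


if __name__ == "__main__":
    for v in ("8.3.0", "v8.0.0-beta1", "8.2.7", "8.3.1"):
        print(f"{v:12} affected={is_affected(v)}")
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit)
```

Double decoding is deliberate: attackers send ../ literally, as %2e%2e%2f, or double-encoded as %252e%252e%252f depending on what the proxy in front normalises, and checking for a bare .. segment after two passes catches all three forms. A hit with a 200 status means the file was most likely served, which is the trigger for rotating the credentials it contained; a non-200 status is a refused attempt that still identifies a scanning source worth blocking.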
