ghsa-69j6-29vr-p3j9
Vulnerability from github
Published
2021-10-05 20:24
Modified
2021-11-18 15:13
Severity ?
7.3 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Summary
Authentication bypass for viewing and deletions of snapshots
Details

Today we are releasing Grafana 7.5.11, and 8.1.6. These patch releases include an important security fix for an issue that affects all Grafana versions from 2.0.1.

Grafana Cloud instances have already been patched and an audit did not find any usage of this attack vector. Grafana Enterprise customers were provided with updated binaries under embargo.

8.1.5 contained a single fix for bar chart panels. We believe that users can expedite deployment by moving from 8.1.4 to 8.1.6 directly.

CVE-2021-39226 Snapshot authentication bypass

Summary

CVSS Score: 9.8 Critical CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

We received a security report to security@grafana.com on 2021-09-15 about a vulnerability in Grafana regarding the snapshot feature. It was later identified as affecting Grafana versions from 2.0.1 to 8.1.6. CVE-2021-39226 has been assigned to this vulnerability.

Impact

Unauthenticated and authenticated users are able to view the snapshot with the lowest database key by accessing the literal paths:

  • /dashboard/snapshot/:key, or
  • /api/snapshots/:key

If the snapshot "public_mode" configuration setting is set to true (vs default of false), unauthenticated users are able to delete the snapshot with the lowest database key by accessing the literal path:

  • /api/snapshots-delete/:deleteKey

Regardless of the snapshot "public_mode" setting, authenticated users are able to delete the snapshot with the lowest database key by accessing the literal paths:

  • /api/snapshots/:key, or
  • /api/snapshots-delete/:deleteKey

The combination of deletion and viewing enables a complete walk through all snapshot data while resulting in complete snapshot data loss.

Attack audit

While we can not guarantee that the below will identify all attacks, if you do find something with the below, you should consider doing a full assessment.

Through reverse proxy/load balancer logs

To determine if your Grafana installation has been exploited for this vulnerability, search through your reverse proxy/load balancer access logs for instances where the path is /dashboard/snapshot/:key, /api/snapshots/:key or /api/snapshots-delete/:deleteKey, and the response status code was 200 (OK). For example, if you’re using the Kubernetes ingress-nginx controller and sending logs to Loki, use a LogQL query like {job="nginx-ingress-controller"} |= "\"status\": 200" |= "\"uri\": \"/api/snapshots/:key\"".

Through the Grafana Enterprise audit feature

If you enabled “Log web requests” in your configuration with router_logging = true, look for "requestUri":"/api/snapshots-delete/”,“requestUri":"/api/snapshots/:key", or "type":"snapshot" in combination with "action":"delete".

Patched versions

Release 8.1.6:

Release 7.5.11:

Solutions and mitigations

Download and install the appropriate patch for your version of Grafana.

Grafana Cloud instances have already been patched, and Grafana Enterprise customers were provided with updated binaries under embargo.

Workaround

If for some reason you cannot upgrade:

You can use a reverse proxy or similar to block access to the literal paths * /api/snapshots/:key * /api/snapshots-delete/:deleteKey * /dashboard/snapshot/:key * /api/snapshots/:key

They have no normal function and can be disabled without side effects.

Timeline and postmortem

Here is a detailed timeline starting from when we originally learned of the issue. All times in UTC.

  • 2021-09-15 14:49: Tuan Tran theblackturtle0901@gmail.com sends initial report about viewing snapshots without authentication
  • 2021-09-15 15:56: Initial reproduction
  • 2021-09-15 17:10: MEDIUM severity declared
  • 2021-09-15 18:58: Workaround deployed on Grafana Cloud
  • 2021-09-15 19:15: /api/snapshots/:key found to be vulnerable as well
  • 2021-09-15 19:30: /api/snapshots/:key blocked on Grafana Cloud
  • 2021-09-16 09:31: /api/snapshots-delete/:deleteKey found to be vulnerable as well, blocked on Grafana Cloud. From this point forward, Cloud is not affected any more.
  • 2021-09-16 09:35: HIGH severity declared
  • 2021-09-16 11:19: Realization that combination of deletion and viewing allows enumeration and permanent DoS
  • 2021-09-16 11:19: CRITICAL declared
  • 2021-09-17 10:53: Determination that no weekend work is needed. While issue is CRITICAL, scope is very limited
  • 2021-09-17 14:26: Audit of Grafana Cloud concluded, no evidence of exploitation
  • 2021-09-23: Grafana Cloud instances updated
  • 2021-09-28 12:00: Grafana Enterprise images released to customers under embargo
  • 2021-10-05 17:00: Public release

Reporting security issues

If you think you have found a security vulnerability, please send a report to security@grafana.com. This address can be used for all of Grafana Labs's open source and commercial products (including but not limited to Grafana, Tempo, Loki, Amixr, k6, Tanka, and Grafana Cloud, Grafana Enterprise, and grafana.com). We only accept vulnerability reports at this address. We would prefer that you encrypt your message to us using our PGP key. The key fingerprint is:

F988 7BEA 027A 049F AE8E 5CAA D125 8932 BE24 C5CA

The key is available from keys.gnupg.net by searching for [security@grafana](http://keys.gnupg.net/pks/lookup?search=security@grafana&fingerprint=on&op=index.

Security announcements

We maintain a category on the community site named Security Announcements, where we will post a summary, remediation, and mitigation details for any patch containing security fixes. You can also subscribe to email updates to this category if you have a grafana.com account and sign in to the community site, or via updates from our Security Announcements RSS feed.

Acknowledgement

We would like to thank Tran Viet Tuan for responsibly disclosing the initially discovered vulnerability to us.

Show details on source website

To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/grafana/grafana"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "7.5.11"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/grafana/grafana"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "8.0.0"
            },
            {
              "fixed": "8.1.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-39226"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-10-05T18:49:35Z",
    "nvd_published_at": "2021-10-05T18:15:00Z",
    "severity": "HIGH"
  },
  "details": "Today we are releasing Grafana 7.5.11, and 8.1.6. These patch releases include an important security fix for an issue that affects all Grafana versions from 2.0.1.\n\n[Grafana Cloud](https://grafana.com/cloud) instances have already been patched and an audit did not find any usage of this attack vector. [Grafana Enterprise](https://grafana.com/products/enterprise) customers were provided with updated binaries under embargo.\n\n8.1.5 contained a single fix for bar chart panels. We believe that users can expedite deployment by moving from 8.1.4 to 8.1.6 directly.\n\n## CVE-2021-39226 Snapshot authentication bypass\n\n### Summary\n\nCVSS Score: 9.8 Critical\nCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n\nWe received a security report to [security@grafana.com](mailto:security@grafana.com) on 2021-09-15 about a vulnerability in Grafana regarding the snapshot feature. It was later identified as affecting Grafana versions from 2.0.1 to 8.1.6. [CVE-2021-39226](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39226) has been assigned to this vulnerability.\n\n### Impact\nUnauthenticated and authenticated users are able to view the snapshot with the lowest database key by accessing the literal paths:\n\n* `/dashboard/snapshot/:key`, or\n* `/api/snapshots/:key`\n\nIf the snapshot \"public_mode\" configuration setting is set to true (vs default of false), unauthenticated users are able to delete the snapshot with the lowest database key by accessing the literal path:\n\n* `/api/snapshots-delete/:deleteKey`\n\nRegardless of the snapshot \"public_mode\" setting, authenticated users are able to delete the snapshot with the lowest database key by accessing the literal paths:\n\n* `/api/snapshots/:key`, or\n* `/api/snapshots-delete/:deleteKey`\n\nThe combination of deletion and viewing enables a complete walk through all snapshot data while resulting in complete snapshot data loss.\n\n### Attack audit\n\nWhile we can not guarantee that the below will identify all attacks, if you do find something with the below, you should consider doing a full assessment.\n\n#### Through reverse proxy/load balancer logs\n\nTo determine if your Grafana installation has been exploited for this vulnerability, search through your reverse proxy/load balancer access logs for instances where the path is `/dashboard/snapshot/:key`, `/api/snapshots/:key` or `/api/snapshots-delete/:deleteKey`, and the response status code was 200 (OK).\nFor example, if you\u2019re using the Kubernetes ingress-nginx controller and sending logs to Loki, use a LogQL query like `{job=\"nginx-ingress-controller\"} |= \"\\\"status\\\": 200\" |= \"\\\"uri\\\": \\\"/api/snapshots/:key\\\"\"`.\n\n#### Through the Grafana Enterprise audit feature\n\nIf you enabled \u201cLog web requests\u201d in your configuration with `router_logging = true`, look for\n`\"requestUri\":\"/api/snapshots-delete/\u201d`,`\u201crequestUri\":\"/api/snapshots/:key\"`, or `\"type\":\"snapshot\"` in combination with `\"action\":\"delete\"`.\n\n### Patched versions\n\nRelease 8.1.6: \n\n- [Download Grafana 8.1.6](https://grafana.com/grafana/download/8.1.6)\n- [Release notes](https://grafana.com/docs/grafana/latest/release-notes/release-notes-8-1-6/)\n\nRelease 7.5.11: \n\n- [Download Grafana 7.5.11](https://grafana.com/grafana/download/7.5.11)\n- [Release notes](https://grafana.com/docs/grafana/latest/release-notes/release-notes-7-5-11/)\n\n### Solutions and mitigations\n\nDownload and install the appropriate patch for your version of Grafana.\n\n[Grafana Cloud](https://grafana.com/cloud) instances have already been patched, and [Grafana Enterprise](https://grafana.com/products/enterprise) customers were provided with updated binaries under embargo.\n\n### Workaround\n\nIf for some reason you cannot upgrade:\n\nYou can use a reverse proxy or similar to block access to the literal paths\n* `/api/snapshots/:key`\n* `/api/snapshots-delete/:deleteKey`\n* `/dashboard/snapshot/:key`\n* `/api/snapshots/:key`\n\nThey have no normal function and can be disabled without side effects.\n\n### Timeline and postmortem\n\nHere is a detailed timeline starting from when we originally learned of the issue. All times in UTC.\n\n* 2021-09-15 14:49: Tuan Tran theblackturtle0901@gmail.com sends initial report about viewing snapshots without authentication\n* 2021-09-15 15:56: Initial reproduction\n* 2021-09-15 17:10: MEDIUM severity declared\n* 2021-09-15 18:58: Workaround deployed on Grafana Cloud\n* 2021-09-15 19:15: `/api/snapshots/:key` found to be vulnerable as well\n* 2021-09-15 19:30: `/api/snapshots/:key` blocked on Grafana Cloud\n* 2021-09-16 09:31: `/api/snapshots-delete/:deleteKey` found to be vulnerable as well, blocked on Grafana Cloud. From this point forward, Cloud is not affected any more.\n* 2021-09-16 09:35: HIGH severity declared\n* 2021-09-16 11:19: Realization that combination of deletion and viewing allows enumeration and permanent DoS\n* 2021-09-16 11:19: CRITICAL declared\n* 2021-09-17 10:53: Determination that no weekend work is needed. While issue is CRITICAL, scope is very limited\n* 2021-09-17 14:26: Audit of Grafana Cloud concluded, no evidence of exploitation\n* 2021-09-23: Grafana Cloud instances updated\n* 2021-09-28 12:00: Grafana Enterprise images released to customers under embargo\n* 2021-10-05 17:00: Public release\n\n## Reporting security issues\n\nIf you think you have found a security vulnerability, please send a report to [security@grafana.com](mailto:security@grafana.com). This address can be used for all of\nGrafana Labs\u0027s open source and commercial products (including but not limited to Grafana, Tempo, Loki, Amixr, k6, Tanka, and  Grafana Cloud, Grafana Enterprise, and grafana.com). We only accept vulnerability reports at this address. We would prefer that you encrypt your message to us using our PGP key. The key fingerprint is:\n\nF988 7BEA 027A 049F AE8E  5CAA D125 8932 BE24 C5CA\n\nThe key is available from [keys.gnupg.net](http://keys.gnupg.net/pks/lookup?op=get\u0026fingerprint=on\u0026search=0xD1258932BE24C5CA) by searching for [security@grafana](http://keys.gnupg.net/pks/lookup?search=security@grafana\u0026fingerprint=on\u0026op=index.\n\n## Security announcements\n\nWe maintain a category on the community site named [Security Announcements](https://community.grafana.com/c/security-announcements),\nwhere we will post a summary, remediation, and mitigation details for any patch containing security fixes. You can also subscribe to email updates to this category if you have a grafana.com account and sign in to the community site, or via updates from our [Security Announcements RSS feed](https://community.grafana.com/c/security-announcements.rss).\n\n## Acknowledgement\n\nWe would like to thank [Tran Viet Tuan](https://github.com/theblackturtle) for responsibly disclosing the initially discovered vulnerability to us.",
  "id": "GHSA-69j6-29vr-p3j9",
  "modified": "2021-11-18T15:13:27Z",
  "published": "2021-10-05T20:24:02Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/grafana/grafana/security/advisories/GHSA-69j6-29vr-p3j9"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39226"
    },
    {
      "type": "WEB",
      "url": "https://github.com/grafana/grafana/commit/2d456a6375855364d098ede379438bf7f0667269"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/grafana/grafana"
    },
    {
      "type": "WEB",
      "url": "https://grafana.com/docs/grafana/latest/release-notes/release-notes-7-5-11"
    },
    {
      "type": "WEB",
      "url": "https://grafana.com/docs/grafana/latest/release-notes/release-notes-8-1-6"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DCKBFUSY6V4VU5AQUYWKISREZX5NLQJT"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/E6ANHRDBXQT6TURLP2THM26ZPDINFBEG"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20211029-0008"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2021/10/05/4"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Authentication bypass for viewing and deletions of snapshots"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.