High-risk bug could allow attackers to gain internal network access
UPDATED Grafana has moved quickly to resolve an access control vulnerability that posed a severe threat to users of the open source analytics and data visualization tool.
The vulnerability – discovered by security researcher Justin Gardner and tracked as CVE-2020-13379 – involved the ‘avatar’ feature of the technology.
In an advisory, Grafana states: “This vulnerability allows any unauthenticated user/client to make Grafana send HTTP requests to any URL and return its result to the user/client. This can be used to gain information about the network that Grafana is running on.”
Grafana releases 3.0.1 through 7.0.1 are vulnerable. Users are urged to upgrade to either Grafana 6.7.4 or 7.0.2, as appropriate.
The Grafana security advisory is thin on details, but Gardner was able to offer more technical insight.
“The impact of this vulnerability is that it allows attackers to pivot into the internal networks of the Grafana instance,” Gardner told The Daily Swig.
“This allows for hitting localhost, internal networks, and most importantly the metadata instances associated with various cloud providers.
“Using this exploit, I was able to extract AWS credentials which have given me access to more than 10k servers in various bug bounty programs,” he added.
Audit trail
Gardner discovered the vulnerability after auditing the source code available in the Grafana GitHub repo.
“When auditing the source code, I looked at any routes that did not require authentication,” he explained. “From there I found the /avatar/ route and noted that it takes user input and puts it into an HTTP request.
“I turned on debug logging in Grafana and tried to chain open redirects together until I was able to control the result of the request,” the security researcher concluded.
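The pattern Gardner describes, an unauthenticated route that drops user input into an outbound HTTP request and then follows wherever the upstream redirects, is easy to reproduce in miniature. The following Go program is an added illustration written for this article; it is not Grafana's code and does not reproduce the actual Grafana avatar handler or the redirect chain Gardner used. Everything in it is constructed: the two httptest servers (one standing in for an external avatar service with an open redirect, one for an internal metadata endpoint), the fixed "PNG-BYTES" and "CONSTRUCTED-INTERNAL-SECRET" response bodies, the assumption that a legitimate avatar id is a 32-character hex hash, and the function names. It shows a proxy that relays the internal server's response to an unauthenticated caller (a full-read SSRF), beside a hardened version of the same proxy that validates its input, refuses to follow redirects and bounds the relayed body, plus a helper for recognising internal address ranges such as the 169.254.169.254 metadata address.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"net"
	"net/http"
	"net/http/httptest"
	"regexp"
	"strings"
)

// Constructed stand-in for a cloud metadata endpoint: only reachable from
// inside the network, and exactly what an SSRF is used to read.
func newInternalServer() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, "CONSTRUCTED-INTERNAL-SECRET")
	}))
}

// Constructed stand-in for an external avatar service: an open redirect via
// ?redirect=, plus a bounce to internalURL for one avatar id (modelling a
// redirect chain the attacker has already arranged upstream).
func newUpstreamServer(internalURL string) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if target := r.URL.Query().Get("redirect"); target != "" {
			http.Redirect(w, r, target, http.StatusFound)
		} else if strings.HasSuffix(r.URL.Path, "/"+strings.Repeat("f", 32)) {
			http.Redirect(w, r, internalURL, http.StatusFound)
		} else {
			fmt.Fprint(w, "PNG-BYTES-FOR-"+r.URL.Path)
		}
	}))
}

// The pattern the article describes: unauthenticated input is concatenated
// into the outbound URL and http.DefaultClient follows redirects anywhere, so
// the caller receives whatever the final hop returned (full-read SSRF).
func fetchAvatarVulnerable(upstreamBase, userInput string) (string, error) {
	resp, err := http.Get(upstreamBase + "/avatar/" + userInput)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}

var (
	avatarHash  = regexp.MustCompile(`^[0-9a-f]{32}$`) // assumed id format
	errBadInput = errors.New("avatar id must be a 32-character lowercase hex hash")
	errRedirect = errors.New("upstream answered with a redirect; refusing to follow it")
	// Returns 3xx responses instead of following them, so the proxy only ever
	// connects to the host it was configured with.
	noRedirectClient = &http.Client{
		CheckRedirect: func(*http.Request, []*http.Request) error { return http.ErrUseLastResponse },
	}
)

// Same proxy, hardened: strict input format, no redirect following, bounded body.
func fetchAvatarHardened(upstreamBase, userInput string) (string, error) {
	if !avatarHash.MatchString(userInput) {
		return "", errBadInput
	}
	resp, err := noRedirectClient.Get(upstreamBase + "/avatar/" + userInput)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	if resp.StatusCode >= 300 && resp.StatusCode < 400 {
		return "", errRedirect
	}
	if resp.StatusCode != http.StatusOK {
		return "", fmt.Errorf("upstream returned status %d", resp.StatusCode)
	}
	body, err := io.ReadAll(io.LimitReader(resp.Body, 1<<20))
	return string(body), err
}

// isInternalIP flags loopback, RFC 1918, link-local (covers 169.254.169.254,
// the metadata address on several clouds) and unspecified addresses. Where the
// upstream host is operator-configurable, run this over every resolved dial
// target too; the demo upstream is itself loopback, so it is shown separately.
func isInternalIP(ip net.IP) bool {
	return ip == nil || ip.IsUnspecified() || ip.IsLoopback() || ip.IsPrivate() ||
		ip.IsLinkLocalUnicast() || ip.IsLinkLocalMulticast()
}

// runDemo runs both proxies against the constructed servers and returns: what
// the injected input gave the attacker via the vulnerable proxy, what the
// hardened proxy returns for a legitimate id, and its errors for the injected
// id and for an id the upstream redirects anyway.
func runDemo() (vulnBody, benign string, injectErr, redirErr error) {
	internal := newInternalServer()
	defer internal.Close()
	upstream := newUpstreamServer(internal.URL)
	defer upstream.Close()
	injected := "deadbeef?redirect=" + internal.URL
	vulnBody, _ = fetchAvatarVulnerable(upstream.URL, injected)
	benign, _ = fetchAvatarHardened(upstream.URL, strings.Repeat("0123456789abcdef", 2))
	_, injectErr = fetchAvatarHardened(upstream.URL, injected)
	_, redirErr = fetchAvatarHardened(upstream.URL, strings.Repeat("f", 32))
	return
}

func main() {
	v, b, ie, re := runDemo()
	fmt.Printf("vulnerable relayed %q\nhardened benign %q\nhardened injected: %v\nhardened redirect: %v\n", v, b, ie, re)
}
```

The vulnerable proxy hands the internal server's body straight back to an unauthenticated caller, which is the behaviour the advisory describes. Note that input validation alone is not enough: the 32-f avatar id passes the format check, and it is only the refusal to follow redirects that stops the hardened proxy from being walked to the internal address.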
Prompt triage
Gardner first notified Grafana of the vulnerability on May 14. The vendor confirmed the flaw within a day and developed a patch within two weeks.
“I received a response to the report within 24 hours and was confident that the team was working on a patch from the very beginning,” he said.
As per his initial plan, Gardner released a write-up of the vulnerability in early August.
The CVE-2020-13379 vulnerability, which gives an unauthenticated full-read server-side request forgery (SSRF) in Grafana, was presented by Gardner at HackerOne’s HacktivityCon on August 1.
This story was updated on August 3 to add a link to Gardner's write-up of the Grafana vulnerability.