Visualize this

Grafana web security vulnerability opened the door to numerous attacks

Research from a pair of bug bounty hunters has led to the discovery of a high-impact web security vulnerability in popular dashboard tool Grafana.

The cross-site request forgery (CSRF) vulnerability – tracked as CVE-2022-21703 – opens the door for attackers to elevate their privileges through cross-origin attacks against administrators on systems running vulnerable versions of the open source platform.

Grafana branch versions prior to 7.5.15 and 8.3.5 are all vulnerable and in need of security triage, according to the researchers.

Fortunately, patches are already available.

Catch up with the latest security research news and analysis

Security researchers using the handles ‘jub0bs’ and ‘abrahack’ demonstrated that Grafana instances configured to allow frame embedding of authenticated dashboards are at increased risk from potential cross-origin attacks.

There are no known workarounds, so system administrators are advised to upgrade Grafana installations as soon as possible.

Security shortfalls

Bug hunter jub0bs told The Daily Swig that the potential consequences of the vulnerability were wide-ranging.

“Impact includes stored XSS [cross-site scripting], privesc [privilege escalation] all the way to Grafana admin of the targeted instance, full-read SSRF [server-side request forgery], and also pivoting against other apps running on the same origin (e.g. GitLab),” they explained.

“The attacker would then have to lure a high-privilege Grafana user to the vulnerable page on that subdomain.”

RELATED Grafana urges web devs to update following path traversal bug disclosure

The researcher said that the vulnerability stemmed from a combination of three security shortfalls: over-reliance on the SameSite cookie attribute, weak validation of requests’ content type, and incorrect assumptions about cross-origin resource sharing (CORS).

There are some pre-conditions for a successful attack, but even so assaults might easily be possible.

They explained: “If an attacker is targeting a Grafana instance with a default configuration on, say, grafana[.]example[.com], an XSS or subtko [subdomain takeover] on some subdomain of example[.]com is needed.”

In a technical blog post, jub0bs and abrahack explain their research in some depth.

The Daily Swig invited Grafana to comment on the latest research into its platform, but we’re yet to hear back.

The issue has been fixed in Grafana versions 7.5.15 and 8.3.5.

YOU MIGHT ALSO LIKE Internet Society data leak exposed 80,000 members’ login details