Grafana Fixes Zero-day Vulnerability After Exploits Spread over Twitter
Open-source analytics and interactive visualization solution Grafana received an emergency update today to fix a high-severity, zero-day vulnerability that enabled remote access to local files.
Details about the issue started to become public earlier this week, before Grafana Labs rolled out updates for affected versions 8.0.0-beta1 through 8.3.0.
Plugin URL path
Earlier today, Grafana 8.3.1, 8.2.7, 8.1.8, and 8.0.7 were released to fix a path traversal vulnerability that could allow an attacker to navigate outside the Grafana folder and remotely access restricted locations on the server, such as /etc/passwd/.
Grafana Labs published a blog post today explaining that problem was with the URL for installed plug-ins, which was vulnerable to path traversal attacks.
Since all Grafana installations have a set of plugins installed by default, the vulnerable URL path was present on every instance of the application.
Grafana Labs received a report about the vulnerability at the end of last week, on December 3, and came up with a fix on the same day.
The developer planned a private customer release for today and a public one for December 14.
PoC spreads over Twitter and GitHub
A second report came in yesterday, though, indicating that information about the issue started to spread, the confirmation coming when news about the bug appeared in the public space.
It didn’t take long for technical details along with proof-of-concepts (PoC) to exploit the bug to become available on Twitter and GitHub.
Since the privately reported bug had become a leaked zero-day, Grafana Labs was forced to publish the fix:
- 2021-12-06: Second report about the vulnerability received
- 2021-12-07: We received information that the vulnerability has been leaked to the public, turning it into a 0day
- 2021-12-07: Decision made to release as quickly as feasible
- 2021-12-07: Private release with reduced 2-hour grace period, not the usual 1-week timeframe
- 2021-12-07: Public release
Now tracked as CVE-2021-43798, the flaw received a 7.5 severity score and is still exploitable on on-premise servers that have not been updated.
Grafana Cloud instances have not been impacted, the developer said today.
According to public reports, there are thousands of Grafana servers exposed on the public internet. If updating a vulnerable instance is not possible in a timely manner, it is recommended to make the server inaccessible from the public web.