In this week’s digest, we’ll discuss the following:
- Hashicorp Vault Cross-site Scripting Vulnerability
- Grafana Access Control and Race Condition Vulnerabilities
- PMM Authentication Bypass Vulnerability
CVE-2023-2121: Hashicorp Vault Cross-site Scripting Vulnerability
Background
HashiCorp Vault is an open source tool designed to securely store and manage sensitive data in modern IT environments. It acts as a centralized secret management solution, providing a secure way to store and access passwords, API keys, certificates, and other types of secrets. Vault uses a combination of encryption, access control policies, and auditing capabilities to protect sensitive information. Vault Enterprise is the commercial version of HashiCorp Vault. It provides additional features and support tailored for enterprise-scale deployments.
Vulnerability
The vulnerability, tracked as CVE-2023-2121, is an HTML injection vulnerability: key values stored in Vault can be injected as HTML into the Vault web UI. The affected products are Vault and Vault Enterprise from version 1.10.0 onward.
Vault 1.10.0 introduced the ability to easily review the difference between two revisions of kv-v2 (KV Secrets Engine) key-value secrets in Vault’s web UI.
A user with write privileges to a kv-v2 secrets engine mount could provide a string that would be incorrectly sanitized and rendered as raw HTML by Vault’s web UI, resulting in HTML injection.
By default, Vault’s Content Security Policy prevents the execution of inline JavaScript, which blocks cross-site scripting via this vector. Vault uses three main mechanisms to prevent cross-site scripting: strong typing and input validation on the backend, framework-provided output encoding on the frontend, and a restrictive, customizable content security policy that includes script-src ‘self’ by default.
Note that the impact of this vulnerability is low, since an attacker needs write privileges to a kv-v2 secrets engine in order to inject payloads.
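To show the difference between the unsafe rendering and the framework-encoded rendering the advisory refers to, here is an added Python example (not Vault's own code) that diffs two constructed kv-v2 revisions and renders the result both ways; the secret data, the markup and the function names are constructed for illustration:

```python
import html
from typing import Dict, List, Tuple

# Constructed sample data: two revisions of a kv-v2 secret as the UI would
# diff them. The second revision carries markup that must render as text.
REV1 = {"db_user": "app", "db_pass": "s3cret"}
REV2 = {"db_user": "app", "db_pass": "<b>rotated</b>", "note": "rotated 2023-06"}

Row = Tuple[str, str, str, str]  # (status, key, old_value, new_value)


def diff_secrets(old: Dict[str, str], new: Dict[str, str]) -> List[Row]:
    """Compare two revisions key by key; status is added/removed/changed/same."""
    rows: List[Row] = []
    for key in sorted(set(old) | set(new)):
        if key not in old:
            rows.append(("added", key, "", new[key]))
        elif key not in new:
            rows.append(("removed", key, old[key], ""))
        elif old[key] != new[key]:
            rows.append(("changed", key, old[key], new[key]))
        else:
            rows.append(("same", key, old[key], new[key]))
    return rows


def render_diff_unsafe(old: Dict[str, str], new: Dict[str, str]) -> str:
    """The defect class described above: secret keys and values are spliced
    into the markup verbatim, so any tags inside them become live HTML."""
    return "".join(
        f"<tr class='{s}'><td>{k}</td><td>{o}</td><td>{n}</td></tr>"
        for s, k, o, n in diff_secrets(old, new)
    )


def render_diff(old: Dict[str, str], new: Dict[str, str]) -> str:
    """Hardened form: every untrusted string is entity-encoded before it enters
    the markup (what the UI framework's output encoding is meant to do), so
    '<b>' reaches the page as '&lt;b&gt;' and is displayed rather than parsed."""
    e = html.escape
    return "".join(
        f"<tr class='{s}'><td>{e(k)}</td><td>{e(o)}</td><td>{e(n)}</td></tr>"
        for s, k, o, n in diff_secrets(old, new)
    )


def has_raw_tag(markup: str, tag: str = "<b>") -> bool:
    """Regression check: does a raw, unencoded tag survive in the rendering?"""
    return tag in markup
```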
Mitigation
- Upgrading to a patched version of Vault (1.14.0, 1.13.3, 1.12.7, or 1.11.11) is highly recommended.
Grafana Access Control and Race Condition Vulnerabilities
Background
Grafana is an open-source analytics and interactive visualization web application. It provides charts, graphs, and alerts for the web when connected to supported data sources. Grafana is a popular tool for monitoring and visualizing metrics from various sources, including Prometheus, InfluxDB, Graphite, and Elasticsearch. It can also be used to create dashboards that display data from multiple sources in a single view.
Vulnerabilities
Grafana 9.5.x before 9.5.3, 9.4.x before 9.4.12, 9.3.x before 9.3.15, 9.0.x through 9.2.x before 9.2.19, and 8.0.x through 8.5.x before 8.5.26 have several vulnerabilities, which we cover below.
CVE-2023-2183: Broken Access Control
Grafana offers the functionality to send alerts via the API or the Web UI user panel.
This vulnerability, tracked as CVE-2023-2183, allows an attacker with the Viewer role to send alerts through the API’s alert test function. The issue occurs because the API does not check whether the user is authorized to use the alert test function. A public proof of concept (POC) shows the vulnerability being abused.
Note that this option is not available in the user panel UI for the Viewer role; it is reachable only via the API.
This vulnerability enables malicious users to abuse the functionality by sending large numbers of alert messages via email, Slack, and other platforms: spamming users, preparing phishing attacks, or getting the SMTP server or its IP blocked or blacklisted so that all of its messages are automatically moved to a spam folder.
Mitigation
- Upgrading to the patched versions of Grafana i.e., 9.5.3, 9.4.12, 9.3.15, 9.2.19, and 8.5.26, is highly recommended.
- To limit spamming via email, consider configuring the SMTP server to rate-limit the number of messages that can be sent to the same address within a given time window.
CVE-2023-2801: DS Proxy Race Condition
Grafana offers the functionality to create mixed queries that combine data from multiple data sources; for example, a mixed query could use data from both Prometheus and InfluxDB. Public Dashboards is another Grafana feature that allows users to share dashboards with anyone outside their organization.
The vulnerability, tracked as CVE-2023-2801, exists in the way Grafana handles mixed queries. When Grafana receives a mixed query, it tries to execute the query against each data source in turn; if the query is malformed, this can cause Grafana to crash. More specifically, an API call containing mixed queries sent to the /ds/query endpoint or a public dashboard query endpoint can crash the Grafana instance. The only Grafana feature that currently uses mixed queries is Public Dashboards, but the issue can also be triggered by calling the API directly.
NOTE: If Public Dashboards (PD) is enabled, Grafana rates this vulnerability as High. Even with PD disabled, the vulnerability still poses a risk; however, triggering the issue then requires data source read privileges and access to the Grafana API through a developer script.
Mitigation
- Upgrading to the patched versions of Grafana i.e., 9.5.3, 9.4.12, 9.3.15, 9.2.19, and 8.5.26, is highly recommended.
- Avoid using mixed queries with Public Dashboards.
CVE-2023-34409: PMM Authentication Bypass Vulnerability
Background
Percona Monitoring and Management (PMM) is a monitoring and management tool for open source databases, including MySQL, PostgreSQL, and MongoDB. It collects metrics from your databases and hosts and displays them in a web-based dashboard. PMM also includes features for troubleshooting, alerting, and performance optimization.
Vulnerability
This vulnerability, tracked as CVE-2023-34409, is an authentication bypass in the way PMM authenticates incoming requests. All versions of PMM from 2.0.0 onward are assumed to be vulnerable.
In vulnerable versions of PMM, the authentication function strips segments of the URL until it finds a matching pattern in its ruleset, and it does not properly sanitize URL paths to reject path traversal attempts. An unauthenticated remote attacker could exploit this flaw by feeding a malformed URL to PMM, bypassing authentication and gaining access to PMM logs, resulting in the disclosure of sensitive information and potential escalation of privileges.
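The hardened alternative to "strip segments until a rule matches" is to canonicalize the request path once and then match the whole canonical path against the ruleset, denying by default. The following Python is an added example, not PMM's code; the public-path list is a constructed, hypothetical ruleset and the function names are ours:

```python
import posixpath
from urllib.parse import unquote, urlsplit

# Constructed, hypothetical ruleset for illustration (not PMM's real config):
# paths that may be served without authentication. Everything else requires it.
PUBLIC_PATHS = ("/v1/readyz", "/static/")


def canonical_path(raw_url: str) -> str:
    """Decode and normalize the request path exactly once, before any rule is
    consulted: percent-decoding, then resolution of '.', '..' and '//'.
    Segments that try to climb above the root are simply discarded."""
    path = urlsplit(raw_url).path
    path = unquote(path)
    if not path.startswith("/"):
        path = "/" + path
    return posixpath.normpath(path)


def is_public(norm_path: str) -> bool:
    """Match the whole canonical path against a rule, on segment boundaries
    only, so '/v1/readyzz' does not match the '/v1/readyz' rule."""
    for rule in PUBLIC_PATHS:
        base = rule.rstrip("/")
        if norm_path == base or norm_path.startswith(base + "/"):
            return True
    return False


def requires_auth(raw_url: str) -> bool:
    """Authentication decision: deny by default; allow only when the canonical
    path, never the raw one, is on the public list."""
    return not is_public(canonical_path(raw_url))
```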
Mitigation
- Upgrading to the patched version of PMM, i.e. 2.37.1, is highly recommended, particularly if the PMM instance is directly accessible from the internet.
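As an added helper (not from any of the vendors) covering the three Mitigation sections above, this Python snippet encodes the affected ranges and fixed releases stated in this digest and reports which release an installed version must reach; the product keys and function names are our own:

```python
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Affected ranges and fixed releases as stated in this digest. Each product
# lists its first affected release and the fix on every branch that received
# one; a branch with no fix of its own (e.g. Vault 1.10.x) must move up.
ADVISORIES = {
    "vault": {"cve": "CVE-2023-2121", "first_affected": (1, 10, 0),
              "fixed": [(1, 11, 11), (1, 12, 7), (1, 13, 3), (1, 14, 0)]},
    "grafana": {"cve": "CVE-2023-2183 / CVE-2023-2801", "first_affected": (8, 0, 0),
                "fixed": [(8, 5, 26), (9, 2, 19), (9, 3, 15), (9, 4, 12), (9, 5, 3)]},
    "pmm": {"cve": "CVE-2023-34409", "first_affected": (2, 0, 0),
            "fixed": [(2, 37, 1)]},
}


def parse_version(text: str) -> Version:
    """Pull major.minor.patch out of strings such as 'v1.13.2', '1.13.2+ent'
    or a banner like 'Grafana v9.5.2 (abc123)'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no semantic version found in {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def required_fix(product: str, version: Version) -> Optional[Version]:
    """Return the release this version must reach, or None when it is not
    affected (older than the first affected release, or at/after the fix
    for its branch)."""
    adv = ADVISORIES[product]
    if version < adv["first_affected"]:
        return None
    # The applicable fix is the lowest fixed release whose major.minor is
    # at or above ours; anything newer than every fixed branch is fine.
    for fix in sorted(adv["fixed"]):
        if fix[:2] >= version[:2]:
            return None if version >= fix else fix
    return None


def check(product: str, raw_version: str) -> str:
    """Human-readable verdict for one installed instance."""
    v = parse_version(raw_version)
    fix = required_fix(product, v)
    dotted = ".".join(map(str, v))
    if fix is None:
        return f"{product} {dotted}: not affected by {ADVISORIES[product]['cve']}"
    return f"{product} {dotted}: VULNERABLE to {ADVISORIES[product]['cve']}, upgrade to {'.'.join(map(str, fix))}"
```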