Grafana Patched Zero-Day Vulnerability Following Dissemination of Exploits on Twitter


Grafana, the open-source analytics and interactive visualization platform, was updated today to fix a high-severity zero-day vulnerability that allowed remote access to local files. Details of the issue became public earlier this week, before Grafana Labs had released patches for the affected versions 8.0.0-beta1 through 8.3.0.

Grafana 8.3.1, 8.2.7, 8.1.8, and 8.0.7 were published to address a path traversal vulnerability that could allow an attacker to step outside the Grafana folder and remotely read protected server files such as /etc/passwd. Grafana Labs explained the problem today in a blog post, stating that the fault lay in the URL route for installed plug-ins, which was subject to path traversal attacks.

The vulnerable URL route was present on every Grafana instance, since all installs ship with a set of plugins loaded by default. Grafana Labs was notified of the vulnerability at the end of last week, on December 3, and developed a fix that same day. A confidential release to customers was scheduled for today, with a public release planned for December 14.

Grafana Labs then received a second report indicating that news of the problem was spreading, which was confirmed when information about the flaw surfaced publicly. Technical details and proof-of-concept (PoC) exploits for the weakness were quickly shared on Twitter and GitHub. The bug, now tracked as CVE-2021-43798, has a severity rating of 7.5 and can still be exploited against unpatched on-premises servers.

The developer revealed that Grafana Cloud instances are unaffected.

“On 2021-12-03, we received a report that Grafana is vulnerable to directory traversal, allowing access to local files. We have confirmed this for versions v8.0.0-beta1 to v8.3.0. Thanks to our defense-in-depth approach, at no time has Grafana Cloud been vulnerable.”

According to public sources, thousands of Grafana servers are exposed on the internet. If a vulnerable instance cannot be upgraded promptly, the recommendation is to make the server unreachable from the public web.
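The plug-in route flaw described above is a classic case of joining a client-supplied path onto a directory without checking the result. The Go snippet below is an added example, not Grafana's own code, showing both a containment check that a file-serving handler should apply and a small scan over constructed access-log lines that a defender can run to spot traversal attempts against unpatched servers; the plugin directory and the /public/plugins/ URL prefix are assumed placeholders.

```go
package main

import (
	"net/url"
	"path/filepath"
	"strings"
)

// Assumed placeholders for this example: plugin directory on disk and URL prefix for plugin assets.
const (
	pluginDir   = "/var/lib/grafana/plugins"
	pluginRoute = "/public/plugins/"
)

// SafePluginPath maps a client-supplied asset path to a file under pluginDir: it percent-decodes,
// joins (Join collapses ".." segments), then verifies the result still lies inside pluginDir.
// ok=false means the request must be refused (e.g. with 404) rather than served.
func SafePluginPath(requested string) (string, bool) {
	decoded, err := url.PathUnescape(requested)
	joined := filepath.Join(pluginDir, decoded)
	if err != nil || !strings.HasPrefix(joined, pluginDir+"/") {
		return "", false
	}
	return joined, true
}

// Constructed access-log lines (not real traffic): "<client> <method> <path> <status>".
var sampleLog = []string{
	"203.0.113.7 GET /public/plugins/piechart/module.js 200",
	"203.0.113.9 GET /public/plugins/piechart/../../../../etc/passwd 200",
	"203.0.113.9 GET /public/plugins/alertlist/%2e%2e/%2e%2e/%2e%2e/etc/passwd 200",
	"198.51.100.2 GET /api/health 200",
}

// FlagTraversalRequests returns lines whose decoded request path is under the plugin
// route and contains a ".." segment, the signature of this traversal bug class.
func FlagTraversalRequests(lines []string) []string {
	var hits []string
	for _, l := range lines {
		f := strings.Fields(l)
		if len(f) < 3 {
			continue
		}
		p, err := url.PathUnescape(f[2])
		if err == nil && strings.HasPrefix(p, pluginRoute) && strings.Contains(p+"/", "/../") {
			hits = append(hits, l)
		}
	}
	return hits
}
```

Percent-decoding before the check matters: an encoded `%2e%2e` segment is invisible to a naive substring match on the raw URL but becomes `..` once the server decodes it.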

About the author

CIM Team


CyberIntelMag is the trusted authority in cybersecurity, comprised of leading industry experts for over 20 years, dedicated to serving cybersecurity professionals. Our goal is to provide a one-stop shop for knowledge and insight needed to navigate throughout today’s emerging cybersecurity landscape through in-depth coverage of breaking news, tutorials, product reviews, videos and industry influencers.