Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <CAD7TOkzbi4foTWrCYt9_H1C=khRXDVCER7aZYuQ11qTQXMzSBA@mail.gmail.com>
Date: Wed, 3 Nov 2021 15:24:55 +0100
From: Daniel Lee <daniel@...fana.com>
To: oss-security@...ts.openwall.com
Subject: CVE-2021-41174 Grafana XSS vulnerability

Today we are releasing Grafana 8.2.3. This patch release includes an
important security fix for an issue that affects all Grafana versions from
8.0.0-beta1.

[Grafana Cloud](https://grafana.com/cloud) instances have already been
patched and an audit did not find any usage of this attack vector. [Grafana
Enterprise](https://grafana.com/products/enterprise) customers were
provided with updated binaries under embargo.

## CVE-2021-41174 XSS vulnerability on unauthenticated pages

### Summary

CVSS Score: 6.9 Medium
CVSS:[CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:H/A:N/E:U/RL:O/RC:R/CR:L/MAV:N/MAC:H/MPR:N/MUI:R/MS:C/MC:N/MI:H/MA:L](
https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:H/A:N/E:U/RL:O/RC:R/CR:L/MAV:N/MAC:H/MPR:N/MUI:R/MS:C/MC:N/MI:H/MA:L
)

We received a security report to security@...fana.com on 2021-10-21 about a
vulnerability in Grafana regarding the XSS vulnerability.

It was later identified as affecting Grafana versions from 8.0.0-beta1 to
8.2.2. [CVE-2021-41174](
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41174) has been
assigned to this vulnerability.

### Impact

If an attacker is able to convince a victim to visit a URL referencing a
vulnerable page, arbitrary JavaScript content may be executed within the
context of the victim's browser.

The user visiting the malicious link must be unauthenticated and the link
must be for a page that contains the login button in the menu bar.

There are two ways an unauthenticated user can open a page in Grafana that
contains the login button:
- Anonymous authentication is enabled. This means all pages in Grafana
would be open for the attack.
- The link is to an unauthenticated page. The following pages are
vulnerable:
  - `/dashboard-solo/snapshot/*`
  - `/dashboard/snapshot/*`
  - `/invite/:code`

The url has to be crafted to exploit AngularJS rendering and contain the
interpolation binding for AngularJS expressions. AngularJS uses double
curly braces for interpolation binding: {{ }}

An example of an expression would be:
`{{constructor.constructor(‘alert(1)’)()}}`. This can be included in the
link URL like this:

https://play.grafana.org/dashboard/snapshot/%7B%7Bconstructor.constructor('alert(1)')()%7D%7D?orgId=1

When the user follows the link and the page renders, the login button will
contain the original link with a query parameter to force a redirect to the
login page. The URL is not validated and the AngularJS rendering engine
will execute the JavaScript expression contained in the URL.

### Attack audit

We can not guarantee that the below will identify all attacks, so if you
find something using the audit process described below, you should consider
doing a full assessment.

#### Through reverse proxy/load balancer logs

To determine if your Grafana installation has been exploited for this
vulnerability, search through your reverse proxy/load balancer access logs
for instances where the path contains `{{` followed by something that would
invoke JavaScript code. For example, this could be code that attempts to
show a fake login page or to steal browser or session data. The [OWASP
cheat sheet](
https://cheatsheetseries.owasp.org/cheatsheets/XSS_Filter_Evasion_Cheat_Sheet.html)
has several examples of XSS attacks.

#### Through the Grafana Enterprise audit feature

If you enabled “Log web requests” in your configuration with
`router_logging = true`, look for requests where `path` contains `{{`
followed by something that would invoke JavaScript code.

### Patched versions

Release 8.2.3:

- [Download Grafana 8.2.3](https://grafana.com/grafana/download/8.2.3)
- [Release notes](
https://grafana.com/docs/grafana/latest/release-notes/release-notes-8-2-3/)

### Solutions and mitigations

Download and install the appropriate patch for your version of Grafana.

[Grafana Cloud](https://grafana.com/cloud) instances have already been
patched, and [Grafana Enterprise](https://grafana.com/products/enterprise)
customers were provided with updated binaries under embargo.

### Workaround

If for some reason you cannot upgrade, you can use a reverse proxy or
similar to block access to block the literal string `{{` in the path.

Example of an Nginx rule to block the literal string `{{`:

```
location ~ \{\{ {
    deny all;
}
```
### Timeline and postmortem

Here is a detailed timeline starting from when we originally learned of the
issue. All times in UTC.

* 2021-10-21 23:13: Security researcher sends the initial report about an
XSS vulnerability.
* 2021-10-21 23:13: Confirmed to be reproducible in at least versions 8.0.5
and 8.2.2.
* 2021-10-22 02:02 MEDIUM severity declared.
* 2021-10-22 09:22: it is discovered that Grafana instances with anonymous
auth turned on are vulnerable. This includes https://play.grafana.org/ .
* 2021-10-22 09:50: Anonymous access disabled for all instances on Grafana
Cloud as a mitigation measure.
* 2021-10-22 11:15: Workaround deployed on Grafana Cloud that blocks
malicious requests.
* 2021-10-22 12:35: Enabled anonymous access for instances on Grafana
Cloud.
* 2021-10-22 12:51: All instances protected by the workaround. From this
point forward, Grafana Cloud is no longer affected.
* 2021-10-22 14:05 Grafana Cloud instances updated with a fix.
* 2021-10-22 19:23 :Determination that no weekend work is needed as the
issue is of MEDIUM severity and the root cause has been identified.
* 2021-10-25 14:13: Audit of Grafana Cloud concluded, no evidence of
exploitation.
* 2021-10-27 12:00: Grafana Enterprise images released to customers under
embargo.
* 2021-11-03 12:00: Public release.

## Reporting security issues

If you think you have found a security vulnerability, please send a report
to [security@...fana.com](mailto:security@...fana.com). This address can be
used for all of
Grafana Labs' open source and commercial products (including but not
limited to Grafana, Tempo, Loki, k6, Tanka, and  Grafana Cloud, Grafana
Enterprise, and grafana.com). We only accept vulnerability reports at this
address. We would prefer that you encrypt your message to us using our PGP
key. The key fingerprint is:

F988 7BEA 027A 049F AE8E  5CAA D125 8932 BE24 C5CA

The key is available from [ keyserver.ubuntu.com](
https://keyserver.ubuntu.com/pks/lookup?op=get&fingerprint=on&search=0xD1258932BE24C5CA)
by searching for [security@...fana](
https://keyserver.ubuntu.com/pks/lookup?search=security@grafana&fingerprint=on&op=index
).

## Security announcements

There is a Security [category](https://grafana.com/tags/security/) on the
Grafana blog where we will post a summary, remediation, and mitigation
details for any patch containing security fixes and you can subscribe to
updates from our [Security Announcements RSS feed](
https://grafana.com/tags/security/index.xml).

Regards,
Daniel Lee, Grafana Labs

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.