In this week’s digest, we’ll cover:
- HashiCorp Vault Cross-Site Scripting Vulnerability
- Grafana access control and race condition vulnerabilities
- PMM Authentication Bypass Vulnerability
CVE-2023-2121: HashiCorp Vault Cross-Site Scripting Vulnerability
Background
HashiCorp Vault is an open source tool designed to securely store and manage sensitive data in modern IT environments. It acts as a centralized secrets management solution, providing a secure way to store and access passwords, API keys, certificates, and other types of secrets. Vault uses a combination of encryption, access control policies, and auditing capabilities to protect sensitive information. Vault Enterprise is the commercial version of HashiCorp Vault; it provides additional features and support for enterprise-scale deployments.
Vulnerability
This vulnerability, tracked as CVE-2023-2121, is an injection vulnerability that allows HTML injection into the Vault web UI via a key value. Affected products include Vault and Vault Enterprise from 1.10.0 onwards.
Vault 1.10.0 introduced the ability to easily view the differences between two versions of a kv-v2 (KV Secrets Engine) secret in Vault’s web UI.
A user with write permissions to a kv-v2 secrets engine mount can cause an HTML injection if the Vault web UI is supplied with a string that is incorrectly sanitized and rendered as raw HTML.
By default, Vault’s Content Security Policy prevents inline JavaScript execution, which prevents this vector from escalating to cross-site scripting. Vault uses three main mechanisms to prevent cross-site scripting: strong typing and input validation on the backend, framework-provided output encoding on the frontend, and a restrictive, customizable content security policy that includes script-src ‘self’ by default.
Note that the impact of this vulnerability is low as the attacker needs write access to the kv-v2 secret engine to inject the payload.
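The rendering pattern behind this issue, as an added illustration that is not Vault’s own code: a kv-v2 version diff rendered once by string concatenation (markup in a value survives into the page) and once through html/template, the framework-provided output encoding the digest refers to. The diff helper and sample values are constructed for this example.

```go
package main

// Added example (not Vault's own code): render a kv-v2 version diff as HTML.
// renderDiffUnsafe concatenates raw values, the HTML-injection pattern;
// renderDiffSafe uses html/template, the "framework-provided output encoding".

import (
	"bytes"
	"html/template"
	"sort"
	"strings"
)
// DiffRow is one key of a kv-v2 secret whose value changed between versions.
type DiffRow struct{ Key, Old, New string }

// diffVersions lists per-key changes between two kv-v2 version payloads.
func diffVersions(prev, cur map[string]string) []DiffRow {
	var rows []DiffRow
	for k, v := range cur { // changed or added keys
		if prev[k] != v {
			rows = append(rows, DiffRow{k, prev[k], v})
		}
	}
	for k, v := range prev { // deleted keys
		if _, ok := cur[k]; !ok {
			rows = append(rows, DiffRow{k, v, ""})
		}
	}
	sort.Slice(rows, func(i, j int) bool { return rows[i].Key < rows[j].Key })
	return rows
}

// renderDiffUnsafe: plain concatenation, so markup in a value reaches the DOM.
func renderDiffUnsafe(rows []DiffRow) string {
	var b strings.Builder
	for _, r := range rows {
		b.WriteString("<tr><td>" + r.Key + "</td><td>" + r.Old + "</td><td>" + r.New + "</td></tr>")
	}
	return b.String()
}

var diffTmpl = template.Must(template.New("diff").Parse(
	`{{range .}}<tr><td>{{.Key}}</td><td>{{.Old}}</td><td>{{.New}}</td></tr>{{end}}`))
// renderDiffSafe: html/template escapes each interpolated value for its context.
func renderDiffSafe(rows []DiffRow) (string, error) {
	var buf bytes.Buffer
	err := diffTmpl.Execute(&buf, rows)
	return buf.String(), err
}
```

With a constructed version 2 value of `<b>s3cret</b>`, the unsafe renderer emits the tag verbatim while the template renderer emits `&lt;b&gt;s3cret&lt;/b&gt;`.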
Mitigation
- We highly recommend upgrading to patched Vault versions (1.14.0, 1.13.3, 1.12.7, and 1.11.11).
Grafana access control and race condition vulnerabilities
Background
Grafana is an open source analytics and interactive visualization web application. It connects to any supported data source to bring charts, graphs, and alerts to the web. Grafana is a popular tool for monitoring and visualizing metrics from various sources such as Prometheus, InfluxDB, Graphite, and Elasticsearch. It can also be used to create dashboards that display data from multiple sources in a single view.
Vulnerability
Grafana 9.5 versions prior to 9.5.3, 9.4 prior to 9.4.12, 9.3 prior to 9.3.15, 9.0 prior to 9.2.19, and 8.0 prior to 8.5.26 have several vulnerabilities, which we discuss below.
CVE-2023-2183: broken access control
Grafana provides the ability to send alerts via API or web UI user panel.
This vulnerability is tracked as CVE-2023-2183. The issue occurs because the API does not check the user’s access to the alerts feature. We have confirmed with a proof of concept (POC) that this vulnerability is exploitable.
Note that this option is not exposed in the user panel UI for the Viewer role; it is reachable only via the API.
This vulnerability allows a malicious user to abuse the functionality by sending many alert messages via email, Slack, and other platforms: spamming your users, setting up phishing attacks, or getting your SMTP servers/IPs blocked, for example by having all messages automatically moved to the spam folder or your IPs added to blacklists.
Mitigation
- We strongly recommend upgrading to patched versions of Grafana (9.5.3, 9.4.12, 9.3.15, 9.2.19, and 8.5.26).
- To prevent email spamming, consider changing your SMTP server configuration to limit the number of emails that can be sent to the same address per unit of time (a threshold).
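One way to put both points into code, the missing server-side role check and the per-recipient threshold recommended above, as an added example that is not Grafana’s own code: a policy function for a “send test alert” API call that refuses the Viewer role regardless of what the UI exposes, then applies a sliding-window cap per recipient. Role names follow Grafana’s; the limiter, error values and function are hypothetical.

```go
package main

// Added example, not Grafana's own code: a policy check for a "send test alert"
// API call that enforces the caller's role server-side (the check the digest says
// the API lacked) and caps notifications per recipient per window (the SMTP
// mitigation above). Role names follow Grafana's; the rest is hypothetical.

import (
	"errors"
	"time"
)
type Role string
const Viewer, Editor Role = "Viewer", "Editor"
var ErrForbidden = errors.New("forbidden: role may not send alerts")
var ErrRateLimited = errors.New("rate limited: too many alerts to recipient")

// Limiter is a sliding-window counter keyed by recipient (address or channel).
type Limiter struct {
	max    int
	window time.Duration
	sent   map[string][]time.Time
}
func NewLimiter(max int, window time.Duration) *Limiter {
	return &Limiter{max: max, window: window, sent: map[string][]time.Time{}}
}
// allow drops timestamps older than the window, then admits the send only if
// the recipient is still under the cap.
func (l *Limiter) allow(to string, now time.Time) bool {
	keep := l.sent[to][:0] // filter in place
	for _, ts := range l.sent[to] {
		if now.Sub(ts) < l.window {
			keep = append(keep, ts)
		}
	}
	if len(keep) >= l.max {
		l.sent[to] = keep
		return false
	}
	l.sent[to] = append(keep, now)
	return true
}
// AuthorizeTestAlert returns nil only when the caller's role may send alerts at
// all (Viewer cannot, whatever the UI shows) and the recipient is under the cap.
func AuthorizeTestAlert(role Role, to string, now time.Time, l *Limiter) error {
	if role == Viewer {
		return ErrForbidden
	}
	if !l.allow(to, now) {
		return ErrRateLimited
	}
	return nil
}
```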
CVE-2023-2801: race condition in DS proxy
Grafana provides the ability to create mixed queries using data from multiple data sources. For example, you can create mixed queries that use data from both Prometheus and InfluxDB. Public Dashboards is another feature of Grafana that allows users to share their dashboards with people outside their organization.
This vulnerability, tracked as CVE-2023-2801, exists in the way Grafana handles mixed queries. When Grafana receives a mixed query, it tries to query each data source in turn. However, Grafana can crash if the query is malformed. Specifically, sending API calls to /ds/query or the public dashboard query endpoints containing mixed queries can crash your Grafana instance. Currently, the only feature within Grafana that uses mixed queries is public dashboards, but you can also run into this issue by calling the API directly.
Note: Grafana rates this vulnerability “High” if Public Dashboards (PD) is enabled. Even with PD disabled, the vulnerability still poses a risk; however, triggering the issue then requires read permissions on the data source and access to the Grafana API via developer scripts.
Mitigation
- We strongly recommend upgrading to patched versions of Grafana (9.5.3, 9.4.12, 9.3.15, 9.2.19, and 8.5.26).
- Try to avoid using mixed queries in public dashboards.
CVE-2023-34409: PMM Authentication Bypass Vulnerability
Background
Percona Monitoring and Management (PMM) is an open source monitoring and management tool for databases such as MySQL, PostgreSQL, and MongoDB. It collects metrics from databases and hosts and displays them in a web-based dashboard. PMM also includes features for troubleshooting, alerting, and performance optimization.
Vulnerability
This vulnerability, tracked as CVE-2023-34409, is an authentication bypass that exists in the way PMM handles authentication. All versions of PMM after 2.0.0 are assumed to be vulnerable.
In vulnerable versions of PMM, the authenticator removes segments of the URL until it finds a matching pattern in the ruleset. This function does not properly sanitize URL paths to reject path traversal attempts. An unauthenticated remote attacker could exploit this flaw by sending a crafted URL to the PMM server, bypassing authentication and accessing PMM logs, which could expose sensitive information or lead to privilege escalation.
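The defensive counterpart of the matching scheme just described, as an added example that is not PMM’s own code: a rule-based authorizer that walks up the URL path until a rule matches, but only after percent-decoding and canonicalising the path, so dot-dot segments resolve to the resource that would actually be served before any rule is consulted. The rule set, role names and paths (including “/logs”) are hypothetical.

```go
package main

// Added example, not PMM's own code: a rule-based authenticator of the kind the
// digest describes (walk up the URL until a rule matches), hardened by
// canonicalising the path before any rule lookup. Rules and paths are hypothetical.

import (
	"net/url"
	"path"
	"strings"
)
// rules map a path prefix to the minimum role needed; the most specific wins.
var rules = map[string]string{
	"/ping": "none",   // unauthenticated health check
	"/v1":   "viewer", // API
	"/logs": "admin",  // log download (hypothetical path)
}
var rank = map[string]int{"none": 0, "viewer": 1, "admin": 2}
// canonicalPath percent-decodes and cleans the request path: after path.Clean an
// absolute path has no "." or ".." segments and no duplicate slashes.
func canonicalPath(raw string) (string, bool) {
	u, err := url.Parse(raw)
	if err != nil || !strings.HasPrefix(u.Path, "/") {
		return "", false
	}
	return path.Clean(u.Path), true
}

// requiredRole walks from the canonical path up to the root and returns the
// first rule it meets; "deny" if the request is malformed or no rule matches.
func requiredRole(raw string) string {
	p, ok := canonicalPath(raw)
	if !ok {
		return "deny"
	}
	for p != "/" {
		if r, found := rules[p]; found {
			return r
		}
		p = path.Dir(p)
	}
	return "deny" // default-deny rather than default-allow
}

// Authorize reports whether a caller holding role may reach raw.
func Authorize(role, raw string) bool {
	need := requiredRole(raw)
	r, known := rank[role]
	return need != "deny" && known && r >= rank[need]
}
```

Because matching runs on the cleaned path, “/v1/../logs” and its percent-encoded form both resolve to “/logs” and require the admin role, while unknown paths fall through to deny.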
Mitigation
- We strongly recommend upgrading to the patched version of PMM, i.e. 2.37.1, especially if your PMM instance is directly accessible from the internet.