Linode Security Digest June 12-June 19, 2023

In this week's digest, we'll discuss the following:

  • HashiCorp Vault Cross-site Scripting Vulnerability
  • Grafana Access Control and Race Condition Vulnerabilities
  • PMM Authentication Bypass Vulnerability

CVE-2023-2121: HashiCorp Vault Cross-site Scripting Vulnerability

Background

HashiCorp Vault is an open source tool designed to securely store and manage sensitive data in modern IT environments. It acts as a centralized secrets management solution, providing a secure way to store and access passwords, API keys, certificates, and other types of secrets. Vault uses a combination of encryption, access control policies, and auditing capabilities to protect sensitive information. Vault Enterprise is the commercial version of HashiCorp Vault; it provides additional features and support tailored for enterprise-scale deployments.

Vulnerability

The vulnerability, tracked as CVE-2023-2121, is an injection vulnerability that allows HTML injection into the Vault Web UI via key values. The affected products are Vault and Vault Enterprise since 1.10.0.

Vault 1.10.0 introduced the ability to easily review the difference between two revisions of kv-v2 (KV Secrets Engine) key-value secrets in Vault's web UI.

A user with write privileges to a kv-v2 secrets engine mount could provide a string that would be incorrectly sanitized and rendered as raw HTML by Vault's web UI, leading to an HTML injection.

By default, Vault's Content Security Policy prevents the execution of inline JavaScript, therefore preventing exposure to cross-site scripting via this vector. Vault uses three main mechanisms for preventing cross-site scripting: strong typing and input validation on the backend, framework-provided output encoding on the frontend, and a restrictive, customizable content security policy that includes script-src 'self' by default.
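The two frontend layers named above, output encoding and a restrictive CSP, can be seen side by side in the following added example. It is not Vault's code: it renders a constructed kv-v2 revision diff once by raw string concatenation (the defect class) and once through Go's html/template, whose context-aware escaping is the same idea as the framework-provided output encoding in Vault's UI, and it emits a script-src 'self' policy. The row layout, key names and values are all constructed for the example.

```go
package main

import (
	"bytes"
	"fmt"
	"html/template"
	"strings"
)

// diffRow is one key of the kv-v2 revision diff as a UI would render it.
type diffRow struct {
	Key, Old, New string
}

// sampleRows is a constructed pair of revisions: the newer value carries
// markup of the kind a user with write access to the mount could store.
func sampleRows() []diffRow {
	return []diffRow{
		{Key: "db_password", Old: "old-value", New: "new-value"},
		{Key: "note", Old: "plain text", New: "<b>injected markup</b>"},
	}
}

// renderDiffUnsafe shows the defect class: values are concatenated straight
// into markup, so a value containing "<" is parsed by the browser as HTML.
func renderDiffUnsafe(rows []diffRow) string {
	var b strings.Builder
	for _, r := range rows {
		fmt.Fprintf(&b, "<tr><td>%s</td><td>%s</td><td>%s</td></tr>\n", r.Key, r.Old, r.New)
	}
	return b.String()
}

// diffTmpl uses html/template, whose context-aware escaping turns "<b>" in a
// value into "&lt;b&gt;", so it is displayed as text rather than interpreted.
var diffTmpl = template.Must(template.New("diff").Parse(
	"{{range .}}<tr><td>{{.Key}}</td><td>{{.Old}}</td><td>{{.New}}</td></tr>\n{{end}}"))

// renderDiffSafe is the output-encoding layer described in the text.
func renderDiffSafe(rows []diffRow) (string, error) {
	var buf bytes.Buffer
	if err := diffTmpl.Execute(&buf, rows); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// cspHeader is the second layer: a policy that only runs scripts served from
// the application's own origin, so injected markup cannot run inline script.
// script-src 'self' is the directive the text names; default-src is added
// here as an illustrative baseline, not taken from Vault's policy.
func cspHeader() string {
	return "default-src 'self'; script-src 'self'"
}

// tagSurvived reports whether a raw "<b>" from a value reached the output.
func tagSurvived(rendered string) bool {
	return strings.Contains(rendered, "<b>")
}

func main() {
	rows := sampleRows()
	fmt.Println("unsafe renderer, tag survived:", tagSurvived(renderDiffUnsafe(rows)))
	safe, err := renderDiffSafe(rows)
	if err != nil {
		panic(err)
	}
	fmt.Println("safe renderer, tag survived:  ", tagSurvived(safe))
	fmt.Println("Content-Security-Policy:", cspHeader())
}
```

The escaping layer is what stops the injection; the CSP is the layer that limits damage when escaping is missed, which is exactly the position this advisory describes, so a hardened UI keeps both.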

It should be noted that the impact of this vulnerability is low, since an attacker needs write privileges to a kv-v2 secrets engine in order to inject payloads.

Mitigation

  • Upgrading to the patched versions of Vault, i.e. 1.14.0, 1.13.3, 1.12.7, and 1.11.11, is highly recommended.

Grafana Access Control and Race Condition Vulnerabilities

Background

Grafana is an open-source analytics and interactive visualization web application. It provides charts, graphs, and alerts for the web when connected to supported data sources. Grafana is a popular tool for monitoring and visualizing metrics from various sources, including Prometheus, InfluxDB, Graphite, and Elasticsearch. It can also be used to create dashboards that display data from multiple sources in a single view.

Vulnerabilities

Grafana versions 9.5 prior to 9.5.3, 9.4 prior to 9.4.12, 9.3 prior to 9.3.15, 9.0 prior to 9.2.19, and 8.0 prior to 8.5.26 have multiple vulnerabilities, which we'll cover.

CVE-2023-2183: Broken Access Control

Grafana provides the functionality to send alerts via the API or the Web UI user panel.

This vulnerability, tracked as CVE-2023-2183, allows an attacker in the Viewer role to send alerts through the API Alert-Test function. The issue occurs because the API does not check the user's access to the alert function. The vulnerability can be seen being abused in this PoC.

One point to be noted here is that this option is not available in the user panel UI for the Viewer role, only via the API.

This vulnerability enables malicious users to abuse the functionality by sending multiple alert messages via email, Slack, and other platforms; spamming users; preparing phishing attacks or getting the SMTP server / IP blocked; or causing all messages to be moved automatically to a spam folder or the IP to be added to a blacklist.
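The root cause described above, a UI that hides the button while the API behind it performs no role check, is illustrated by the following added example. It is not Grafana's code: it registers a stand-in notification-test endpoint twice, once with no check (the vulnerable shape) and once behind a server-side role check, and drives both with httptest. The route path /api/alert-test, the X-Role header used in place of a real session lookup, and Editor as the minimum role are assumptions for the example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Role is an ordered organization role; higher values carry more privilege.
type Role int

const (
	Viewer Role = iota
	Editor
	Admin
)

// parseRole maps the constructed X-Role header to a Role. In a real server
// the role comes from the authenticated session, never from a client header.
func parseRole(s string) (Role, bool) {
	switch s {
	case "Viewer":
		return Viewer, true
	case "Editor":
		return Editor, true
	case "Admin":
		return Admin, true
	}
	return 0, false
}

// requireRole is the missing check: it rejects callers below the minimum
// role before the wrapped handler runs, for API and UI callers alike.
func requireRole(minRole Role, next http.HandlerFunc) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		role, ok := parseRole(r.Header.Get("X-Role"))
		if !ok || role < minRole {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		next(w, r)
	}
}

// alertTestHandler stands in for the notification test endpoint. A real one
// would push a message to the configured channel; this one only acknowledges.
func alertTestHandler(w http.ResponseWriter, r *http.Request) {
	fmt.Fprintln(w, "test notification dispatched")
}

// vulnerableMux registers the endpoint with no role check, so hiding the
// button in the UI is the only barrier and a direct API call goes through.
func vulnerableMux() *http.ServeMux {
	mux := http.NewServeMux()
	mux.HandleFunc("/api/alert-test", alertTestHandler)
	return mux
}

// fixedMux enforces the check on the server, where it cannot be skipped.
func fixedMux() *http.ServeMux {
	mux := http.NewServeMux()
	mux.HandleFunc("/api/alert-test", requireRole(Editor, alertTestHandler))
	return mux
}

// callAs sends one request to the router as the given role and returns the
// HTTP status code.
func callAs(h http.Handler, role string) int {
	req := httptest.NewRequest(http.MethodPost, "/api/alert-test", nil)
	req.Header.Set("X-Role", role)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	fmt.Println("vulnerable router, Viewer:", callAs(vulnerableMux(), "Viewer"))
	fmt.Println("fixed router, Viewer:     ", callAs(fixedMux(), "Viewer"))
	fmt.Println("fixed router, Editor:     ", callAs(fixedMux(), "Editor"))
}
```

The point for a reviewer is that authorization belongs on the handler, not in the UI: every route that triggers an outbound action (email, Slack, webhook) needs the same check the UI applies, because the API is reachable without the UI.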

Mitigation

  • Upgrading to the patched versions of Grafana, i.e. 9.5.3, 9.4.12, 9.3.15, 9.2.19, and 8.5.26, is highly recommended.
  • To prevent spamming via email, consider changing the SMTP server configuration to limit the number of emails that can be sent to the same address per unit of time (a rate threshold).

CVE-2023-2801: DS Proxy Race Condition

Grafana provides the functionality to create mixed queries by using data from multiple data sources. For example, you can create a mixed query that uses data from both Prometheus and InfluxDB. Public Dashboards is another feature in Grafana that allows users to share dashboards with anyone outside your organization.

The vulnerability, tracked as CVE-2023-2801, exists in the way Grafana handles mixed queries. When Grafana receives a mixed query, it tries to execute the query against each data source in turn. However, if the query is malformed, this can cause Grafana to crash. More specifically, if you send an API call to the /ds/query or a public dashboard query endpoint that has mixed queries, you can crash your Grafana instance. The only feature that uses mixed queries within Grafana right now is Public Dashboards, but it is also possible to cause this issue by calling the API directly.

NOTE: If you have Public Dashboards (PD) enabled, this vulnerability is rated as High by Grafana. Even if you have disabled PD, this vulnerability still poses a risk. However, triggering the issue requires data source read privileges and access to the Grafana API via a developer script.
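The failure mode above, one malformed sub-query taking down the whole server process, is the kind of thing a mixed-query executor should isolate. The following added example is not Grafana's code: it fans a query out to two constructed data sources concurrently, recovers a panic inside each goroutine so it becomes a per-source error, and collects results under a mutex so concurrent writers cannot race on the shared map. The data source names, the query format and the parsing bug in the second source are all constructed.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
	"sync"
)

// DataSource is a stand-in for a data source plugin (constructed).
type DataSource struct {
	Name  string
	Query func(expr string) ([]float64, error)
}

// MixedResult is the per-source outcome; Err is set when that source failed.
type MixedResult struct {
	Source string
	Values []float64
	Err    error
}

// runMixedQuery executes expr against every data source concurrently.
// Each goroutine recovers its own panic, so a malformed sub-query is
// reported as an error for that one source instead of terminating the
// process, and the shared results map is only written under the mutex.
func runMixedQuery(sources []DataSource, expr string) map[string]MixedResult {
	results := make(map[string]MixedResult, len(sources))
	var mu sync.Mutex
	var wg sync.WaitGroup
	for _, ds := range sources {
		wg.Add(1)
		go func(ds DataSource) {
			defer wg.Done()
			res := MixedResult{Source: ds.Name}
			func() {
				defer func() {
					if r := recover(); r != nil {
						res.Err = fmt.Errorf("%s: query panicked: %v", ds.Name, r)
					}
				}()
				res.Values, res.Err = ds.Query(expr)
			}()
			mu.Lock()
			results[ds.Name] = res
			mu.Unlock()
		}(ds)
	}
	wg.Wait()
	return results
}

// failedSources lists the sources whose sub-query returned an error.
func failedSources(results map[string]MixedResult) []string {
	var failed []string
	for name, r := range results {
		if r.Err != nil {
			failed = append(failed, name)
		}
	}
	return failed
}

// sampleSources returns two constructed sources: one that validates its
// input, and one whose parser indexes past the end of a single-token
// expression and panics, standing in for an unguarded crash.
func sampleSources() []DataSource {
	return []DataSource{
		{Name: "prometheus", Query: func(expr string) ([]float64, error) {
			if expr == "" {
				return nil, errors.New("empty expression")
			}
			return []float64{1, 2, 3}, nil
		}},
		{Name: "influxdb", Query: func(expr string) ([]float64, error) {
			// Expects "<measurement> <field>" and never checks that the
			// field is present: "malformed" alone panics on parts[1].
			parts := strings.Split(expr, " ")
			field := parts[1]
			return []float64{float64(len(field))}, nil
		}},
	}
}

func main() {
	for _, expr := range []string{"cpu usage", "malformed"} {
		results := runMixedQuery(sampleSources(), expr)
		fmt.Printf("%q -> failed sources: %v\n", expr, failedSources(results))
	}
}
```

Without the recover, the panic in the influxdb goroutine would unwind the whole program, which is the observable effect the advisory describes; with it, the caller gets a partial result and an error it can log and alert on.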

Mitigation

  • Upgrading to the patched versions of Grafana, i.e. 9.5.3, 9.4.12, 9.3.15, 9.2.19, and 8.5.26, is highly recommended.
  • Try to avoid using mixed queries with Public Dashboards.

CVE-2023-34409: PMM Authentication Bypass Vulnerability

Background

Percona Monitoring and Management (PMM) is a monitoring and management tool for open source databases, including MySQL, PostgreSQL, and MongoDB. It collects metrics from your databases and hosts and displays them in a web-based dashboard. PMM also includes features for troubleshooting, alerting, and performance optimization.

Vulnerability

This vulnerability, tracked as CVE-2023-34409, is an authentication bypass vulnerability that exists in the way PMM handles authentication. All versions of PMM starting with 2.0.0 are assumed to be vulnerable.

In the vulnerable versions of PMM, the authentication function would strip segments of the URL until it found a matching pattern in its ruleset. The function does not properly sanitize URL paths to reject path traversal attempts. This flaw could be exploited by an unauthenticated remote attacker by feeding a malformed URL to PMM, which would bypass authentication and grant access to PMM logs, resulting in the disclosure of sensitive information and potential escalation of privileges.

Mitigation

  • Upgrading to the patched version of PMM, i.e. 2.37.1, is highly recommended, particularly if the PMM instance is accessible directly from the internet.
