Grafana Releases Emergency Patch for Zero-Day Flaw
Security Researcher Tweeted About Flaw Before Patch Was Released
Open-source analytics and interactive visualization solutions provider Grafana Labs has released an emergency security update to patch a high-severity zero-day vulnerability on its dashboard.
The path traversal vulnerability, discovered by independent security researcher Jordy Versmissen, allows attackers to access folders and files beyond the Grafana application server's root folder, the report says.
The flaw, tracked as CVE-2021-43798 with a CVSS v3 score of 7.5, affects Grafana versions 8.0.0-beta1 through 8.3.0, according to the report.
The platform is used by more than 1,500 customers and has more than 800,000 active installations to monitor and aggregate logs and other parameters from their local or remote networks.
Versmissen says he informed the Grafana security team about the bug on Dec. 2. On the same day, he posted his discovery on Twitter - a tweet the company says it was not aware of until Dec. 7. On Dec. 3, Grafana researchers devised a fix and planned to release it to private customers on Dec. 7 and announce it publicly on Dec. 14.
But Versmissen tells Information Security Media Group that before Grafana could release the fix, he was contacted by an individual on Twitter who informed him that someone else had also found the bug and published a POC online.
Versmissen has since deleted the tweet.
"This was never my intention. I was a bit too excited about my find, so published a tweet that I found a vulnerability that reads files on the host in Grafana. Although I only had 200 followers at the time, it got picked up by a lot of researchers. Within no time, I found full blog posts about all the technical details about a bug that just was reported to Grafana," Versmissen says.
"The Grafana team fixed the problem within a day but had to speed up the release process after it became a zero-day," he says. "Lessons learned: Never underestimate the power of social media, and control my excitement."
On Dec. 7, Grafana released patched versions 8.3.1, 8.2.7, 8.1.8, and 8.0.7 and said that its cloud instances had not been affected by the flaw.
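For defenders checking an inventory against the affected range and the patched releases named above, the sketch below (an added example, not code from Grafana or from the article) classifies version strings per release branch. It also shows why a single "8.0.0 to 8.3.0" comparison is misleading: backported fixes such as 8.2.7 fall inside that numeric range. Host names, the sample inventory and the "review" verdict for suffixed builds are assumptions.

```python
import re

# First fixed release on each affected branch, as listed in the article.
FIXED_PATCH = {(8, 0): 7, (8, 1): 8, (8, 2): 7, (8, 3): 1}
_VERSION = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$")


def classify(version):
    """Return 'affected', 'patched', 'outside range', 'review' or 'unparseable'."""
    m = _VERSION.match(version.strip())
    if not m:
        return "unparseable"
    major, minor, patch, pre = int(m[1]), int(m[2]), int(m[3]), m[4]
    if (major, minor) not in FIXED_PATCH:
        return "outside range"  # older than 8.0 or newer than the 8.3 branch
    fixed = FIXED_PATCH[(major, minor)]
    if patch > fixed or (patch == fixed and pre is None):
        return "patched"
    if patch == fixed:
        return "review"  # suffixed build of a fixed version: article is silent
    if (major, minor, patch) == (8, 0, 0) and pre is not None:
        # The affected range starts at 8.0.0-beta1; other tags need a human.
        beta = re.fullmatch(r"beta\.?(\d+)", pre)
        return "affected" if beta and int(beta[1]) >= 1 else "review"
    return "affected"


def naive_in_range(version):
    """The tempting one-range test (8.0.0 <= v <= 8.3.0) that ignores backports."""
    m = _VERSION.match(version.strip())
    return bool(m) and (8, 0, 0) <= (int(m[1]), int(m[2]), int(m[3])) <= (8, 3, 0)


# Constructed inventory: host names and versions are sample data.
INVENTORY = {
    "mon-01": "8.3.0", "mon-02": "8.2.7", "mon-03": "v8.1.7",
    "mon-04": "8.0.0-beta1", "mon-05": "7.5.11", "mon-06": "8.3.1",
}


def triage(inventory):
    """Map each host to its verdict."""
    return {host: classify(v) for host, v in inventory.items()}


if __name__ == "__main__":
    for host, verdict in triage(INVENTORY).items():
        print(f"{host}\t{INVENTORY[host]}\t{verdict}")
```
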
Not the First Time
This wasn't the first time that disclosing the existence of a vulnerability led to other researchers independently finding and weaponizing it, says Jake Williams, formerly a member of the U.S. National Security Agency's elite hacking team.
"This is what happened a few years ago with BadLock, an SMB vulnerability that was orders of magnitude more complex," he says.
Williams, who is CTO of cybersecurity firm BreachQuest, tells ISMG that path traversals are pretty easy to find.
Once people knew what to look for, they did so quickly, says Richard Hartmann, community director at Grafana, in a blog post.
"We had to build an impressive amount of release artifacts in a rather short amount of time - eight releases, four private and four public ones, multiplied by all the platforms and deployment models we support. In total, we ended up releasing dozens and dozens of full artifacts within mere hours. Plus, we had some build failures during release," he says.
"We will have a release engineering sprint within the next few weeks to allow us to seamlessly build private releases and to massively speed up overall release build speed," Hartmann says.
Bug Bounty Programs
Hartmann says Grafana is looking to incentivize vulnerability reporting with a formal bug bounty program.
In addition to informing Grafana of the vulnerability, Versmissen says he submitted the vulnerability to an undisclosed bug bounty program, and the company says it received a report of that on Dec. 6.
"If we had it [the bug bounty program] in place by last Friday, we would not have inadvertently created an incentive for Jordy to submit to other third parties," Hartmann says.
While the bug bounty program would help with the identification and reporting of vulnerabilities, it shouldn’t replace the requirement for ongoing penetration tests, says James Pickard, security testing manager at GRC International Group, which provides IT governance, risk management and compliance solutions.