Open ajakk opened 2 years ago
The failure is not a path traversal, but a session control failure. When the traversal path is explored, the authentication system redirects to an internal system page that should only be accessed by authenticated users. This flaw was reported to security@grafana.com in April 2022.
Are you saying the 404 page should only be accessible to authenticated users? Access to a 404 page does not sound like a security bug.
I apologize if I'm not being clear in explaining. Don't just stick to the 404 message; if you look at the images you can see that the area of the system where the 404 is displayed is an area that should be accessible only to authenticated users on the system. Even without a valid session, an unauthenticated user can navigate the system menus; that's what the images are showing.
Can you crop your screenshots and share exactly what's being exposed that shouldn't be? I don't see what you're referring to in those images.
This still works on the latest version 8.5.5.
In the right corner are the system menus that are only listed for users after validating the data in the login form.
In the image below it is showing that the menus are accessible, and this should only be possible for authenticated users. As I informed, it is not a path traversal but a problem of unauthorized access to parts of the system.
The thing is that even if you have access to the dashboard, you can't access the data because you are still not authorised. From my point of view, this is not a LFI or an authentication bypass.
That's exactly my point of view too. These menus being available to you is maybe a bug, but not a security issue. I think this is reflected by the fact that the reporter hasn't heard anything back from Grafana's security contacts. I'm going to dispute this with MITRE.
I agree with you that it is not an LFI or path traversal, but as you said it is a flaw, because even without a valid session these features should not be accessible to unauthenticated users; this type of situation is recognized as a vulnerability by OWASP.
As for the response from the grafana team, I have the history of all the team's responses. The fact that there is a flaw, I'm not saying it's serious, I'm just showing that it exists.
Interested to know if it's real and really affects 8.5.5.
Edit: CVE-2022-32276 works on 8.5.5 (I don't have a setup ready to test CVE-2022-32275).
@ajakk This exposes stuff that shouldn't be exposed (like the software version). It's not that bad, sure, but it's still a security issue: this is an authentication bypass.
I mean, the menu is just printed by some piece of javascript code, no? That's only managed client side, true?
The version is already on the login page. If I set hide_version=true in the config, I see it on neither the login page nor the error page you're calling an "authentication bypass". Again, it doesn't seem like there's any information on that page that would indicate an authentication bypass.
Please don't take it personally; what I'm trying to do is just demonstrate a system failure. Whether you treat this flaw as a bug or a vulnerability doesn't matter; the fact is that something is not working as expected. As you pointed out earlier, this could be a BUG, and in my understanding bugs need to be fixed. Only that.
I only discovered this because someone (presumably you, the author of this repository) requested CVEs. CVEs aren't to be used for bugs. They are to be used to track vulnerabilities. I've attempted to reproduce the issue you've described and so far haven't come up with anything that looks like a vulnerability. Please do not request CVEs when you think "something is not working as expected", that's not what they're for.
I understand your point of view, but on the other hand as you can see in the history others may understand it as vulnerability, even OWASP itself defines this type of "failure" as vulnerability. I will follow your comments for the next CVE applications, but I maintain that this is a vulnerability even if low, still a vulnerability.
For anyone following along, Grafana has made a blogpost about this:
No, it's not a vulnerability. The fact that the menu is displaying is not a vulnerability - in fact, it's generated client side with some pieces of javascript. So even if it does not render - you can still reconstruct it from the javascript code. The same happens with the Grafana version - it's stored client side when Grafana is configuring to disclose its version number.
It's a UI deceptive bug, at most - but clearly not a security bug, not even a low one.
I've been trying to demonstrate that the vulnerability exists, but I believe you're just focusing on the thought, "no data has been accessed", and at no time have I described it. The vulnerability lies in the following points:
If the user tries to install plugins that add new features, even if the session does not return anything, the attacker will be able to see these features as they will be displayed in the side menus. Another point is that with the use of a web proxy (Burp Suite, OWASP ZAP) an attacker can access these menus and perform a reconnaissance of the endpoints; even if it does not return data because it is not a valid session, the attacker will have a view of how the calls are performed and which endpoints are used.
This flaw could be categorized as A04:2021 Insecure Design.
Understand I'm trying to contribute to the security of the system.
Even if we try to see it like this, as I said, everything is generated client-side. There's no specific additional reconnaissance that is done through your way; in fact, you can just browse the javascript to get endpoints, and this is clearly intended as Grafana is developed as a single page application.
If you install any plugin, and that plugin injects its data in the frontend, it is also intended that it can be retrieved in the javascript files too.
This is NOT an insecure design - in fact, being able to list endpoints is not a problem, nor an insecure design. This is intended.
I really understand the impact that a CVE can have on the business and the credibility of the system, but I can see that we have different views of security. In my understanding an unauthenticated user being able to "list endpoints" is a security flaw. But as I said, I understand your position, so I leave the evaluation of this CVE to MITRE.
And I inform you that I will not contribute with further research on your system.
Note that I'm not part of nor affiliated with Grafana.
We definitely have different views on security, yes. Being able to list endpoints but not being able to access them is nowhere near a vulnerability, or you'll find a lot of vulnerabilities in every single-page app that uses javascript to route / make API calls.
Note that MITRE might accept your CVE; they do not evaluate vulnerabilities as far as I know (but I might be wrong). Grafana will need to dispute it to make it clear that there is no vulnerability according to them. That's how it works, generally.
End of discussion for me!
Wish you the best, Blaklis
Just for information, the failure pointed out generated task 53051 (https://github.com/grafana/grafana/pull/53051), which was completed by the Grafana team and ended on 08/01/2022.
Have these issues been reported upstream? Have you tested them against the latest grafana (8.5.4/7.5.16) or straight from Git?