CVE-2022-32275 and CVE-2022-32276 Detection of Exploitation Attempts: New Vulnerabilities Affecting Grafana

Steel yourself for new vulnerabilities revealed in the open-source observability platform leveraged by millions of users from across the globe, which in 2021 was in the spotlight in the cyber threat arena due to a notorious CVE-2021-43798 zero-day flaw actively exploited in the wild. Grafana, the open-source analytics and monitoring platform leveraged by global organizations for metrics collection and real-time data visualization is potentially exposed to a new wave of attacks due to recently discovered vulnerabilities tracked as CVE-2022-32275 and CVE-2022-32276. These vulnerabilities are known to affect mainly the Grafana 8.4.3 version.  

Detect CVE-2022-32275 and CVE-2022-32276 Exploitation Attempts

With a growing trend for the use of open-source web-based solutions, organizations are exposed to increased security risks in terms of potential cyber-attacks that are constantly expanding in their scope and impact. To help organizations reinforce their cyber defense capabilities and timely detect the exploitation attempts of CVE-2022-32275 and CVE-2022-32276 vulnerabilities affecting Grafana, SOC Prime Team has recently released a dedicated Sigma rule:

Possible CVE-2022-32275/CVE-2022-32276 Exploitation Attempt (via webserver)

This detection rule is compatible with 15 security and analytics platforms and aligned with the MITRE ATT&CK® framework addressing the Initial Access tactic represented by the Exploit Public-Facing Application technique (T1190). Moreover, cybersecurity practitioners can also instantly hunt for these latest Grafana-related threats using Quick Hunt powered by SOC Prime’s platform. 

To reach the entire list of Sigma rules to detect cyber threats related to the Grafana environment, click the Detect & Hunt button below. Threat Hunters, Detection Engineers, and other InfoSec practitioners can also instantly boost threat investigation by making the most of SOC Prime’s cyber threats search engine enabling them to explore comprehensive threat context enriched with MITRE ATT&CK reference, CTI, and most relevant metadata.

Detect & Hunt Explore Threat Context

CVE-2022-32276/CVE-2022-32275 Description

The vulnerability identified as CVE-2022-32276 impacting Grafana 8.4.3 version enables its exploitation by sending a false request for a snapshot query with a random ID value, thus providing unauthenticated access to the system. 

Another disclosed Grafana flaw tracked as CVE-2022-32275 enables unauthenticated access to the system due to a session control issue by redirecting an unauthenticated user to the internal system page. Successful exploitation of the above-mentioned vulnerabilities enables attackers to view hidden files that normally can be accessed only by authenticated users.

Notably, both vulnerabilities have been assessed by Grafana Labs as non-security UI-related issues, which, according to researchers, needs improvements only from the user experience perspective. Still, to protect the system against potential cyber-attacks weaponizing these Grafana vulnerabilities, Grafana users are recommended to update their application to the latest version.

Join SOC Prime’s Detection as Code platform to boost the effectiveness of your security operations while saving time and costs on routine tasks. Hunt for the latest threats within one click, obtain instant access to the largest Sigma rules library, automate your content management operations, and keep track of your threat detection efforts in a single place! Eager to create your own Sigma rules and enhance collaborative cyber defense efforts? Join our Threat Bounty Program!