Detecting Grafana Zero-Day Vulnerability (CVE-2021-43798)

December 08, 2021 · 3 min read

Brace yourself for the new zero-day vulnerability exploited in the wild. A recently-disclosed flaw affects Grafana, multi-platform open source analytics and interactive visualization app used by organizations globally to track and understand the metrics of their data. After the vulnerability details were occasionally leaked online, the multitude of proof-of-concept exploits spread over Twitter and GitHub, forcing Grafana to release an emergency patch on December 7, 2021. 

CVE-2021-43798 Description

The vulnerability, rated high-severity, is a path traversal issue impacting the Grafana dashboard. If successfully exploited, the flaw enables an attacker to navigate outside the Grafana application folder and read files located in restricted locations. For instance, adversaries can escape the app folder by abusing Grafana plugin URLs to reach the sensitive data stored on the underlying server, including passwords and configuration settings. 

All Grafana self-hosted servers running v8.0.0-beta1 through v8.3.0 were found vulnerable. The cloud-hosted Grafana dashboards are claimed to be safe due to the additional security protections. 

The vulnerability was privately reported to Grafana Labs on December 3, 2021, and the vendor came up with the patch promptly. The internal release was planned for December 7, 2021, with the public one scheduled for December 14, 2021. Yet, the details of Grafana zero-day leaked online, triggering the avalanche of PoC exploits. In a view of the increased risk of attacks, the vendor urgently released Grafana 8.3.1, 8.2.7, 8.1.8, and 8.0.7 versions patched against CVE-2021-43798. 

Currently, security researchers report about 3,000 to 5,000 Grafana servers being exposed to attacks. The majority of them are used to monitor large corporate networks.

CVE-2021-43798 Detection and Mitigation

Grafana Labs has issued an advisory providing the details of the zero-day vulnerability and recommendations on how to mitigate possible risks if users cannot upgrade ASAP. 

To help organizations better protect their infrastructure, the SOC Prime Team has recently developed the dedicated Sigma-based rule allowing security professionals to discover Grafana LFI exploitation attempts. Security teams can download the rule from SOC Prime’s Detection as Code platform:

Unauth Grafana Arbitrary File Reading Vulnerability [CVE-2021-43798] (via web)

This detection has translations for the following SIEM, EDR & XDR platforms: Azure Sentinel, Splunk, Chronicle Security, ELK Stack, Sumo Logic, ArcSight, QRadar, Humio, FireEye, LogPoint, Graylog, Regex Grep, RSA NetWitness, Apache Kafka ksqlDB, Securonix, and Open Distro.

The rule is aligned with the latest MITRE ATT&CK® framework v.10 addressing the Initial Access tactic with Exploit Public-Facing Application as the main technique (T1190).

Join SOC Prime’s Detection as Code platform for free to search for the latest threats in your SIEM or XDR environment, improve your threat coverage by reaching the most relevant content aligned with the MITRE ATT&CK matrix, and overall, boost the organization’s cyber defense capabilities. Are you a content author? Tap into the power of the world’s largest cyber defense community by joining the SOC Prime Threat Bounty program, where researchers can monetize their own detection content.

Go to Platform Join Threat Bounty

Was this article helpful?

Like and share it with your peers.
Join SOC Prime's Detection as Code platform to improve visibility into threats most relevant to your business. To help you get started and drive immediate value, book a meeting now with SOC Prime experts.

Related Posts