Report DIVD-2022-00002 - Grafana
Written on 22 Feb 2023 by Gerard Janssen
Case lead: Tom Wolters
Researchers: Diego Klinkhamer, Tom Wolters
Case file: DIVD-2022-00002
On December 2, Dutch security researcher Jordy Versmissen sent a report to Grafana Labs, the company behind the popular open source analytics tool Grafana. Versmissen had found a zero-day vulnerability in Grafana Enterprise versions v8.0.0-beta1 to v8.3.0: a directory traversal vulnerability that an attacker could use to gain unauthorized access to local files on the server.
The vulnerability leaked on December 7, and proofs of concept (PoC) exploiting the bug became available on Twitter and GitHub.
Grafana produced emergency releases, followed by new releases after v8.3.0.
On January 9, the DIVD found 10,500 vulnerable hosts on Shodan. A scan on January 10 returned a list of 8,486 confirmed vulnerable systems. The owners of these systems have been notified.
A scan on February 6 found that 6,571 systems were still vulnerable. The DIVD has sent a second series of notifications.
On March 1, there were still 2,180 vulnerable systems. This case was closed on November 7.
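Grafana is written in Go, so the bug class this case concerns is illustrated below in Go: a request-supplied path segment appended to a directory with no containment check, next to the check that stops it. This is an added example and not Grafana's code or the fix it shipped; the root directory, the function names and the sample requests are constructed for the illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"path/filepath"
	"strings"
)

// ErrTraversal is returned when a requested path would resolve outside the asset root.
var ErrTraversal = errors.New("requested path escapes the asset root")

// vulnerableAssetPath reproduces the bug class only: a path segment taken from the
// request is appended to a directory with no normalisation or containment check,
// so "../" sequences walk out of the directory. Illustrative, not Grafana's code.
func vulnerableAssetPath(root, requested string) string {
	return root + "/" + requested
}

// safeAssetPath decodes the segment, resolves it under root, and rejects any result
// that does not stay inside root. Returning an error instead of a silently rewritten
// path also gives the caller something to log and alert on.
func safeAssetPath(root, requested string) (string, error) {
	decoded, err := url.PathUnescape(requested) // catches %2e%2e%2f-style encodings
	if err != nil {
		return "", ErrTraversal
	}
	cleanRoot := filepath.Clean(root)
	joined := filepath.Join(cleanRoot, decoded) // Join cleans, so ".." is collapsed here
	rel, err := filepath.Rel(cleanRoot, joined)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrTraversal
	}
	return joined, nil
}

func main() {
	root := "/var/lib/grafana/public" // constructed example root, not a real deployment
	for _, req := range []string{"plugins/x/img/logo.svg", "plugins/x/../../../../etc/passwd", "%2e%2e/%2e%2e/etc/passwd"} {
		fmt.Printf("unsafe: %s\n", vulnerableAssetPath(root, req))
		if p, err := safeAssetPath(root, req); err != nil {
			fmt.Printf("safe:   rejected %q: %v\n", req, err)
		} else {
			fmt.Printf("safe:   %s\n", p)
		}
	}
}
```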
Timeline
| Date | Description |
|---|---|
| 03 Dec 2021 | Vulnerability reported to Grafana. |
| 07 Dec 2021 | Emergency patches released and full public release. |
| 10 Jan 2022 | DIVD created a list of vulnerable Grafana instances. |
| 18 Jan 2022 | First version of this case file. |
| 18 Jan 2022 | DIVD sent out a first batch of notifications. |
| 06 Feb 2022 | DIVD sent out a second batch of notifications. |
Links
https://csirt.divd.nl/cases/DIVD-2022-00002/
https://labs.detectify.com/2021/12/15/zero-day-path-traversal-grafana/
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43798