[TheRecord] Grafana releases security patch after exploit for severe bug goes public

Grafana Labs has released an emergency security update today to patch a critical vulnerability after security researchers released proof-of-concept code to exploit the issue over the weekend.

The vulnerability, tracked as CVE-2021-43798, impacts the company’s main product, the Grafana dashboard, used by companies across the globe to monitor and aggregate logs and other parameters from across their local or remote networks.

Described as a path traversal attack, the vulnerability can allow an attacker to read files outside the Grafana application’s folder.

For example, an attacker can abuse Grafana plugin URLs to escape the Grafana app folder and gain access to files stored on the underlying server, such as files storing passwords and configuration settings—details that the attacker could weaponize in subsequent attacks.
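As an added illustration, not code from the article or from Grafana, the example below shows the defender's side of a bug of this shape: the path-containment check a static-file handler needs (decode, join, normalize, then compare against the allowed root), and a scan over access-log lines that flags plugin-asset requests whose decoded path escapes the plugin directory. The `/public/plugins` prefix, the log format and the log lines are constructed assumptions, not Grafana's actual routing or real traffic.

```python
import posixpath
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote

# Assumed URL prefix for plugin static assets: the article says "plugin URLs"
# but names no route, so this is a stand-in, not Grafana's real routing table.
PLUGIN_PREFIX = "/public/plugins"

# Constructed access-log lines for the demo (not from the article or any real
# server); the targets in the traversal lines are invented placeholders.
SAMPLE_LOG = """\
10.0.0.5 "GET /public/plugins/clock-panel/module.js" 200
10.0.0.9 "GET /public/plugins/clock-panel/..%2F..%2F..%2Fconf%2Fsecrets.ini" 200
10.0.0.9 "GET /public/plugins/alertlist/../../../../../../conf/secrets.ini" 400
10.0.0.7 "GET /public/plugins/alertlist/img/icon.svg" 304
"""

LOG_RE = re.compile(r'^(\S+) "GET (\S+)" (\d{3})')

def resolve_under(base: str, requested: str) -> Optional[str]:
    """Return the normalized path if `requested` stays inside `base`, else None.

    Decode, join, normalize, then compare against the allowed root. Rejecting
    a literal ".." is not enough: an encoded separator (%2F) slips past it.
    """
    decoded = unquote(unquote(requested))  # tolerate single or double encoding
    full = posixpath.normpath(posixpath.join(base, decoded.lstrip("/")))
    root = posixpath.normpath(base)
    return full if full == root or full.startswith(root + "/") else None

def find_traversal(log_text: str, prefix: str = PLUGIN_PREFIX) -> List[Tuple[str, str, str]]:
    """Flag plugin-asset requests whose decoded path escapes the plugin root.

    Returns (client, raw_path, status): a 2xx on a flagged line means the
    server served the file (unpatched); a 4xx means the request was refused.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not m.group(2).startswith(prefix + "/"):
            continue
        client, path, status = m.groups()
        if resolve_under(prefix, path[len(prefix) + 1:]) is None:
            hits.append((client, path, status))
    return hits

if __name__ == "__main__":
    for client, path, status in find_traversal(SAMPLE_LOG):
        print(f"{client} traversal attempt -> {path} (HTTP {status})")
```

Applied to real logs, the status column separates attempts that were refused from ones the server actually answered, which is what decides whether a server exposed before patching needs an incident response rather than just the update.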

All Grafana self-hosted servers running 8.x versions of the software are considered vulnerable.

The issue was patched today with the release of Grafana 8.3.1, 8.2.7, 8.1.8, and 8.0.7. In its patch notes, Grafana Labs said that its cloud-hosted Grafana dashboards, which benefit from additional security protections, were not impacted by this vulnerability.

Earlier today, The Record learned of proof-of-concept exploit code being shared on Twitter and GitHub. We reached out to the company, which released a security update a few hours later.

Grafana did say in its statement that it had been aware of the issue since last week, when it initially received a bug report, but was eventually forced into releasing an emergency patch earlier today after proof-of-concept code to exploit the bug was published online.

Several security researchers also claimed online today that the issue was being actively exploited in real-world attacks, but it was unclear if the exploitation was being done by bug bounty hunters or by malicious entities.

The Record could not confirm the nature of these exploitation attempts with independent third parties. There are currently between 3,000 and 5,000 Grafana servers exposed online, almost all of them used to monitor large corporate networks.

The post Grafana releases security patch after exploit for severe bug goes public appeared first on The Record by Recorded Future.
