CVE-2021-43798 - Directory Transversal on Grafana
Description
[02/02/2022 - 10:01] Ticket raised by Red Team notifying k8saas about a critical vulnerability on Grafana.
[02/02/2022 - 10:41] Lacking of information about the vulnerability, we've decided to stop the dashboarding service of our Observability Stack.
[02/02/2022 - 12:19] All dashboarding services are stopped for all k8saas perimeters.
[02/02/2022 - 12:54] A patch is submitted to Trustnest Red Team.
[02/02/2022 - 13:02] Trustnest Red Team has confirmed the fix.
[02/02/2022 - 13:43] Releasing hot fix, and decision to apply it on the k8saas production to re-establish the dashboarding service.
Analysis
What is a directory transversal ?
Impact
Grafana is the software used to provide the dashboarding service. The version used before the incident was: 8.1.5 from 21 September 2021 The vulnerability can be exploited by an attacker to get access to any files on the container.
On this container:
- there is only 2 days of metrics
- only the metrics of your cluster are stored on this container. There is no data from other clusters
- Grafana has the credentials of a per k8saas cluster azure app registration to use the SSO.
Note: a kubernetes policy is deployed on any k8saas to avoid any right escalation to aks nodes.
At this stage, all the data stored on this container is not sensitive or confidential.
Next investigations
- Check on the logs to look at potential data leakage
- Upgrade in progress on production