We at Nordic Defender, a leading cybersecurity firm based in Sweden, are pleased to share a real-world case study from our crowd-sourced penetration testing service. This case involves a previously unknown vulnerability (0-day) discovered in Grafana, a popular open-source analytics and visualization platform. Let’s explore how one of our talented pentesting champions identified the issue and how it was subsequently addressed by the Grafana community.
The Problem: Viewers with Unintended Access
Grafana utilizes a role-based permission system. Ideally, viewers, as the name suggests, should only be able to view dashboards, not edit them or access the queries that generate the data displayed. However, a Nordic Defender security researcher identified a vulnerability where viewers could access their past queries through the query history API endpoint.
Why This Matters?
While this vulnerability might not grant complete access to edit or create new queries, it can still expose sensitive information. Imagine a scenario where a user with editor permissions (allowing them to create and edit queries) is downgraded to a viewer role. In this case, the viewer could potentially access their past queries containing sensitive data through the query history API.
How did Nordic Defender Came Across the Vulnerability?
During a recent penetration test for a client, one of Nordic Defender’s pentest champions encountered an unexpected situation. They discovered that users with a “viewer” role could access past search queries through Grafana’s query history API. Recognizing this as a potential issue, the champion delved deeper to investigate. Their analysis revealed that the fault didn’t lie within the client’s infrastructure. Committed to resolving the matter, they initiated a conversation on the Grafana community forum to shed light on the situation.
Fortunately, the contributors from Grafana took the matter seriously and this discussion led to creating an issue on the Grafana GitHub repository.
The Grafana team acknowledged the issue and classified it as a security bug. A pull request was submitted to address the vulnerability. This pull request implemented a permissions check to ensure only users with proper access can retrieve query history data. The pull request was reviewed and merged, effectively patching the vulnerability.
Key Takeaways
This incident highlights several important takeaways.
- The Importance of Active Security Communities: As demonstrated here, collaboration between security experts and developers is crucial for promptly identifying and addressing vulnerabilities.
- The Power of Crowd-Sourced Testing: Our case study showcases the effectiveness of leveraging a global crowd of security experts to identify even previously unknown vulnerabilities.
- Continuous Testing is Paramount: Even established companies with active security initiatives can have hidden vulnerabilities. Regular penetration testing is essential to maintain a strong security posture.
Conclusion: Stay Secure!
As always, staying updated on security vulnerabilities and applying patches promptly is crucial. Keep an eye out for future blog posts where we delve deeper into security practices and exciting discoveries!