Bug 1843640 (CVE-2020-13379) - CVE-2020-13379 grafana: SSRF incorrect access control vulnerability allows unauthenticated users to make grafana send HTTP requests to any URL
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-13379
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1843777 1843964 1847260 1847261 1847262 1847263 1847459 1843642 1843778 1847310 1847519 1847520 1847521 1847543 1847552
Blocks: 1843641
Reported: 2020-06-03 17:20 UTC by Guilherme de Almeida Suckevicz
Modified: 2020-07-07 19:33 UTC (History)
CC List: 27 users

Fixed In Version: grafana 7.0.2, grafana 6.7.4
Doc Type: If docs needed, set a value
Doc Text:
An SSRF incorrect access control vulnerability was found in Grafana regarding the avatar feature, allowing any unauthenticated user or client to make Grafana send HTTP requests to any URL and then return its result to the user or client. Additionally, the same issue can create a NULL pointer dereference vulnerability. This flaw allows an attacker to gain information about the network that Grafana is running on, or cause a segmentation fault, resulting in a denial of service.
Clone Of:
Environment:
Last Closed: 2020-06-22 11:20:25 UTC




Links
System                  ID              Priority  Status  Summary  Last Updated
Red Hat Product Errata  RHSA-2020:2641  None      None    None     2020-06-22 07:20:29 UTC
Red Hat Product Errata  RHSA-2020:2676  None      None    None     2020-06-23 13:11:10 UTC
Red Hat Product Errata  RHSA-2020:2792  None      None    None     2020-07-06 20:11:35 UTC
Red Hat Product Errata  RHSA-2020:2796  None      None    None     2020-07-01 18:46:04 UTC
Red Hat Product Errata  RHSA-2020:2861  None      None    None     2020-07-07 19:33:38 UTC

Description Guilherme de Almeida Suckevicz 2020-06-03 17:20:27 UTC
An SSRF incorrect access control vulnerability was found in Grafana regarding the avatar feature, allowing any unauthenticated user/client to make Grafana send HTTP requests to any URL and return its result to the user/client. This can be used to gain information about the network that Grafana is running on.

Reference:
https://grafana.com/blog/2020/06/03/grafana-6.7.4-and-7.0.2-released-with-important-security-fix/

Comment 1 Guilherme de Almeida Suckevicz 2020-06-03 17:23:45 UTC
Created grafana tracking bugs for this issue:

Affects: fedora-all [bug 1843642]

Comment 3 Mark Cooper 2020-06-04 06:06:20 UTC
OpenShift packages a vulnerable version of grafana:
  - OpenShift 3.11 grafana v5.2.3
  - OpenShift 4.x  grafana v6.4.3

ServiceMesh also packages a vulnerable version:
  - ServiceMesh 1.0.x grafana v6.4.3
  - ServiceMesh 1.1.x grafana v6.2.2

Comment 11 Mark Cooper 2020-06-15 01:41:32 UTC
Additionally, this vulnerability can result in a remote DoS of the service as confirmed by upstream grafana: https://www.openwall.com/lists/oss-security/2020/06/09/2/

It's the same vulnerability, i.e. not validating the /avatar/*md5* without authentication, just a different result.

Raising the impact to Important (updated CVSS), as this is now essentially a remote DoS with no authentication required.

Have increased OpenShift and Service to Moderate, as although they are still protected via the OAuth wall, any pod on the cluster network can send to this URL and perform the SSRF or now DoS.
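
The point made in Comment 11 is that the vulnerable path is /avatar/*md5* and the hash is not validated before Grafana acts on it. Below is an added example, not code from the bug report, Red Hat or the Grafana project: a Python script that scans reverse-proxy access-log lines (Combined Log Format) for requests under /avatar/ whose hash segment is not a plain 32-character lowercase hex digest, which is what a Gravatar-style MD5 looks like. The log format, the sample log lines and the 32-hex assumption are mine; Grafana's own server log would need an equivalent check.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Combined Log Format as written by a reverse proxy (nginx/Apache) sitting in
# front of Grafana. Only the fields the check needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) \S+'
)

# Assumption for this check: a legitimate Grafana avatar request carries a
# Gravatar-style MD5 hex digest, i.e. exactly 32 lowercase hex characters.
AVATAR_HASH_RE = re.compile(r'^[0-9a-f]{32}$')


@dataclass
class Finding:
    ip: str
    ts: str
    target: str
    status: int
    reason: str


def check_avatar_target(target: str) -> Optional[str]:
    """Return why a request target under /avatar/ looks abusive, or None."""
    if not target.startswith('/avatar/'):
        return None
    # The query string, if any, is ignored by this check; only the hash
    # segment is judged.
    hash_part, _, _query = target[len('/avatar/'):].partition('?')
    if '/' in hash_part:
        return 'extra path segment after the avatar hash'
    if not AVATAR_HASH_RE.match(hash_part):
        return 'avatar hash is not a 32-character hex digest'
    return None


def scan(lines: List[str]) -> List[Finding]:
    """Run the avatar check over access-log lines; unparseable lines are skipped."""
    findings: List[Finding] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        reason = check_avatar_target(m['target'])
        if reason is not None:
            findings.append(Finding(m['ip'], m['ts'], m['target'],
                                    int(m['status']), reason))
    return findings


def by_source(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per client IP so the noisiest source floats to the top."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.ip] = counts.get(f.ip, 0) + 1
    return dict(sorted(counts.items(), key=lambda kv: -kv[1]))


# Constructed sample lines (not real traffic): two legitimate avatar fetches
# (MD5 of "" and of "test"), one unrelated API call, and three requests from
# one client that should be flagged.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Jun/2020:12:00:01 +0000] "GET /avatar/d41d8cd98f00b204e9800998ecf8427e HTTP/1.1" 200 1234',
    '10.0.0.5 - - [10/Jun/2020:12:00:02 +0000] "GET /api/dashboards/home HTTP/1.1" 200 4096',
    '10.0.0.9 - - [10/Jun/2020:12:00:03 +0000] "GET /avatar/test HTTP/1.1" 200 77',
    '10.0.0.9 - - [10/Jun/2020:12:00:04 +0000] "GET /avatar/0123456789abcdef HTTP/1.1" 200 77',
    '10.0.0.9 - - [10/Jun/2020:12:00:05 +0000] "GET /avatar/d41d8cd98f00b204e9800998ecf8427e/extra HTTP/1.1" 500 0',
    '10.0.0.7 - - [10/Jun/2020:12:00:06 +0000] "GET /avatar/098f6bcd4621d373cade4e832627b4f6 HTTP/1.1" 200 1200',
]

if __name__ == '__main__':
    results = scan(SAMPLE_LOG)
    for f in results:
        print(f'{f.ts} {f.ip} {f.status} {f.target}: {f.reason}')
    print(by_source(results))
```

Run it against the proxy's access log; it only sees traffic that went through the proxy, so the in-cluster case from Comment 21 (pods reaching the Grafana pod directly) is not covered by this log source. A 5xx on a flagged request is worth correlating with the DoS variant noted above.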

Comment 21 RaTasha Tillery-Smith 2020-06-18 17:43:29 UTC
Statement:

In both OpenShift Container Platform (OCP) and OpenShift ServiceMesh (OSSM), the Grafana containers are behind OpenShift OAuth restricting access to the vulnerable path to authenticated users only. However, other pods may still access the vulnerable URL within the cluster. Therefore the impact is moderate for both (OCP and OSSM).

Comment 22 RaTasha Tillery-Smith 2020-06-18 17:44:24 UTC
Mitigation:

This issue can be mitigated by blocking access to the URL path /avatar/*, through a method such as a reverse proxy, load balancer, application firewall etc.
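
One concrete form of the mitigation in Comment 22, as an added example that is not from the bug report, Red Hat or the Grafana project: an nginx reverse proxy in front of Grafana that returns 403 for anything under /avatar/ before the catch-all proxy location. The upstream name, port and hostname are assumptions.

```nginx
# Added example (not Grafana's or Red Hat's configuration).
# Assumed: Grafana listens on 127.0.0.1:3000 behind this nginx instance.
upstream grafana {
    server 127.0.0.1:3000;
}

server {
    listen 443 ssl;
    server_name grafana.example.internal;   # assumed hostname
    # ssl_certificate / ssl_certificate_key omitted

    # Deny the vulnerable endpoint. "^~" is a prefix match that takes
    # precedence over regex locations, so a later "location ~ ..." block
    # cannot forward these requests to Grafana by accident. nginx
    # normalises the URI (percent-decoding, dot-segment removal) before
    # matching, so encoded variants of the prefix are caught too.
    location ^~ /avatar/ {
        return 403;
    }

    location / {
        proxy_pass http://grafana;
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

This only protects requests that traverse the proxy. As Comment 21 notes for OpenShift, other pods on the cluster network can reach the Grafana service directly, so a network policy restricting ingress to the Grafana pod, or the fixed versions (6.7.4 / 7.0.2), is still needed there.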

Comment 23 errata-xmlrpc 2020-06-22 07:20:27 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:2641 https://access.redhat.com/errata/RHSA-2020:2641

Comment 24 Product Security DevOps Team 2020-06-22 11:20:25 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-13379

Comment 25 errata-xmlrpc 2020-06-23 13:11:07 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Extended Update Support

Via RHSA-2020:2676 https://access.redhat.com/errata/RHSA-2020:2676

Comment 27 errata-xmlrpc 2020-07-01 18:46:01 UTC
This issue has been addressed in the following products:

  OpenShift Service Mesh 1.1

Via RHSA-2020:2796 https://access.redhat.com/errata/RHSA-2020:2796

Comment 28 errata-xmlrpc 2020-07-06 20:11:32 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.4

Via RHSA-2020:2792 https://access.redhat.com/errata/RHSA-2020:2792

Comment 29 errata-xmlrpc 2020-07-07 19:33:36 UTC
This issue has been addressed in the following products:

  OpenShift Service Mesh 1.0

Via RHSA-2020:2861 https://access.redhat.com/errata/RHSA-2020:2861

