[CVE-2020-13379] Unauthenticated DoS on Grafana 3.0.1 - 7.0.1

Researchers:

Mayank Malik ([email protected])

Kartik Sharma ([email protected])

Severity: Medium

Version: 3.0.1 to 7.0.1

Vulnerable Endpoint: http://<grafanaHost>/avatar/*

Overview

Grafana is the open-source analytics & monitoring solution for every database. According to Grafana’s patch notes dated June 3rd, 2020, there was an “Incorrect Access Control” vulnerability in Grafana 3.0.1 through Grafana 7.0.1 on the /avatar feature through which an attacker/adversary was able to perform Server Side Request Forgery (SSRF) attack.

We came to know about this vulnerability and created a lab for reproducing the same impact.

Environment for testing:

Docker Image grafana/grafana:5.3.2

Testing

1. During our testing, a certain kind of payload that looked similar to an SSTI payload when appended to the endpoint resulted in a SegFault in Grafana’s backend, crashing the primary application permanently.

2. Working PoC

3. The payload used in above PoC is URL encoded string {{printf "%s" "this.Url"}}, appended to /avatar/.

4. The complete malicious URL looks like

http://grafanaserver/avatar/%7B%7Bprintf%20%22%25s%22%20%22this.Url%22%7D%7D

5. A GET HTTP request to the above URL will crash the backend application with the SEGFAULT, shutting down the Grafana application completely. The attacker doesn’t require any authentication to perform the attack.

Request:

Response:

Backend:

Conclusion

Impact:

This vulnerability results in complete crashing of the grafana-server application resulting a Denial of Service (DoS) attack scenario.