About the vulnerability
Grafana is an open-source platform for observability and monitoring. Versions from 9.2.0 up to, but not including, 9.2.4 contain a race condition in the authentication middleware logic that allows an unauthenticated user to query an administration endpoint while the server is under heavy load. The issue is patched in 9.2.4. Updating to the patched version is the only remediation, as there are no known workarounds.
According to the Grafana Security release,
“An internal security audit identified a race condition in the Grafana codebase, which allowed an unauthenticated user to query an arbitrary endpoint in Grafana. A race condition in the HTTP context creation could result in an HTTP request being assigned another call’s authentication/authorization middleware. Under heavy load, it is possible that a call protected by a privileged middleware receives the middleware of a public query instead. As a result, an unauthenticated user can successfully query protected endpoints. CVSS score for this vulnerability is 9.8 Critical.”
Later, the severity of this vulnerability was reduced to High, with a CVSS score of 8.1.
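The advisory's description of a request receiving another call's authentication middleware is a shared-state race. The following Go program is an added illustration, not Grafana's code: it models a per-request context (`reqCtx`, `sharedCtx`, `handle` and `leakedCount` are hypothetical names) that is either allocated per request or re-read from one slot shared across concurrent requests, and counts how many unauthenticated calls to a protected path get served in each mode. Running the shared-slot mode under `go test -race` flags the unsynchronized write, which is the check a reviewer would want on code of this shape.

```go
package main

import (
	"fmt"
	"runtime"
	"sync"
	"sync/atomic"
)

// reqCtx is a hypothetical model of the per-request context: was the caller
// authenticated, and does the routed endpoint require authentication?
type reqCtx struct{ authenticated, requireAuth bool }
// sharedCtx models the defect class: one context slot reused by concurrent
// requests instead of a context allocated per request.
var sharedCtx *reqCtx
func isProtected(path string) bool { return path == "/api/admin/users" }
// handle serves one request and reports a protected endpoint served without
// credentials. With useShared the context is re-read from the shared slot
// after a yield, so under load it may be another (public) call's context.
func handle(path string, authenticated, useShared bool) (leaked bool) {
	ctx := &reqCtx{authenticated: authenticated, requireAuth: isProtected(path)}
	if useShared {
		sharedCtx = ctx
		runtime.Gosched() // another goroutine may overwrite sharedCtx here
		ctx = sharedCtx
	}
	if ctx.requireAuth && !ctx.authenticated {
		return false // rejected, as the middleware should
	}
	return isProtected(path) && !authenticated // served, but should not be
}
// leakedCount fires n unauthenticated requests, alternating between a
// protected and a public path, and counts protected calls that got through.
func leakedCount(n int, useShared bool) int {
	paths := []string{"/api/admin/users", "/api/health"}
	var leaks int64
	var wg sync.WaitGroup
	for i := 0; i < n; i++ {
		wg.Add(1)
		go func(p string) {
			defer wg.Done()
			if handle(p, false, useShared) {
				atomic.AddInt64(&leaks, 1)
			}
		}(paths[i%2])
	}
	wg.Wait()
	return int(leaks)
}
func main() { fmt.Println(leakedCount(10000, true), leakedCount(10000, false)) }
```

The per-request mode always reports zero leaks; the shared-slot count is nondeterministic and depends on scheduling, which is exactly why the bug only surfaced under heavy load.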
Impact
Unauthenticated users can query endpoints that should require authentication, including for malicious purposes.
Grafana Labs released a security advisory stating that this vulnerability allows attackers to bypass the authorization process on arbitrary service endpoints.
Remediation
Version 9.2.4 of Grafana was published as a fix.
How SentinelOne can help
SentinelOne supercharges your cloud security by identifying critical vulnerabilities and misconfigurations and enforcing strong access controls for containerized workloads. Singularity enables runtime detection, cloud VM and container scanning, and employs agentless vulnerability management to minimize attack surfaces and maximize protection.
SentinelOne’s advanced cloud security platform enables you to stay on top of the latest zero-day attacks and improve your security posture across multi-cloud & hybrid environments. Sign up for a personalized demo to learn more.