
====================================================================

                             CERT-Renater

                 Note d'Information No. 2020/VULN314
_____________________________________________________________________

DATE                : 08/06/2020

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Grafana versions prior to 6.7.4
                     (6.x branch) or 7.0.2 (7.x branch).

=====================================================================
https://grafana.com/blog/2020/06/03/grafana-6.7.4-and-7.0.2-released-with-important-security-fix/
_____________________________________________________________________

Grafana 6.7.4 and 7.0.2 released with important security fix
Published: 3 Jun 2020


Today we are releasing Grafana 6.7.4 and 7.0.2. These patch releases
include an important security fix for an issue that affects all Grafana
versions from 3.0.1 to 7.0.1.

    Notice: 2020-06-04 06:21 UTC we removed the part of the timeline
that indicated that this is an RCE vulnerability. While SSRF can be very
similar to RCE, this exploit does not enable the attacker to execute any
code beyond creating the request.

- Categorized as a HIGH risk vulnerability because it’s a remote code
execution (RCE) vulnerability that affects all Grafana instances[...]

+ Categorized as a HIGH risk vulnerability because it’s a SSRF without
authentication requirement that affects all Grafana instances[...]




Incorrect access control vulnerability (CVE-2020-13379)

We received a security report to security@grafana.com on May 14, 2020,
about a vulnerability in Grafana regarding the avatar feature. It was
later identified as affecting Grafana versions from 3.0.1 to 7.0.1.
CVE-2020-13379 has been assigned to this vulnerability.

The avatar feature in Grafana 3.0.1 through 7.0.1 has an SSRF Incorrect
Access Control issue. This vulnerability allows any unauthenticated
user/client to make Grafana send HTTP requests to any URL and return its
result to the user/client. This can be used to gain information about
the network that Grafana is running on.

If for some reason you cannot upgrade, the impact can be mitigated by
blocking access to the avatar feature by blocking the /avatar/* URL via
a web application firewall, load balancer, reverse proxy, or similar. It
can also be mitigated by restricting access to Grafana.


Affected versions

Grafana releases 3.0.1 through 7.0.1


Patched versions

7.x and 6.7.x
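To turn the affected and patched ranges above into an inventory check, here is an added example (not code from the CERT-Renater note or from Grafana Labs). It assumes the ranges as stated in the advisory (3.0.1 through 7.0.1 affected; 6.7.4 and 7.0.2 fixed) and assumes the JSON shape of Grafana's /api/health endpoint, which reports a "version" field; the sample response is constructed.

```python
"""Classify a Grafana version against the CVE-2020-13379 affected range."""
import json
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

FIRST_AFFECTED: Version = (3, 0, 1)   # first vulnerable release per advisory
FIXED_6X: Version = (6, 7, 4)         # fix on the 6.x branch
FIXED_7X: Version = (7, 0, 2)         # fix on the 7.x branch


def parse_version(text: str) -> Optional[Version]:
    """Parse 'MAJOR.MINOR.PATCH' (optional leading 'v', trailing suffix
    ignored); return None when the string is not a version at all."""
    m = re.match(r"^\s*v?(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected(version: str) -> bool:
    """True when the version lies in the vulnerable range.

    3.0.1 .. 7.0.1 is vulnerable, except the patched tail of the 6.x
    branch: 6.7.4 and later 6.x builds carry the fix, while 7.0.0 and
    7.0.1 (released before 7.0.2) do not.
    """
    v = parse_version(version)
    if v is None:
        raise ValueError(f"unrecognised Grafana version: {version!r}")
    if v < FIRST_AFFECTED:
        return False
    if FIXED_6X <= v < (7, 0, 0):
        return False                  # patched 6.x branch
    return v < FIXED_7X               # 7.0.0 / 7.0.1 vulnerable, 7.0.2+ fixed


def check_health_response(body: str) -> dict:
    """Classify the JSON body of a /api/health reply (assumed shape)."""
    version = json.loads(body).get("version", "")
    return {"version": version, "affected": is_affected(version)}


if __name__ == "__main__":
    # Constructed sample reply; real instances return their own values.
    SAMPLE = '{"commit": "0000000", "database": "ok", "version": "6.7.3"}'
    print(check_health_response(SAMPLE))
```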


Solutions and mitigations

Download and install the appropriate patch for your version of Grafana.

Grafana Cloud instances have already been patched, and Grafana
Enterprise customers were provided with updated binaries, under embargo,
on May 27.


Timeline and postmortem

Here is a detailed timeline starting from when we originally learned of
the issue. All times in UTC.

May 14, 2020

    14:10: Received vulnerability report sent to security@grafana.com by
Justin Gardner @rhynorater.
    22:15: Escalated to Grafana devs who decrypted the message.

May 15, 2020

    13:21: Report confirmed valid; the issue could be reproduced on
Grafana v3.0.1 to v7.0.1. Categorized as a HIGH risk vulnerability
because it’s an SSRF without authentication requirement that affects all
Grafana instances, especially those that are exposed to the internet,
since anyone who can access the Grafana instance can exploit this
vulnerability.
    14:30: A release plan was established.

May 19, 2020

    15:03: Marcus Efraimsson (@marefr) started working on a fix for the
vulnerability in a private mirror.
    15:33: Responded to the reporter with confirmation and some notes
about what is going to happen next.

May 20, 2020

    13:55: Requested a new CVE ID for the vulnerability.

May 22, 2020

    08:03: Confirmation that CVE-2020-13379 has been reserved.

May 27, 2020

    10:34: Built 7.0.2 with a fix for the vulnerability from our private
mirror.
    15:40: Built 6.7.4 with a fix for the vulnerability from our private
mirror.

May 28, 2020

    08:00: Proactively provided Grafana Enterprise customers and
partners with details and links to patched versions under embargo.
    08:00: Started rolling out patched versions to Grafana Cloud.

June 3, 2020

    12:00: Released 7.0.2 and 6.7.4 on grafana.com.
    12:00: Published this blog post.
    12:00: The patch will be merged from our private mirror into Grafana
master.


Reporting security issues

If you think you have found a security vulnerability, please send a
report to security@grafana.com. This address can be used for all of
Grafana Labs’s open source and commercial products (including but not
limited to Grafana, Grafana Cloud, Grafana Enterprise, and grafana.com).
We only accept vulnerability reports at this address. We would prefer
that you encrypt your message to us using our PGP key. The key
fingerprint is:

F988 7BEA 027A 049F AE8E 5CAA D125 8932 BE24 C5CA

The key is available from keys.gnupg.net by searching for
security@grafana:
http://keys.gnupg.net/pks/lookup?search=security@grafana&fingerprint=on&op=index


Security announcements


We maintain a category on the community site named Security
Announcements, where we will post a summary, remediation, and mitigation
details for any patch containing security fixes. You can also subscribe
to email updates to this category if you have a grafana.com account and
sign in to the community site, or via updates from our Security
Announcements RSS feed.


Conclusion

If you run a Grafana instance from version 3.0.1 to 7.0.1, please
upgrade to Grafana 6.7.4 or 7.0.2 as soon as possible.



=========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44            +
+ 23/25 Rue Daviel    | fax : 01-53-94-20-41            +
+ 75013 Paris         | email:cert@support.renater.fr   +
=========================================================


