CVE-2020-12459:Grafana 6.x through 6.3.6 in certain Red Hat packages exposes sensitive configuration files with improper permissions.


Description

In certain Red Hat packages for Grafana 6.x through 6.3.6, the configuration files /etc/grafana/grafana.ini and /etc/grafana/ldap.toml are world readable. These files contain sensitive information including a secret_key and a bind_password, which could allow local users to gain unauthorized access to credentials and potentially compromise the Grafana instance or connected systems.

Overview

This vulnerability (CVE-2020-12459) affects Grafana versions 6.x through 6.3.6 when installed through certain Red Hat packages. The issue stems from incorrect file permissions that make critical configuration files readable by any user on the system. The affected files (/etc/grafana/grafana.ini and /etc/grafana/ldap.toml) contain sensitive information such as secret keys and LDAP bind passwords. This represents a CWE-732 vulnerability (Incorrect Permission Assignment for Critical Resource), allowing unauthorized access to authentication credentials and sensitive configuration data. Any local user on the affected system could potentially view these credentials, which might be used to access Grafana with elevated privileges or to compromise connected systems.

Remediation

To remediate this vulnerability, system administrators should:

  1. Update Grafana to a patched version through your package manager.
  2. For Fedora users, apply the updates mentioned in the referenced advisories (FEDORA-2020-d109a1d1d9 and FEDORA-2020-c6b0c7ebbb).
  3. If immediate updates are not possible, manually correct the file permissions:
    • Change permissions on /etc/grafana/grafana.ini and /etc/grafana/ldap.toml to be readable only by the grafana user and group: chmod 640 /etc/grafana/grafana.ini /etc/grafana/ldap.toml
    • Ensure proper ownership: chown grafana:grafana /etc/grafana/grafana.ini /etc/grafana/ldap.toml
  4. After applying fixes, consider rotating any exposed secrets, including the secret_key and LDAP bind passwords.
  5. Audit your system for any unauthorized access that might have occurred while the vulnerability was present.
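As an added example (not from the advisory, the Fedora patch or the Grafana project), the POSIX shell script below checks whether the two configuration files from step 3 are accessible to other local users and, when run as root, applies the chmod/chown fix and re-audits. It assumes the service account is named grafana; the GRAFANA_OWNER and GRAFANA_GROUP variables override that.

```shell
#!/bin/sh
# Audit and repair the permissions of the Grafana configuration files named in
# CVE-2020-12459. Added example, not taken from the advisory or from Grafana.
# Assumes the service account is "grafana"; override with the two variables.
GRAFANA_OWNER="${GRAFANA_OWNER:-grafana}"
GRAFANA_GROUP="${GRAFANA_GROUP:-grafana}"

# The "other" permission triad of a file, e.g. "r--" for mode 644.
other_bits() {
    ls -ld "$1" | cut -c8-10
}

# True (exit 0) when any local user can read, write or execute the file.
is_world_accessible() {
    [ "$(other_bits "$1")" != "---" ]
}

# Report each given file that is world-accessible; exit 0 only if none is.
# A missing file is reported but is not a finding.
audit_files() {
    status=0
    for f in "$@"; do
        if [ ! -e "$f" ]; then
            echo "missing: $f" >&2
        elif is_world_accessible "$f"; then
            echo "FINDING: $f is world-accessible ($(ls -ld "$f" | cut -c1-10))" >&2
            status=1
        fi
    done
    return $status
}

# Remediation step 3: owner rw, group r, nothing for others (0640), owned by
# the service account. Needs root on a real system.
harden_file() {
    chmod 640 "$1" && chown "$GRAFANA_OWNER:$GRAFANA_GROUP" "$1"
}

# Repair every world-accessible file in the list, then re-audit.
audit_and_repair() {
    for f in "$@"; do
        if [ -e "$f" ] && is_world_accessible "$f"; then harden_file "$f"; fi
    done
    audit_files "$@"
}
# Usage: sudo sh grafana-config-perms.sh /etc/grafana/grafana.ini /etc/grafana/ldap.toml
if [ "$#" -gt 0 ]; then
    audit_and_repair "$@"
fi
```

Run it with no arguments to load the functions into an interactive shell, or pass the two paths to audit and repair them in one go; a non-zero exit means a file is still world-accessible.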

References

  1. Red Hat Security Advisory: https://access.redhat.com/security/cve/CVE-2020-12459
  2. Red Hat Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1829724
  3. Grafana GitHub Issue: https://github.com/grafana/grafana/issues/8283
  4. Fedora Package Announcement: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CTQCKJZZYXMCSHJFZZ3YXEO5NUBANGZS/
  5. Fedora Package Announcement: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WEBCIEVSYIDDCA7FTRS2IFUOYLIQU34A/
  6. NetApp Security Advisory: https://security.netapp.com/advisory/ntap-20200518-0004/
  7. Fedora Patch: https://src.fedoraproject.org/rpms/grafana/c/fab93d67363eb0a9678d9faf160cc88237f26277

Industry Exposure (most to least)
This section illustrates the prevalence of a specific Common Vulnerabilities and Exposures (CVE) across various industries based on customer reports. The ranking displays industries from the most to least affected by this particular vulnerability, offering valuable insight into where this CVE has been most frequently observed. This information can help organizations within these sectors prioritize their security efforts, understand their relative risk exposure compared to their peers, and focus remediation strategies where they are most needed. By understanding the industry-specific impact, organizations can make more informed decisions regarding patching, resource allocation, and overall risk management related to this CVE.

  1. Manufacturing
  2. Educational Services
  3. Management of Companies & Enterprises
  4. Other Services (except Public Administration)
  5. Professional, Scientific, & Technical Services
  6. Transportation & Warehousing
  7. Accommodation & Food Services
  8. Administrative, Support, Waste Management & Remediation Services
  9. Agriculture, Forestry, Fishing & Hunting
  10. Arts, Entertainment & Recreation
  11. Construction
  12. Finance and Insurance
  13. Health Care & Social Assistance
  14. Information
  15. Mining
  16. Public Administration
  17. Real Estate Rental & Leasing
  18. Retail Trade
  19. Utilities
  20. Wholesale Trade

Armis Vulnerability Intelligence Database