CVE-2022-30331: TigerGraph: UDF Vulnerability

** DISPUTED ** The User-Defined Functions (UDF) feature in TigerGraph 3.6.0 allows installation of a query (in the GSQL query language) without proper validation. Consequently, an attacker can execute arbitrary C++ code. NOTE: the vendor’s position is “GSQL was behaving as expected.”


The TigerGraph platform provides the facility for users to remotely upload user-defined functions as C++ source code, which are then automatically compiled and installed into sensitive system components. Due to a lack of safeguards, this process can be exploited by an attacker to circumvent the majority of TigerGraph’s security mechanisms.

Background

We have discovered a critical vulnerability in the TigerGraph product suite, now tracked as CVE-2022-30331 (Common Vulnerabilities and Exposures). The details were withheld for three months to give TigerGraph sufficient time to fix the vulnerability and reinforce their security before they became public.

The vulnerability stems from insufficient safeguards in the GSQL query language to protect the system from malicious, or simply erroneous, user-supplied C++ code. Using the UDF feature of GSQL, an attacker can escalate a user's privileges to those of the administrative user, disable authentication, exfiltrate sensitive data, and then remove the audit logs.

As of this writing, these issues affect the latest version of TigerGraph Server 3.6.0 and any other product that is derived from this code-base, for instance, the Official TigerGraph Docker image. Although unconfirmed, TigerGraph Cloud is also potentially impacted.

Mitigations

During the responsible disclosure process, TigerGraph confirmed that GSQL was behaving as expected and offered the following mitigations:

  • enable authentication for GSQL and the REST endpoints; and
  • change the default password of the tigergraph admin user.

These mitigations are not sufficient to protect against attack: they control who can reach GSQL and the REST endpoints, not what the C++ code in an installed UDF is permitted to do once compiled.

Recommendations

The TigerGraph architecture allows arbitrary C++ code execution. Accordingly, this vulnerability will remain inside TigerGraph products until the fundamental architecture is changed.

Our recommendations for using TigerGraph in the meantime are to:

  • Avoid using UDFs. Even unused ones pose a security risk.
  • If UDFs must be used, sanitize all inputs going between GSQL and a UDF. We acknowledge that this is difficult, since the validation itself would have to be implemented either as another UDF or in GSQL rather than C++.
  • Limit TigerGraph’s access to networks that contain sensitive data. As a TigerGraph cluster is able to run arbitrary code, it is wise to ensure that network traffic from and to it is restricted.
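The sanitize-inputs recommendation above, and the earlier point that erroneous (not only malicious) C++ in a UDF is dangerous, are easiest to see side by side. The following is an added example written for this page, not TigerGraph's code: a small UDF-style function in two versions. The function names and the "account id" rule are assumptions made up for the illustration; the only thing taken from the product is that UDFs are plain C++ functions compiled into the database process.

```cpp
// Added example for this page: a TigerGraph-style UDF written two ways. This is
// not TigerGraph's code; the function names and the "account id" rule are
// assumptions made up for the illustration. TigerGraph UDFs are ordinary C++
// functions compiled into the database process, so this file is plain C++.
#include <cctype>
#include <cstring>
#include <iostream>
#include <stdexcept>
#include <string>

// Constructed policy for this example: an account id is 1..12 ASCII digits.
constexpr std::size_t kMaxAccountIdLen = 12;

// Erroneous variant (illustration only). It trusts whatever GSQL passes in and
// copies it into a fixed stack buffer. Any query argument of 16 or more bytes
// overruns the buffer. Since the UDF is compiled into the database process and
// runs with its privileges, a bug like this hands memory control to whoever
// can supply the query argument. Only ever call it with short input.
inline std::string format_account_unsafe(const std::string& account_id) {
    char buf[16];
    std::strcpy(buf, account_id.c_str());   // no length check
    return std::string("ACCT-") + buf;
}

// Validation at the GSQL/UDF boundary: accept exactly the shape the UDF
// expects and nothing else (bounded length, digit-only allow-list).
inline bool is_valid_account_id(const std::string& account_id) {
    if (account_id.empty() || account_id.size() > kMaxAccountIdLen) {
        return false;
    }
    for (unsigned char c : account_id) {
        if (!std::isdigit(c)) {
            return false;
        }
    }
    return true;
}

// Hardened variant: validates before use, uses std::string instead of a raw
// buffer, and fails closed by throwing so the caller gets an error rather than
// a silently corrupted result.
inline std::string format_account_safe(const std::string& account_id) {
    if (!is_valid_account_id(account_id)) {
        throw std::invalid_argument("format_account: rejected UDF argument");
    }
    return "ACCT-" + account_id;
}

// Convenience wrapper: an empty string signals rejection, so callers (and the
// checks below) can observe the fail-closed path without try/catch.
inline std::string format_account_or_empty(const std::string& account_id) {
    try {
        return format_account_safe(account_id);
    } catch (const std::invalid_argument&) {
        return std::string();
    }
}

int main() {
    // Constructed inputs: a well-formed id, an over-long one, and one carrying
    // a shell metacharacter of the kind that must never reach a UDF unchecked.
    const std::string inputs[] = {"123456", std::string(40, '7'), "1;id"};
    for (const std::string& in : inputs) {
        std::string out = format_account_or_empty(in);
        std::cout << (out.empty() ? "rejected: " : "accepted: ") << in
                  << (out.empty() ? "" : " -> " + out) << '\n';
    }
    return 0;
}
```

The hardened version only protects against hostile data reaching a well-intentioned UDF. It does nothing about a UDF whose author is the attacker, which is the architectural problem described in the Recommendations: as long as the platform compiles and runs user-supplied C++, input validation is a mitigation for the erroneous case, not a fix for the malicious one.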

Related news

CVE-2023-28479: Full C Compiler Toolchain Installed

An issue was discovered in TigerGraph Enterprise 3.7.0. The TigerGraph platform installs a full development toolchain within every TigerGraph deployment. An attacker is able to compile new executables on each TigerGraph system and modify system and TigerGraph binaries.

CVE-2023-28481: Unsecured authorized_keys File

An issue was discovered in TigerGraph Enterprise 3.7.0. There is unsecured write access to the SSH authorized_keys file. Any code running as the tigergraph user is able to add its SSH public key to the authorized_keys file. This allows an attacker to obtain password-less SSH access by using their own SSH key.

CVE-2023-28480: Silently Install UDF

An issue was discovered in TigerGraph Enterprise 3.7.0. The TigerGraph platform allows users to define new User Defined Functions (UDFs) from C/C++ code. To support this functionality, TigerGraph allows users to upload custom C/C++ code, which is then compiled and installed into the platform. An attacker who has filesystem access on a remote TigerGraph system can alter the behavior of the database against the will of the database administrator, effectively bypassing the built-in RBAC controls.

CVE-2023-22951: Unsecured Web Credentials

An issue was discovered in TigerGraph Enterprise Free Edition 3.x. It creates an authentication token for internal systems use. This token can be read from the configuration file. Using this token on the REST API provides an attacker with anonymous admin-level privileges on all REST API endpoints.

CVE-2023-22950: Data Loading Vulnerability

An issue was discovered in TigerGraph Enterprise Free Edition 3.x. Data loading jobs in gsql_server, created by any user with designer permissions, can read sensitive data from arbitrary locations.
