Two Vulns, a Five-Year compromise, and the Twitch Data Breach

Grafana Authentication Bypass Vulnerability

Grafana is an open-source, multi-platform analytics platform that lets you create graphs, charts, and alerts on whatever data you give it access to. Earlier this week, Grafana released two new versions, 7.5.11 and 8.1.6, which address a critical vulnerability recently discovered in Grafana’s snapshot feature. A dashboard snapshot is a Grafana feature designed to let you share an interactive dashboard publicly. When a user creates a snapshot, sensitive data is stripped, leaving only the visible metric data and series names embedded in the dashboard. Essentially, the snapshot no longer depends on the original data but provides a point-in-time view of a specific dashboard. These snapshots can be shared via a unique URL based on a unique key created when you take the snapshot.

The vulnerability, CVE-2021-39226 (https://github.com/grafana/grafana/security/advisories/GHSA-69j6-29vr-p3j9), is described as an authentication bypass vulnerability because it allows an unauthenticated user to always access the snapshot with the lowest database key using one of the following paths:

  • /dashboard/snapshot/:key
  • /api/snapshots/:key

Additionally, if the “public_mode” configuration option is set, an unauthenticated user can delete the snapshot with the lowest database key. If “public_mode” is not set, any authenticated user can still delete the snapshot with the lowest database key. By viewing and then deleting the snapshot with the lowest database key, a malicious user could iterate through all stored snapshots on any Grafana system, stealing the data and then deleting it. The result could be leaked private data and possible data loss. This vulnerability has been patched, so if you are currently running a vulnerable version, we recommend upgrading as soon as possible.

Meanwhile, the CRU has developed a few IDS signatures to help detect when someone is exploiting this vulnerability. If you are a Perch IDS customer, these signatures have already been applied to your sensor.

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"[ConnectWise CRU] Grafana GET Snapshot - Authentication Bypass (CVE-2021-39226) M1"; flow:established, to_server; http.method; content:"GET"; http.uri; content:"/dashboard/snapshot/"; pcre:"/[0-9]+/R"; tag:session,5,packets; reference:url, github.com/grafana/grafana/security/advisories/GHSA-69j6-29vr-p3j9; classtype:web-application-activity; sid:900445; rev:1; metadata: created_at 2021-10-05, updated_at 2021-10-05, cve CVE_2021_39226, mitre_tactic_id TA0000, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"[ConnectWise CRU] Grafana GET Snapshot - Authentication Bypass (CVE-2021-39226) M2"; flow:established, to_server; http.method; content:"GET"; http.uri; content:"/api/snapshots/"; pcre:"/[0-9]+/R"; tag:session,5,packets; reference:url, github.com/grafana/grafana/security/advisories/GHSA-69j6-29vr-p3j9; classtype:web-application-activity; sid:900446; rev:1; metadata: created_at 2021-10-05, updated_at 2021-10-05, cve CVE_2021_39226, mitre_tactic_id TA0000, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"[ConnectWise CRU] Grafana Delete Snapshot Authentication Bypass (CVE-2021-39226) M1"; flow:established, to_server; http.method; content:"DELETE"; http.uri; content:"/api/snapshots/"; pcre:"/[0-9]+/R"; tag:session,5,packets; reference:url, github.com/grafana/grafana/security/advisories/GHSA-69j6-29vr-p3j9; classtype:web-application-activity; sid:900447; rev:1; metadata: created_at 2021-10-05, updated_at 2021-10-05, cve CVE_2021_39226, mitre_tactic_id TA0000, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"[ConnectWise CRU] Grafana Delete Snapshot Authentication Bypass (CVE-2021-39226) M2"; flow:established, to_server; http.method; content:"GET"; http.uri; content:"/api/snapshots-delete/"; pcre:"/[0-9]+/R"; tag:session,5,packets; reference:url, github.com/grafana/grafana/security/advisories/GHSA-69j6-29vr-p3j9; classtype:web-application-activity; sid:900448; rev:1; metadata: created_at 2021-10-05, updated_at 2021-10-05, cve CVE_2021_39226, mitre_tactic_id TA0000, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
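To show what these four signatures actually flag, here is an added Python example (not code from the CRU, Perch, or Grafana) that applies the same method, URI-prefix, and digit-key logic to a constructed Apache-style access log; the log lines, addresses, and keys are made up for the demonstration.

```python
import re
from typing import List, Optional, Tuple

# Mirror of the four CRU signatures above as (sid, method, URI prefix).
# A rule fires when the method matches, the URI contains the prefix, and the
# prefix is immediately followed by digits (the pcre "/[0-9]+/R" relative match).
GRAFANA_SNAPSHOT_RULES = (
    (900445, "GET", "/dashboard/snapshot/"),
    (900446, "GET", "/api/snapshots/"),
    (900447, "DELETE", "/api/snapshots/"),
    (900448, "GET", "/api/snapshots-delete/"),
)

# Request field of a Common Log Format line: "METHOD URI HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+"')

def match_snapshot_rule(method: str, uri: str) -> Optional[int]:
    """Return the sid of the first signature that would fire on this request, or None."""
    for sid, rule_method, prefix in GRAFANA_SNAPSHOT_RULES:
        if method != rule_method:
            continue
        idx = uri.find(prefix)
        if idx != -1 and re.match(r"[0-9]+", uri[idx + len(prefix):]):
            return sid
    return None

def scan_access_log(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (sid, method, uri) for every log line one of the signatures would flag."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if m is None:
            continue
        sid = match_snapshot_rule(m["method"], m["uri"])
        if sid is not None:
            hits.append((sid, m["method"], m["uri"]))
    return hits

# Constructed sample log: a share-link view whose key does not start with a digit
# (ignored by the rules), the four request shapes the signatures cover, and an unrelated call.
SAMPLE_LOG = [
    '10.0.0.5 - - [05/Oct/2021:10:00:01 +0000] "GET /dashboard/snapshot/Xa9fK2qLm7zT HTTP/1.1" 200 4096',
    '203.0.113.7 - - [05/Oct/2021:10:00:02 +0000] "GET /dashboard/snapshot/1 HTTP/1.1" 200 4096',
    '203.0.113.7 - - [05/Oct/2021:10:00:03 +0000] "GET /api/snapshots/1 HTTP/1.1" 200 2048',
    '203.0.113.7 - - [05/Oct/2021:10:00:04 +0000] "DELETE /api/snapshots/1 HTTP/1.1" 200 12',
    '203.0.113.7 - - [05/Oct/2021:10:00:05 +0000] "GET /api/snapshots-delete/1 HTTP/1.1" 200 12',
    '10.0.0.5 - - [05/Oct/2021:10:00:06 +0000] "GET /api/dashboards/home HTTP/1.1" 200 512',
]
```

Calling `scan_access_log(SAMPLE_LOG)` returns one hit per signature for the four numeric-key requests; note that, like the signatures, it will also fire on any legitimate snapshot key that happens to begin with a digit, so treat hits as leads to review rather than confirmed exploitation.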

Apache Directory Traversal Vulnerability

A directory traversal vulnerability, already being exploited in the wild, was recently discovered in newer versions of the Apache web server. Apache is the most widely used web server on the internet, with about 38% of all websites hosted on Apache and a bit over 20 million Apache web servers around the world according to Shodan. CVE-2021-41773 was introduced on September 5 of this year with a change to path normalization in Apache 2.4.49. The vulnerability only applies to Apache 2.4.49, and then only if the “require all denied” access control configuration is disabled. When exploited, an attacker could gain access to arbitrary files on the server, some of which may contain information such as database passwords or other sensitive data. There is even some evidence that, depending on your Apache configuration, this vulnerability could also be used for remote code execution (https://twitter.com/hackerfantastic/status/1445531829985968137). According to a Shodan search performed today, there are about 108,000 Apache web servers across the world currently running the vulnerable version.

If you are using the Apache web server version provided by a major Linux distribution, you probably have nothing to worry about. This bug was only introduced into the Apache code about a month ago, which is too new to be included in Debian, Ubuntu, CentOS, etc. However, if you are running Arch, or compile your own Apache server, you may be running the vulnerable version.

Emerging Threats has already released signatures in their ET EXPLOIT collection that detect attempts to exploit this vulnerability, and those signatures have been applied for Perch IDS customers who are subscribed to the Emerging Threats community.

Hackers Hide in Major SMS Provider’s Network for Five Years

Syniverse is a telecommunications company that handles SMS routing for most major US cellular service providers, including AT&T, Verizon, and T-Mobile. Last week, in an SEC filing (https://www.sec.gov/Archives/edgar/data/1839175/000119312521284329/d234831dprem14a.htm#toc234831_9), Syniverse revealed that in May 2021 it discovered “unauthorized access to its operational and information technology systems by an unknown individual or organization.” According to the filing, Syniverse performed an in-depth investigation after the initial discovery, involving law enforcement, and found that the initial breach occurred in May 2016. Syniverse has not yet released many details regarding the hack or what was accessed, but we do know the attackers had access for five years. According to the SEC filing:

The results of the investigation revealed that the unauthorized access began in May 2016. Syniverse’s investigation revealed that the individual or organization gained unauthorized access to databases within its network on several occasions, and that login information allowing access to or from its Electronic Data Transfer (“EDT”) environment was compromised for approximately 235 of its customers. All EDT customers have been notified and have had their credentials reset or inactivated, even if their credentials were not impacted by the incident. All customers whose credentials were impacted have been notified of that circumstance.

T-Mobile did release a statement saying there was no indication that any of its customers’ phone calls or text messages were impacted. Beyond that, we still have little information about who the attackers were or what information they accessed.

Twitch Data Breach

On Wednesday of this week, an anonymous user on 4chan published 135GB of data stolen from Amazon’s streaming platform, Twitch. The leaked data includes:

  • The entirety of Twitch’s source code with commit history “going back to its early beginnings”
  • Creator payout reports from 2019
  • Mobile, desktop and console Twitch clients
  • Proprietary SDKs and internal AWS services used by Twitch
  • “Every other property that Twitch owns” including IGDB and CurseForge
  • An unreleased Steam competitor, codenamed Vapor, from Amazon Game Studios
  • Twitch internal ‘red teaming’ tools (designed to improve security by having staff pretend to be hackers)

This morning, Amazon attributed the data breach to “an error” in a server’s configuration.

Yesterday, we saw several websites pop up publishing Twitch earnings for the platform’s top streamers, though many of these sites appear to have already been shut down as of today.

There have been rumors that the data includes encrypted passwords; however, Twitch says this is not the case. According to a statement released by Twitch (https://www.videogameschronicle.com/news/twitch-says-theres-no-indication-that-login-details-were-exposed-in-data-leak/), there is no indication that passwords or credit card information were stolen.

Twitch says it has already reset the stream keys for all users on its platform. We also recommend that all Twitch users reset their passwords and, as always, enable MFA.

References

https://digitalintheround.com/what-is-the-most-popular-web-server/

https://nvd.nist.gov/vuln/detail/CVE-2021-41773

https://www.tenable.com/cve/CVE-2021-41773

https://www.theverge.com/2021/10/6/22713543/syniverse-hack-five-years-text-messages

https://www.engadget.com/syniverse-sms-routing-company-hacked-131314113.html

https://www.sec.gov/Archives/edgar/data/1839175/000119312521284329/d234831dprem14a.htm#toc234831_9

https://arstechnica.com/information-technology/2021/10/company-that-routes-sms-for-all-major-us-carriers-was-hacked-for-five-years/

https://www.wepc.com/news/twitch-security-breach-red-team/

https://www.reuters.com/technology/amazons-twitch-hit-by-data-breach-2021-10-06/

https://www.videogameschronicle.com/news/twitch-says-theres-no-indication-that-login-details-were-exposed-in-data-leak/