fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

Grafana Fixes Zero-day Vulnerability After Exploits Spread over Twitter

Grafana Fixes Zero-day Vulnerability After Exploits Spread over Twitter

Open-source analytics and interactive visualization solution Grafana received an emergency update today to fix a high-severity, zero-day vulnerability that enabled remote access to local files.

Details about the issue started to become public earlier this week, before Grafana Labs rolled out updates for affected versions 8.0.0-beta1 through 8.3.0.

Plugin URL path

Earlier today, Grafana 8.3.1, 8.2.7, 8.1.8, and 8.0.7 were released to fix a path traversal vulnerability that could allow an attacker to navigate outside the Grafana folder and remotely access restricted locations on the server, such as /etc/passwd/.

Also Read: Invasion Of Privacy Elements And Its Legal Laws To Comply

Grafana Labs published a blog post today explaining that problem was with the URL for installed plug-ins, which was vulnerable to path traversal attacks.

Since all Grafana installations have a set of plugins installed by default, the vulnerable URL path was present on every instance of the application.

Grafana Labs received a report about the vulnerability at the end of last week, on December 3, and came up with a fix on the same day.

The developer planned a private customer release for today and a public one for December 14.

PoC spreads over Twitter and GitHub

A second report came in yesterday, though, indicating that information about the issue started to spread, the confirmation coming when news about the bug appeared in the public space.

source: Corben Leo

It didn’t take long for technical details along with proof-of-concepts (PoC) to exploit the bug to become available on Twitter and GitHub.

Also Read: EU GDPR Articles: Key For Business Security And Success

CVE-2021-43798 exploitation
source Martin Hsu

Since the privately reported bug had become a leaked zero-day, Grafana Labs was forced to publish the fix:

  • 2021-12-06: Second report about the vulnerability received
  • 2021-12-07: We received information that the vulnerability has been leaked to the public, turning it into a 0day
  • 2021-12-07: Decision made to release as quickly as feasible
  • 2021-12-07: Private release with reduced 2-hour grace period, not the usual 1-week timeframe
  • 2021-12-07: Public release

Now tracked as CVE-2021-43798, the flaw received a 7.5 severity score and is still exploitable on on-premise servers that have not been updated.

Grafana Cloud instances have not been impacted, the developer said today.

According to public reports, there are thousands of Grafana servers exposed on the public internet. If updating a vulnerable instance is not possible in a timely manner, it is recommended to make the server inaccessible from the public web.

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us