Summary
Mimir exposes an Admin Dashboard that lists status information but also offers operations labeled "Dangerous". The operation "Trigger ingester shutdown" is vulnerable to CSRF. By tricking a Mimir user with access to this dashboard into visiting a page crafted by the attacker, the attacker can trigger execution of this operation.
Details
To "Play with Grafana Mimir" I found the following page: https://grafana.com/tutorials/play-with-grafana-mimir/
I've used this to launch an instance of Grafana + Mimir and found that it includes a "Grafana Mimir Admin" dashboard. On this dashboard I found a section of operations listed as "Dangerous", which implies that you wouldn't want them used by anyone who isn't authorized to do so. However, upon using "Trigger ingester shutdown" I noticed this operation is triggered by a simple GET request without any CSRF protection. So if an attacker wanted to abuse this, they would simply have to trick a Mimir user into visiting a specially crafted page that redirects them to this GET endpoint. This causes the dangerous operation to be triggered without the user consciously choosing to do so.
PoC
- Launch a Grafana Mimir setup as described with these steps: https://grafana.com/tutorials/play-with-grafana-mimir/
- Trick a user with access to this dashboard into visiting https://0-a.nl/grafdown.html
This page hosts the following POC:
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<meta http-equiv="refresh" content="0; url=http://localhost:9009/ingester/shutdown">
<title></title>
</head>
<body>
</body>
</html>
Result
The ingester shutdown will be triggered. To verify this you can check the status of the ingester service on this page http://localhost:9009/services which should now be "Terminated".
Impact
A Mimir user (someone with access to the Dashboard / instance) will unknowingly trigger an ingester shutdown. This operation is listed as "Dangerous" and as such you wouldn't want it triggered without consciously choosing to do so.
Mitigation
- Do not use GET requests for state changes: they can easily be triggered by a redirect (for example), making any cookie-based protection useless because the browser attaches the session cookie to the redirected request.
- Apply some sort of anti-CSRF protection, such as CSRF tokens.
- You could also pick an HTTP method that isn't vulnerable to CSRF, like PUT or PATCH: a browser cannot issue these from a redirect or an HTML form, and a cross-origin script request with such a method requires a CORS preflight that the server can refuse.
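To show how the three mitigations above fit together in a Go HTTP handler, here is an added example (not Mimir's own code). It assumes a hypothetical /ingester/shutdown handler, an allowed origin of http://localhost:9009, and a double-submit CSRF token carried in a csrf_token cookie and an X-CSRF-Token header; it rejects the GET that the redirect PoC produces, rejects cross-site requests via Fetch Metadata and Origin, and requires the token to match.

```go
package main

import (
	"crypto/subtle"
	"net/http"
)

// allowedOrigin is an assumed value for the dashboard's own origin.
const allowedOrigin = "http://localhost:9009"

// csrfProtected wraps a state-changing handler with three checks.
func csrfProtected(next http.HandlerFunc) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		// 1. Never mutate state on GET: a redirect, <img> or link can issue one.
		if r.Method != http.MethodPost {
			w.Header().Set("Allow", http.MethodPost)
			http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
			return
		}
		// 2. Refuse cross-site requests via Fetch Metadata, then Origin.
		site := r.Header.Get("Sec-Fetch-Site")
		if site != "" && site != "same-origin" && site != "none" {
			http.Error(w, "cross-site request rejected", http.StatusForbidden)
			return
		}
		if origin := r.Header.Get("Origin"); origin != "" && origin != allowedOrigin {
			http.Error(w, "origin not allowed", http.StatusForbidden)
			return
		}
		// 3. Double-submit token: X-CSRF-Token header must equal the csrf_token cookie.
		c, err := r.Cookie("csrf_token")
		token := r.Header.Get("X-CSRF-Token")
		if err != nil || c.Value == "" ||
			subtle.ConstantTimeCompare([]byte(c.Value), []byte(token)) != 1 {
			http.Error(w, "csrf token missing or mismatched", http.StatusForbidden)
			return
		}
		next(w, r)
	}
}

// shutdownHandler stands in for the ingester shutdown operation (assumed, not Mimir's).
func shutdownHandler(w http.ResponseWriter, r *http.Request) {
	w.WriteHeader(http.StatusNoContent)
}

func main() {
	http.Handle("/ingester/shutdown", csrfProtected(shutdownHandler))
	http.ListenAndServe(":9009", nil)
}
```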
Note from Grafana Labs
This is considered an accepted risk.