Exposing a New BOLA Vulnerability in Grafana

Unit 42 disclosed a Broken Object Level Authorization (BOLA) vulnerability in Grafana (CVE-2024-1313) that permits low-privileged or unaffiliated users to delete dashboard snapshots if they know or can guess the snapshot key. The report also describes weak key handling and snapshot-creation behavior that enable brute-force and denial-of-service abuse, and it lists patched versions and mitigations. #Grafana #CVE-2024-1313

Keypoints

  • Unit 42 identified a BOLA vulnerability (CVE-2024-1313) affecting Grafana versions before several patched releases.
  • The DELETE /api/snapshots/{key} endpoint can be used by unaffiliated or low-privileged users to delete snapshots if they possess the snapshot key.
  • Snapshot keys and deleteKeys appear in URLs and in the responses of some endpoints, making them discoverable; the API accepts user-supplied keys without enforcing any complexity requirement.
  • POST /api/snapshots lets any Grafana user create snapshots and supply weak keys, enabling brute-force of keys or resource exhaustion attacks.
  • Exploitation can cause data integrity loss (deleted snapshots) or availability issues (DoS via large or frequent snapshots).
  • Grafana released fixes (e.g., 10.4.x, 10.3.5, 10.2.6, 10.1.9, 9.5.18); Prisma Cloud WAAS rule and firewall protections can help detect/mitigate weak-key snapshot activity.

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – Used to exploit Grafana’s snapshot API endpoints to perform unauthorized actions: ‘CVE-2024-1313 allows any Grafana user to delete a snapshot with the snapshot’s key through an HTTP/s request for DELETE /api/snapshots/{key}’
  • [T1110] Brute Force – Attackers can brute-force weak or self-assigned keys because the API lacks complexity checks: ‘it does not enforce any complexity requirements… vulnerable to brute-force attacks.’
  • [T1485] Data Destruction – Deleting snapshots across organizations impacts data integrity: ‘delete any dashboard snapshot across every organization in Grafana.’
  • [T1499] Endpoint Denial of Service – Creating many large snapshots can be used to incapacitate a Grafana system: ‘incapacitate a Grafana system by continuously generating large snapshots filled with random data.’
  • [T1552.006] Credentials in URL – Sensitive snapshot keys are exposed in URL path parameters, enabling discovery: ‘the key is displayed in plain text as part of the URL’s path parameters.’

Indicators of Compromise

  • [CVE] vulnerability identifier – CVE-2024-1313
  • [API endpoints] snapshot API usage – POST /api/snapshots, DELETE /api/snapshots/{key}, GET /api/snapshots/{key}, GET /api/snapshots-delete/{deleteKey}
  • [Snapshot key example] sample key shown in article – l1cWRaD0kJERIYF9eyz3RVhafNWEKPbz
  • [Vulnerable versions] affected Grafana releases – 9.5.0 before 9.5.18; 10.0.0 before 10.0.13; 10.1.0 before 10.1.9; 10.2.0 before 10.2.6; 10.3.0 before 10.3.5
  • [Patched versions] fixed releases to upgrade to – 10.4.x, 10.3.5, 10.2.6, 10.1.9, 9.5.18

Technical procedure overview: An attacker needs the snapshot key or deleteKey to interact with the Grafana snapshot endpoints. Keys can be discovered because they appear in URL path parameters when snapshots are viewed or shared, or they can be brute-forced if they were created with low complexity via POST /api/snapshots (the API permits user-supplied keys without enforcing complexity). Once a key is known or guessed, the attacker sends an HTTP DELETE to /api/snapshots/{key} to remove the snapshot; GET /api/snapshots/{key} and GET /api/snapshots-delete/{deleteKey} likewise allow view and delete operations, respectively, based solely on possession of the key.

Attack scenarios and preconditions: A successful exploit requires either observation of the key (e.g., visible in a browser URL during a presentation or in shared documents) or a successful brute-force of a weak key. If public_mode is enabled, unauthenticated users can also create snapshots, which increases the attack surface. An attacker can further abuse POST /api/snapshots to generate many large snapshots with arbitrary telemetry payloads, exhausting storage or processing resources and causing denial of service.

Mitigations and detection: Upgrade Grafana to the patched releases (10.4.x, 10.3.5, 10.2.6, 10.1.9, 9.5.18). Disable or restrict public_mode and restrict who can create snapshots. Enforce strong key complexity server-side and avoid relying on key secrecy in URLs. Monitor and block abnormal snapshot POST, GET, and DELETE patterns (e.g., short-length keys) using WAAS or WAF rules; the article provides a Prisma WAAS detection rule that flags POST /api/snapshots bodies with key/deleteKey under 32 characters and GET/DELETE requests with short path keys. Also audit logs for repeated snapshot deletions or high-volume snapshot creation to detect brute-force or DoS activity.
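As an added illustration of the log-monitoring advice above (not code from the Unit 42 article or from Grafana), the following Python script applies the same 32-character key-length check to constructed access-log records and also counts deletion attempts per client. The record fields ip/method/path/body, the sample records, and the threshold of three deletions are assumptions.

```python
import json
import re
from collections import Counter

# Threshold from the WAAS rule described in the article: keys shorter than 32 characters are suspect.
MIN_KEY_LEN = 32
SNAPSHOT_PATH = re.compile(r"^/api/snapshots(-delete)?/([^/?]+)$")

# Constructed sample access-log records (hypothetical, not taken from the Unit 42 article).
SAMPLE_LOG = [
    {"ip": "203.0.113.5", "method": "POST", "path": "/api/snapshots",
     "body": '{"dashboard": {"title": "x"}, "key": "abc123", "deleteKey": "del1"}'},
    {"ip": "203.0.113.5", "method": "DELETE", "path": "/api/snapshots/abc123"},
    {"ip": "198.51.100.7", "method": "GET", "path": "/api/snapshots/l1cWRaD0kJERIYF9eyz3RVhafNWEKPbz"},
    {"ip": "203.0.113.5", "method": "GET", "path": "/api/snapshots-delete/del1"},
    {"ip": "203.0.113.5", "method": "DELETE", "path": "/api/snapshots/aaaa"},
]

def short_key_findings(record):
    """Return (reason, key) pairs for every snapshot key in this request shorter than MIN_KEY_LEN."""
    findings = []
    m = SNAPSHOT_PATH.match(record["path"])
    if m and record["method"] in ("GET", "DELETE") and len(m.group(2)) < MIN_KEY_LEN:
        findings.append((f"short key in {record['method']} {record['path']}", m.group(2)))
    if record["method"] == "POST" and record["path"] == "/api/snapshots" and record.get("body"):
        try:
            body = json.loads(record["body"])
        except ValueError:
            return findings  # malformed body: nothing further to inspect
        for field in ("key", "deleteKey"):
            value = body.get(field)
            if isinstance(value, str) and len(value) < MIN_KEY_LEN:
                findings.append((f"short {field} in POST body", value))
    return findings

def analyze(records, delete_threshold=3):
    """Alerts for weak keys per request, plus any client whose deletion count reaches the threshold."""
    alerts, deletes = [], Counter()
    for r in records:
        alerts.extend((r["ip"], reason, key) for reason, key in short_key_findings(r))
        # DELETE /api/snapshots/{key} and GET /api/snapshots-delete/{deleteKey} both remove a snapshot.
        m = SNAPSHOT_PATH.match(r["path"])
        if m and (r["method"] == "DELETE" or (m.group(1) and r["method"] == "GET")):
            deletes[r["ip"]] += 1
    for ip, count in deletes.items():
        if count >= delete_threshold:
            alerts.append((ip, "repeated snapshot deletions", str(count)))
    return alerts
```

Running analyze(SAMPLE_LOG) flags every short key in the constructed records and raises one extra alert for the client that reached three deletion attempts, while the request carrying the article's 32-character sample key produces nothing.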

Read more: https://unit42.paloaltonetworks.com/new-bola-vulnerability-grafana/