10 CVE-2021-41277

CISA Kev Catalog Path Traversal Patch Exploit
 

Metabase is an open source data analytics platform. In affected versions a security issue has been discovered with the custom GeoJSON map (`admin->settings->maps->custom maps->add a map`) support and potential local file inclusion (including environment variables). URLs were not validated prior to being loaded. This issue is fixed in a new maintenance release (0.40.5 and 1.40.5), and any subsequent release after that. If you’re unable to upgrade immediately, you can mitigate this by including rules in your reverse proxy or load balancer or WAF to provide a validation filter before the application.
https://nvd.nist.gov/vuln/detail/CVE-2021-41277

Categories

CWE-200 : Exposure of Sensitive Information to an Unauthorized Actor
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. Developers may insert sensitive information that they do not believe, or they might forget to remove the sensitive information after it has been processed Separate mistakes or weaknesses could inadvertently make the sensitive information available to an attacker, such as in a detailed error message that can be read by an unauthorized party This term is frequently used in vulnerability advisories to describe a consequence or technical impact, for any vulnerability that has a loss of confidentiality. Often, CWE-200 can be misused to represent the loss of confidentiality, even when the mistake - i.e., the weakness - is not directly related to the mishandling of the information itself, such as an out-of-bounds read that accesses sensitive memory contents; here, the out-of-bounds read is the primary weakness, not the disclosure of the memory. In addition, this phrase is also used frequently in policies and legal documents, but it does not refer to any disclosure of security-relevant information. This is a frequently used term, however the "leak" term has multiple uses within security. In some cases it deals with the accidental exposure of information from a different weakness, but in other cases (such as "memory leak"), this deals with improper tracking of resources, which can lead to exhaustion. As a result, CWE is actively avoiding usage of the "leak" term. Rust library leaks Oauth client details in application debug logs Digital Rights Management (DRM) capability for mobile platform leaks pointer information, simplifying ASLR bypass Enumeration of valid usernames based on inconsistent responses Account number enumeration via inconsistent responses. User enumeration via discrepancies in error messages. Telnet protocol allows servers to obtain sensitive environment information from clients. Script calls phpinfo(), revealing system configuration to web user Product sets a different TTL when a port is being filtered than when it is not being filtered, which allows remote attackers to identify filtered ports by comparing TTLs. Version control system allows remote attackers to determine the existence of arbitrary files and directories via the -X command for an alternate history file, which causes different error messages to be returned. Virtual machine allows malicious web site operators to determine the existence of files on the client by measuring delays in the execution of the getSystemResource method. Product immediately sends an error message when a user does not exist, which allows remote attackers to determine valid usernames via a timing attack. POP3 server reveals a password in an error message after multiple APOP commands are sent. Might be resultant from another weakness. Program reveals password in error message if attacker can trigger certain database errors. Composite: application running with high privileges (CWE-250) allows user to specify a restricted file to process, which generates a parsing error that leaks the contents of the file (CWE-209). Direct request to library file in web application triggers pathname leak in error message. Malformed regexp syntax leads to information exposure in error message. Password exposed in debug information. FTP client with debug option enabled shows password to the screen. Collaboration platform does not clear team emails in a response, allowing leak of email addresses

CWE-22 : Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. "Path traversal" is preferred over "directory traversal," but both terms are attack-focused. Automated techniques can find areas where path traversal weaknesses exist. However, tuning or customization may be required to remove or de-prioritize path-traversal problems that are only exploitable by the product's administrator - or other privileged users - and thus potentially valid behavior or, at worst, a bug instead of a vulnerability. Manual white box techniques may be able to provide sufficient code coverage and reduction of false positives if all file access operations can be assessed within limited time constraints. For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server. Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. Use an application firewall that can detect attacks against this weakness. It can be beneficial in cases in which the code cannot be fixed (because it is controlled by a third party), as an emergency prevention measure while more comprehensive software assurance measures are applied, or to provide defense in depth. Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations. When using PHP, configure the application so that it does not use register_globals. During implementation, develop the application so that it does not rely on this feature, but be wary of implementing a register_globals emulation that is subject to weaknesses such as CWE-95, CWE-621, and similar issues. Large language model (LLM) management tool does notvalidate the format of a digest value (CWE-1287) from aprivate, untrusted model registry, enabling relativepath traversal (CWE-23), a.k.a. Probllama Chain: API for text generation using Large Language Models (LLMs) doesnot include the "\" Windows folder separator in its denylist (CWE-184)when attempting to prevent Local File Inclusion via path traversal(CWE-22), allowing deletion of arbitrary files on Windows systems. Chain: a learning management tool debugger uses external input to locate previous session logs (CWE-73) and does not properly validate the given path (CWE-20), allowing for filesystem path traversal using "../" sequences (CWE-24) Python package manager does not correctly restrict the filename specified in a Content-Disposition header, allowing arbitrary file read using path traversal sequences such as "../" Python package constructs filenames using an unsafe os.path.join call on untrusted input, allowing absolute path traversal because os.path.join resets the pathname to an absolute path that is specified as part of the input. directory traversal in Go-based Kubernetes operator app allows accessing data from the controller's pod file system via ../ sequences in a yaml file Chain: Cloud computing virtualization platform does not require authentication for upload of a tar format file (CWE-306), then uses .. path traversal sequences (CWE-23) in the file to access unexpected files, as exploited in the wild per CISA KEV. a Kubernetes package manager written in Go allows malicious plugins to inject path traversal sequences into a plugin archive ("Zip slip") to copy a file outside the intended directory Chain: security product has improper input validation (CWE-20) leading to directory traversal (CWE-22), as exploited in the wild per CISA KEV. Go-based archive library allows extraction of files to locations outside of the target folder with "../" path traversal sequences in filenames in a zip file, aka "Zip Slip" Newsletter module allows reading arbitrary files using "../" sequences. Chain: PHP app uses extract for register_globals compatibility layer (CWE-621), enabling path traversal (CWE-22) FTP server allows deletion of arbitrary files using ".." in the DELE command. FTP server allows creation of arbitrary directories using ".." in the MKD command. FTP service for a Bluetooth device allows listing of directories, and creation or reading of files using ".." sequences. Software package maintenance program allows overwriting arbitrary files using "../" sequences. Bulletin board allows attackers to determine the existence of files using the avatar. PHP program allows arbitrary code execution using ".." in filenames that are fed to the include() function. Overwrite of files using a .. in a Torrent file. Chat program allows overwriting files using a custom smiley request. Chain: external control of values for user's desired language and theme enables path traversal. Chain: library file sends a redirect if it is directly requested but continues to execute, allowing remote file inclusion and path traversal.

References


 

CPE

cpe start end
Configuration 1
cpe:2.3:a:metabase:metabase:0.40.0:-:*:*:-:*:*:*
cpe:2.3:a:metabase:metabase:0.40.1:*:*:*:-:*:*:*
cpe:2.3:a:metabase:metabase:0.40.2:*:*:*:-:*:*:*
cpe:2.3:a:metabase:metabase:0.40.3:*:*:*:-:*:*:*
cpe:2.3:a:metabase:metabase:0.40.4:*:*:*:-:*:*:*
cpe:2.3:a:metabase:metabase:1.40.0:-:*:*:enterprise:*:*:*
cpe:2.3:a:metabase:metabase:1.40.1:*:*:*:enterprise:*:*:*
cpe:2.3:a:metabase:metabase:1.40.2:*:*:*:enterprise:*:*:*
cpe:2.3:a:metabase:metabase:1.40.3:*:*:*:enterprise:*:*:*
cpe:2.3:a:metabase:metabase:1.40.4:*:*:*:enterprise:*:*:*


REMEDIATION


Patch

Url
https://github.com/metabase/metabase/commit/042a36e49574c749f944e19cf80360fd3...
https://github.com/metabase/metabase/commit/042a36e49574c749f944e19cf80360fd3...


EXPLOITS


Exploit-db.com

id description date
No known exploits

POC Github

Url
https://github.com/Seals6/CVE-2021-41277
https://github.com/Henry4E36/Metabase-cve-2021-41277
https://github.com/kap1ush0n/CVE-2021-41277

Other Nist (github, ...)

Url
No known exploits


CAPEC


Common Attack Pattern Enumerations and Classifications

id description severity
116 Excavation
Medium
13 Subverting Environment Variable Values
Very High
169 Footprinting
Very Low
22 Exploiting Trust in Client
High
224 Fingerprinting
Very Low
285 ICMP Echo Request Ping
Low
287 TCP SYN Scan
Low
290 Enumerate Mail Exchange (MX) Records
Low
291 DNS Zone Transfers
Low
292 Host Discovery
Low
293 Traceroute Route Enumeration
Low
294 ICMP Address Mask Request
Low
295 Timestamp Request
Low
296 ICMP Information Request
Low
297 TCP ACK Ping
Low
298 UDP Ping
Low
299 TCP SYN Ping
Low
300 Port Scanning
Low
301 TCP Connect Scan
Low
302 TCP FIN Scan
Low
303 TCP Xmas Scan
Low
304 TCP Null Scan
Low
305 TCP ACK Scan
Low
306 TCP Window Scan
Low
307 TCP RPC Scan
Low
308 UDP Scan
Low
309 Network Topology Mapping
Low
310 Scanning for Vulnerable Software
Low
312 Active OS Fingerprinting
Low
313 Passive OS Fingerprinting
Low
317 IP ID Sequencing Probe
Low
318 IP 'ID' Echoed Byte-Order Probe
Low
319 IP (DF) 'Don't Fragment Bit' Echoing Probe
Low
320 TCP Timestamp Probe
Low
321 TCP Sequence Number Probe
Low
322 TCP (ISN) Greatest Common Divisor Probe
Low
323 TCP (ISN) Counter Rate Probe
Low
324 TCP (ISN) Sequence Predictability Probe
Low
325 TCP Congestion Control Flag (ECN) Probe
Low
326 TCP Initial Window Size Probe
Low
327 TCP Options Probe
Low
328 TCP 'RST' Flag Checksum Probe
Low
329 ICMP Error Message Quoting Probe
Low
330 ICMP Error Message Echoing Integrity Probe
Low
472 Browser Fingerprinting
Low
497 File Discovery
Very Low
508 Shoulder Surfing
High
573 Process Footprinting
Low
574 Services Footprinting
Low
575 Account Footprinting
Low
576 Group Permission Footprinting
Low
577 Owner Footprinting
Low
59 Session Credential Falsification through Prediction
High
60 Reusing Session IDs (aka Session Replay)
High
616 Establish Rogue Location
Medium
643 Identify Shared Files/Directories on System
Medium
646 Peripheral Footprinting
Medium
651 Eavesdropping
Medium
79 Using Slashes in Alternate Encoding
High
126 Path Traversal
Very High
64 Using Slashes and URL Encoding Combined to Bypass Validation Logic
High
76 Manipulating Web Input to File System Calls
Very High
78 Using Escaped Slashes in Alternate Encoding
High


MITRE


Techniques

id description
T1007 System Service Discovery
T1016 System Network Configuration Discovery
T1018 Remote System Discovery
T1033 System Owner/User Discovery
T1036.005 Masquerading: Match Legitimate Name or Location
T1046 Network Service Scanning
T1049 System Network Connections Discovery
T1057 Process Discovery
T1069 Permission Groups Discovery
T1082 System Information Discovery
T1083 File and Directory Discovery
T1087 Account Discovery
T1111 Multi-Factor Authentication Interception
T1120 Peripheral Device Discovery
T1124 System Time Discovery
T1134.001 Access Token Manipulation:Token Impersonation/Theft
T1135 Network Share Discovery
T1217 Browser Bookmark Discovery
T1550.004 Use Alternate Authentication Material:Web Session Cookie
T1562.003 Impair Defenses:Impair Command History Logging
T1574.006 Hijack Execution Flow:Dynamic Linker Hijacking
T1574.007 Hijack Execution Flow:Path Interception by PATH Environment Variable
T1590 Gather Victim Network Information
T1592 Gather Victim Host Information
T1595 Active Scanning
T1615 Group Policy Discovery
© 2022 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.

Mitigations

id description
T1036.005 Use file system access controls to protect folders such as C:WindowsSystem32.
T1046 Ensure proper network segmentation is followed to protect critical servers and devices.
T1087 Manage the creation, modification, use, and permissions associated to user accounts.
T1111 Remove smart cards when not in use.
T1134.001 An adversary must already have administrator level access on the local system to make full use of this technique; be sure to restrict users and accounts to the least privileges they require.
T1135 Enable Windows Group Policy “Do Not Allow Anonymous Enumeration of SAM Accounts and Shares” security setting to limit users who can enumerate network shares.
T1550.004 Configure browsers or tasks to regularly delete persistent cookies.
T1562.003 Make sure that the <code>HISTCONTROL</code> environment variable is set to “ignoredups” instead of “ignoreboth” or “ignorespace”.
T1574.006 When System Integrity Protection (SIP) is enabled in macOS, the aforementioned environment variables are ignored when executing protected binaries. Third-party applications can also leverage Apple’s Hardened Runtime, ensuring these environment variables are subject to imposed restrictions. Admins can add restrictions to applications by setting the setuid and/or setgid bits, use entitlements, or have a __RESTRICT segment in the Mach-O binary.
T1574.007 Ensure that proper permissions and directory access control are set to deny users the ability to write files to the top-level directory <code>C:</code> and system directories, such as <code>C:Windows</code>, to reduce places where malicious files could be placed for execution. Require that all executables be placed in write-protected directories.
T1590 This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls. Efforts should focus on minimizing the amount and sensitivity of data available to external parties.
T1592 This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls. Efforts should focus on minimizing the amount and sensitivity of data available to external parties.
T1595 This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls. Efforts should focus on minimizing the amount and sensitivity of data available to external parties.
© 2022 The MITRE Corporation. Esta obra se reproduce y distribuye con el permiso de The MITRE Corporation.