grafana-cve-2021-43798 Scenario

« grafana-cve-2021-43798 »
v0.3 by crowdsecurity
Attack scenarioremediation:trueservice:grafanaspoofable:0MITRE:T1190MITRE:T1595confidence:3

Grafana - Arbitrary File Read (CVE-2021-43798)

Installation

cscli scenarios install crowdsecurity/grafana-cve-2021-43798

Description

Detect exploitation of CVE-2021-43798

YAML Configuration

1type: trigger
2format: 2.0
3name: crowdsecurity/grafana-cve-2021-43798
4description: "Grafana - Arbitrary File Read (CVE-2021-43798)"
5filter: |
6  evt.Meta.log_type in ["http_access-log", "http_error-log"] and 
7    (Upper(evt.Meta.http_path) matches '/PUBLIC/PLUGINS/[^/]+/../[./]+/'
8    or
9    Upper(evt.Meta.http_path) matches '/PUBLIC/PLUGINS/[^/]+/%2E%2E/[%2E/]+/')
10groupby: "evt.Meta.source_ip"
11blackhole: 2m
12labels:
13  service: grafana
14  confidence: 3
15  spoofable: 0
16  classification:
17    - attack.T1190
18    - attack.T1595
19    - cve.CVE-2021-43798
20  behavior: "http:exploit"
21  label: "Grafana - LFI"
22  remediation: true
23

Hub configuration

« grafana-cve-2021-43798 »v0.3 by crowdsecurityAttack scenarioremediation:trueservice:grafanaCVE-2021-43798spoofable:0MITRE:T1190MITRE:T1595confidence:3

« grafana-cve-2021-43798 »
v0.3 by crowdsecurity
Attack scenarioremediation:trueservice:grafanaspoofable:0MITRE:T1190MITRE:T1595confidence:3