{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/admin-token-disclosure/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Dgraph"],"_cs_severities":["critical"],"_cs_tags":["dgraph","authentication-bypass","admin-token-disclosure"],"_cs_type":"advisory","_cs_vendors":["Dgraph"],"content_html":"\u003cp\u003eDgraph, a graph database, exposes sensitive information through an unauthenticated endpoint, \u003ccode\u003e/debug/vars\u003c/code\u003e, in versions prior to 25.3.3. The vulnerability arises because the admin token is often passed as a command-line argument using the \u003ccode\u003e--security \u0026quot;token=...\u0026quot;\u003c/code\u003e flag. This argument is exposed through the \u003ccode\u003e/debug/vars\u003c/code\u003e endpoint, which is enabled by default via Go\u0026rsquo;s \u003ccode\u003eexpvar\u003c/code\u003e package. An attacker can retrieve this token without authentication and then use it to gain administrative privileges by including it in the \u003ccode\u003eX-Dgraph-AuthToken\u003c/code\u003e header of subsequent requests. This is a bypass of previous attempts to mitigate similar issues via \u003ccode\u003e/debug/pprof/cmdline\u003c/code\u003e, which were addressed incompletely. 
This issue impacts deployments where the Alpha HTTP port is reachable by untrusted parties, allowing for a full authentication bypass.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker sends an unauthenticated GET request to the \u003ccode\u003e/debug/vars\u003c/code\u003e endpoint on the Dgraph Alpha server (e.g., \u003ccode\u003eGET /debug/vars HTTP/1.1\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe server responds with a JSON payload containing the \u003ccode\u003ecmdline\u003c/code\u003e field.\u003c/li\u003e\n\u003cli\u003eThe attacker parses the JSON response and extracts the value of the \u003ccode\u003ecmdline\u003c/code\u003e field.\u003c/li\u003e\n\u003cli\u003eThe attacker searches the \u003ccode\u003ecmdline\u003c/code\u003e output for the \u003ccode\u003e--security token=...\u003c/code\u003e argument.\u003c/li\u003e\n\u003cli\u003eThe attacker extracts the admin token from the \u003ccode\u003e--security\u003c/code\u003e argument string.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a request to an admin-only endpoint (e.g., \u003ccode\u003eGET /admin/config/cache_mb HTTP/1.1\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker includes the extracted admin token in the \u003ccode\u003eX-Dgraph-AuthToken\u003c/code\u003e header of the request.\u003c/li\u003e\n\u003cli\u003eThe Dgraph Alpha server validates the token, granting the attacker administrative access.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows an unauthenticated attacker to gain complete administrative control over the Dgraph database. This includes the ability to read and modify admin configurations, and perform operational control actions. 
In deployments where the Alpha HTTP port is publicly accessible, this vulnerability poses a significant risk, leading to potential data breaches, service disruption, and unauthorized manipulation of the database. While the number of affected deployments is not explicitly stated, any Dgraph instance running a vulnerable version with an exposed Alpha HTTP port is at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Dgraph to version 25.3.3 or later to address the vulnerability.\u003c/li\u003e\n\u003cli\u003eAs a temporary workaround, restrict access to the Alpha HTTP port to trusted networks only.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule below to detect unauthorized access attempts to the \u003ccode\u003e/admin/config/cache_mb\u003c/code\u003e endpoint using the \u003ccode\u003eX-Dgraph-AuthToken\u003c/code\u003e header.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule below to detect access to the \u003ccode\u003e/debug/vars\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-05-02T12:00:00Z","date_published":"2024-05-02T12:00:00Z","id":"/briefs/2024-05-dgraph-auth-bypass/","summary":"Dgraph versions prior to 25.3.3 expose the admin token via the `/debug/vars` endpoint, allowing unauthenticated attackers to bypass authentication and gain administrative access.","title":"Dgraph Unauthenticated Admin Token Disclosure via /debug/vars","url":"https://feed.craftedsignal.io/briefs/2024-05-dgraph-auth-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed — Admin-Token-Disclosure","version":"https://jsonfeed.org/version/1.1"}