{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/database-exfiltration/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Dgraph"],"_cs_severities":["critical"],"_cs_tags":["dgraph","dql-injection","injection","database-exfiltration"],"_cs_type":"advisory","_cs_vendors":["Dgraph"],"content_html":"\u003cp\u003eA critical vulnerability exists in Dgraph, a graph database, allowing unauthenticated attackers to perform full database exfiltration. This flaw resides within the \u003ccode\u003e/mutate\u003c/code\u003e endpoint, specifically when Access Control Lists (ACL) are disabled, which is the default configuration. By injecting malicious DQL queries via a crafted \u003ccode\u003econd\u003c/code\u003e field in an upsert mutation, attackers can bypass authorization checks and extract sensitive data, including user credentials and secrets. The vulnerability stems from the lack of proper sanitization of the \u003ccode\u003econd\u003c/code\u003e field, leading to direct concatenation into the DQL query string. 
This vulnerability was found in v25.3.0, but may exist in other versions as well.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker sends an HTTP POST request to the \u003ccode\u003e/mutate?commitNow=true\u003c/code\u003e endpoint without any authentication headers (e.g., \u003ccode\u003eX-Dgraph-AccessToken\u003c/code\u003e, \u003ccode\u003eX-Dgraph-AuthToken\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003emutationHandler\u003c/code\u003e in \u003ccode\u003ehttp.go\u003c/code\u003e extracts the request body and processes the \u003ccode\u003emutations\u003c/code\u003e array, including the \u003ccode\u003econd\u003c/code\u003e field, using \u003ccode\u003estrconv.Unquote\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe request proceeds to \u003ccode\u003eedgraph.Server.QueryNoGrpc\u003c/code\u003e, where the \u003ccode\u003eCond\u003c/code\u003e value is copied verbatim to \u003ccode\u003edql.Mutation.Cond\u003c/code\u003e in \u003ccode\u003eserver.go\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ebuildUpsertQuery\u003c/code\u003e function in \u003ccode\u003eserver.go\u003c/code\u003e performs a simple string replacement (\u003ccode\u003e@if\u003c/code\u003e to \u003ccode\u003e@filter\u003c/code\u003e) but otherwise concatenates the unsanitized \u003ccode\u003eCond\u003c/code\u003e value into the DQL query.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003edql.ParseWithNeedVars\u003c/code\u003e parser processes the constructed DQL string, accepting the injected query blocks as valid DQL.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eauthorizeQuery\u003c/code\u003e function in \u003ccode\u003eaccess.go\u003c/code\u003e returns \u003ccode\u003enil\u003c/code\u003e immediately because ACL is disabled (\u003ccode\u003eAclSecretKey == nil\u003c/code\u003e), bypassing authorization checks.\u003c/li\u003e\n\u003cli\u003eThe injected query block executes, 
traversing and extracting data from the database.\u003c/li\u003e\n\u003cli\u003eThe response, containing the exfiltrated data, is returned to the attacker via \u003ccode\u003ehttp.go\u003c/code\u003e, effectively granting unauthorized access to sensitive information.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability results in complete database exfiltration. Attackers can retrieve all nodes, predicates, and values within the Dgraph database, including sensitive data such as user credentials, API keys, and Personally Identifiable Information (PII). Because Dgraph ships with ACL disabled by default, any instance whose \u003ccode\u003e/mutate\u003c/code\u003e endpoint is reachable over the network without ACL configured is exposed. The injection can also manipulate upsert conditions, bypassing uniqueness constraints and conditional mutation logic.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable ACL on all Dgraph instances and configure appropriate access controls to mitigate unauthorized data access.\u003c/li\u003e\n\u003cli\u003eImplement the Sigma rule \u003ccode\u003eDetect Dgraph DQL Injection in Mutation Endpoint\u003c/code\u003e to identify potentially malicious requests to the \u003ccode\u003e/mutate\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eValidate the \u003ccode\u003econd\u003c/code\u003e field of mutation requests, in Dgraph itself or in any API layer that forwards client-supplied upserts, so that only a single \u003ccode\u003e@if(...)\u003c/code\u003e directive reaches the query builder instead of being concatenated verbatim into the DQL string.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for POST requests to the \u003ccode\u003e/mutate\u003c/code\u003e endpoint whose \u003ccode\u003econd\u003c/code\u003e values contain anything beyond one \u003ccode\u003e@if(...)\u003c/code\u003e directive, such as braces, additional query blocks, or extra directives.\u003c/li\u003e\n\u003cli\u003eReview and restrict network access to the Dgraph instance, limiting access only to authorized clients and networks.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-10-26T12:00:00Z","date_published":"2024-10-26T12:00:00Z","id":"/briefs/2024-10-dgraph-dql-injection/","summary":"A pre-authentication DQL injection vulnerability in Dgraph's `/mutate` endpoint, when ACL is disabled, allows attackers to exfiltrate the entire database by crafting a malicious `cond` field in an upsert mutation.","title":"Dgraph Pre-Auth DQL Injection Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-10-dgraph-dql-injection/"}],"language":"en","title":"CraftedSignal Threat Feed — Database-Exfiltration","version":"https://jsonfeed.org/version/1.1"}
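The concatenation described in the attack chain and the validation the recommendations call for, as an added example in Go that is not Dgraph's code and not part of the feed entry: a simplified model of the unsafe upsert query builder (the `@if` to `@filter` rewrite followed by verbatim concatenation), a `cond` validator that admits only a single `@if(...)` directive, a hardened builder that uses it, and a request-body check of the kind the monitoring recommendation describes. The helper variable naming, the `uid(0)` placeholder block, the JSON struct shapes and the two sample request bodies (including the `password` predicate) are assumptions constructed for this illustration.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Mutation and UpsertRequest mirror only the fields of a Dgraph JSON upsert
// body that matter here ("query" and each mutation's "cond"). Assumed shapes.
type Mutation struct {
	Cond string `json:"cond"`
}

type UpsertRequest struct {
	Query     string     `json:"query"`
	Mutations []Mutation `json:"mutations"`
}

// buildUpsertQueryUnsafe models the behaviour the advisory describes: the first
// "@if" is rewritten to "@filter" and the remainder of cond is appended to the
// DQL text verbatim, so extra query blocks in cond become part of the query.
// The variable naming and the uid(0) helper block are assumptions of this model,
// not Dgraph's implementation.
func buildUpsertQueryUnsafe(query string, conds []string) string {
	q := strings.TrimSuffix(strings.TrimSpace(query), "}")
	for i, cond := range conds {
		if strings.TrimSpace(cond) == "" {
			continue
		}
		filter := strings.Replace(cond, "@if", "@filter", 1)
		q += fmt.Sprintf("\n  __cond_%d__ as var(func: uid(0)) %s", i, filter)
	}
	return q + "\n}"
}

// ValidateCond accepts an empty cond or exactly one "@if( ... )" directive with
// balanced parentheses and no block delimiters. Anything that could open a
// second query block or add a directive is rejected before concatenation.
func ValidateCond(cond string) error {
	c := strings.TrimSpace(cond)
	if c == "" {
		return nil
	}
	if !strings.HasPrefix(c, "@if(") {
		return errors.New("cond must start with @if(")
	}
	if strings.ContainsAny(c, "{}") {
		return errors.New("cond must not contain block delimiters")
	}
	body := c[len("@if"):] // starts at the opening parenthesis of @if(
	depth := 0
	for i, r := range body {
		switch r {
		case '(':
			depth++
		case ')':
			depth--
			// The directive closed before the end of cond: trailing text.
			if depth == 0 && i != len(body)-1 {
				return errors.New("trailing text after @if(...)")
			}
		}
	}
	if depth != 0 {
		return errors.New("unbalanced parentheses in cond")
	}
	return nil
}

// BuildUpsertQuerySafe is the hardened form: every cond is validated before it
// is spliced into the query text.
func BuildUpsertQuerySafe(query string, conds []string) (string, error) {
	for i, cond := range conds {
		if err := ValidateCond(cond); err != nil {
			return "", fmt.Errorf("mutation %d: %w", i, err)
		}
	}
	return buildUpsertQueryUnsafe(query, conds), nil
}

// FlagRequest parses a /mutate request body and reports whether any cond fails
// the same check; this is the logic a proxy or traffic monitor would apply.
func FlagRequest(body []byte) (bool, error) {
	var req UpsertRequest
	if err := json.Unmarshal(body, &req); err != nil {
		return false, err
	}
	for _, m := range req.Mutations {
		if ValidateCond(m.Cond) != nil {
			return true, nil
		}
	}
	return false, nil
}

// Constructed sample bodies (not captured traffic): a normal conditional upsert,
// and one whose cond closes the @if directive and appends a query block.
const benignBody = `{"query":"{ q(func: eq(email, \"a@example.com\")) { v as uid } }",
 "mutations":[{"cond":"@if(eq(len(v), 0))","set":{"email":"a@example.com"}}]}`

const injectedBody = `{"query":"{ q(func: eq(email, \"a@example.com\")) { v as uid } }",
 "mutations":[{"cond":"@if(eq(len(v), 0)) leak(func: has(password)) { uid password }","set":{"email":"a@example.com"}}]}`

func main() {
	for _, b := range []string{benignBody, injectedBody} {
		flagged, err := FlagRequest([]byte(b))
		fmt.Println("flagged:", flagged, "err:", err)
	}
	var req UpsertRequest
	_ = json.Unmarshal([]byte(injectedBody), &req)
	conds := []string{req.Mutations[0].Cond}
	fmt.Println(buildUpsertQueryUnsafe(req.Query, conds)) // injected block survives
	_, err := BuildUpsertQuerySafe(req.Query, conds)
	fmt.Println("safe build:", err) // rejected before concatenation
}
```

`ValidateCond` is a deliberately narrow allow-list: it rejects braces, a second directive after the closing parenthesis, and unbalanced parentheses, which covers the injected-block pattern the attack chain describes. A fix inside Dgraph could instead parse `cond` with the DQL parser as a standalone directive and refuse anything that yields more than one filter, but the allow-list is what an external API layer or detection rule can apply without that parser.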