Today we are releasing version 0.12.0 of the Synthetic Monitoring Agent which contains a fix for CVE-2022-46156. This vulnerability was first patched in version 0.11.2, with further patches now available in version 0.12.0.
Network exposure of API token (CVE-2022-46156)
On Nov. 23, a Grafana community member reported a vulnerability regarding the exposure of the API token through a debug endpoint that was enabled by default for profiling purposes.
We proceeded to disable the debug endpoint in release v0.11.2. But further improvements have been implemented in the v0.12.0 release, specifically allowing the use of the environment (instead of the command line) to pass the API token as well as defaulting to listening on localhost instead of all interfaces for the HTTP server (which serves operational metrics as well as the debug endpoints). This vulnerability has a CVSS score of 7.2 High.
Users running the Synthetic Monitoring Agent in their local network are impacted. (Agents operated by Grafana Labs are not impacted as we take additional measures to ensure that the HTTP endpoint is not accessible outside our environment.) The authentication token used to communicate with the Synthetic Monitoring API is exposed through a debugging endpoint. This token can be used to retrieve the Synthetic Monitoring checks created by the user and assigned to the agent identified with that token. The Synthetic Monitoring API will reject connections from already connected agents, so access to the token does not guarantee access to the checks.
The following changes have been made to address this issue:
- Disable debug endpoint by default
- Allow retrieving the token from the environment
- Default to listening on localhost
Solutions and mitigations
Users are advised to upgrade to version 0.12.0 as soon as possible and to rotate the agent tokens.
After upgrading to version v0.12.0 or later, it’s recommended that users of distribution packages (e.g., Debian or RedHat and their derivatives) review the configuration stored in
/etc/synthetic-monitoring/synthetic-monitoring-agent.conf, specifically the API_TOKEN variable which has been renamed to SM_AGENT_API_TOKEN.
As a workaround, for all previous versions of the Synthetic Monitoring Agent, it’s recommended that users review the agent settings and set the HTTP listening address in a manner that limits the exposure. For example, use localhost or a non-routed network by passing the command line parameter
-listen-address (e.g., -listen-address localhost:4050.)
For more information
If you have any questions or comments about this advisory:
- You can use the Synthetic Monitoring Agent discussions.
- Issues should be reported in the Synthetic Monitoring Agent issues
- Email us at email@example.com.
Reporting security issues
If you think you have found a security vulnerability, please send a report to firstname.lastname@example.org. This address can be used for all of Grafana Labs’ open source and commercial products (including, but not limited to Grafana, Grafana Cloud, Grafana Enterprise, and grafana.com). We can accept only vulnerability reports at this address. We would prefer that you encrypt your message to us by using our PGP key. The key fingerprint is
F988 7BEA 027A 049F AE8E 5CAA D125 8932 BE24 C5CA
The key is available from keyserver.ubuntu.com.
We maintain a security category on our blog, where we will always post a summary, remediation, and mitigation details for any patch containing security fixes.
You can also subscribe to our RSS feed