Hi Team,
I’ve discovered a high-severity vulnerability in Graylog Community Edition v6.0.0 related to exposed configuration information, specifically an issue with the telemetry configuration. This falls under OWASP A5 2021 - Security Misconfiguration and CWE-1349 (Configuration).
During investigation, I found that the /config.js resource, which is accessible to all users, returns several configuration parameters, including a telemetry API key. This key is then used by PostHog, where telemetry data is being sent. Critically, this PostHog API key is hardcoded in the Graylog repository (see graylog2-server/graylog2-server/src/main/java/org/graylog2/configuration/TelemetryConfiguration.java on the master branch of Graylog2/graylog2-server on GitHub, line 34).
This exposure of the PostHog API key presents a significant security risk. Here’s a breakdown of the potential risks and how an attacker could exploit this vulnerability:
- Data Manipulation/Injection: An attacker with the PostHog API key could potentially inject or manipulate telemetry data being sent to PostHog. This could lead to:
  - False Positives/Negatives: Manipulating data to trigger false alerts or suppress real ones, disrupting monitoring and incident response.
  - Data Poisoning: Injecting malicious data to skew metrics and analytics, leading to incorrect conclusions about system performance and security.
- Data Exfiltration: Depending on the PostHog configuration and the data being collected, the attacker might be able to access and exfiltrate existing telemetry data. This could reveal sensitive information about Graylog usage, system configurations, and potentially even user activity.
- Account Takeover (Potential): If the PostHog account associated with the exposed key has any administrative privileges or access to other systems, an attacker could potentially leverage this access for further compromise.
- Denial of Service (DoS): An attacker could flood PostHog with bogus data, potentially disrupting the telemetry service and impacting Graylog's ability to monitor system health.
Given the potential impact, including data manipulation, exfiltration, and potential further compromise, this vulnerability is classified as high and requires immediate attention. I urge the Graylog team to address and patch this issue as soon as possible. Please let me know if any further information is needed from my end.
Thanks
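The following is an added example and is not part of the report above, nor Graylog's or PostHog's own code. It is a small Python auditor an operator can run against their own Graylog web frontend to confirm whether the unauthenticated config endpoint returns credential-like values. The sample config.js body, its key names and the key value are constructed for illustration; the real endpoint's layout may differ, so the matcher is deliberately loose. The one external fact relied on is that PostHog project API keys begin with `phc_`.

```python
import re
import urllib.request
from typing import List, Tuple

# Constructed sample of what an unauthenticated web config endpoint might
# return. This is NOT Graylog's real /config.js output; the key names and the
# key value are made up for illustration.
SAMPLE_CONFIG_JS = """
window.appConfig = {
  gl2ServerUrl: '/api/',
  gl2AppPathPrefix: '/',
  rootTimeZone: 'UTC',
  telemetry: {
    api_key: 'phc_EXAMPLEKEY0000000000000000000000000000000',
    host: 'https://telemetry.example.invalid',
    enabled: true,
  },
};
"""

# Key names that usually carry credentials or tokens.
SENSITIVE_KEY_RE = re.compile(r"(api[_-]?key|secret|token|password|passwd)", re.IGNORECASE)
# Values shaped like a PostHog project API key (these start with "phc_").
POSTHOG_KEY_RE = re.compile(r"\bphc_[A-Za-z0-9]{20,}\b")
# Loose matcher for key: 'value' / key: "value" pairs in a JS object literal.
PAIR_RE = re.compile(r"""['"]?([A-Za-z0-9_.-]+)['"]?\s*:\s*(['"])(.*?)\2""")


def mask(value: str) -> str:
    """Keep only a short prefix so the audit report does not re-leak the secret."""
    return value[:6] + "..." if len(value) > 6 else "***"


def find_exposed_secrets(config_js: str) -> List[Tuple[str, str, str]]:
    """Return (key, masked_value, reason) for each entry that looks like a secret.

    An entry is flagged if its key name looks credential-like, or if its value
    has the shape of a PostHog project key, or both.
    """
    findings = []
    for m in PAIR_RE.finditer(config_js):
        key, value = m.group(1), m.group(3)
        reasons = []
        if SENSITIVE_KEY_RE.search(key):
            reasons.append("sensitive key name")
        if POSTHOG_KEY_RE.search(value):
            reasons.append("PostHog-style key value")
        if reasons:
            findings.append((key, mask(value), "; ".join(reasons)))
    return findings


def audit_url(url: str, timeout: float = 10.0) -> List[Tuple[str, str, str]]:
    """Fetch a config endpoint on your own deployment (no auth) and audit it."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        body = resp.read().decode("utf-8", "replace")
    return find_exposed_secrets(body)


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; for a live check call
    # audit_url("https://<your-graylog-host>/config.js") instead.
    for key, masked, reason in find_exposed_secrets(SAMPLE_CONFIG_JS):
        print(f"{key}: {masked}  [{reason}]")
```

On the constructed sample the auditor reports the single `api_key` entry, flagged both by name and by value shape. When a real finding comes back, the check that decides the actual impact is what kind of PostHog credential it is: a project API key is the write-only key PostHog intends to be embedded in client-side code for event capture, whereas a personal API key grants read access to the project; confirm which one it is in the PostHog project settings before assigning severity, and rotate it there if it should not have been public.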