CVE-2021-41192
Published: 2021-11-24
Priority: P3 (50) · Severity: medium · CVSS 3.1 base score: 6.5
CVSS vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Flags: EXPLOIT
EPSS: 8.02% (94.0th percentile)
Redash is a package for data visualization and sharing. If an admin sets up Redash versions 10.0.0 and prior without explicitly specifying the `REDASH_COOKIE_SECRET` or `REDASH_SECRET_KEY` environment variables, a default value is used for both that is the same across all installations. In such cases, the instance is vulnerable to attackers being able to forge sessions using the known default value. This issue only affects installations where the `REDASH_COOKIE_SECRET` or `REDASH_SECRET_KEY` environment variables have not been explicitly set. This issue does not affect users of the official Redash cloud images, Redash's Digital Ocean marketplace droplets, or the scripts in the `getredash/setup` repository; these instances automatically generate unique secret keys during installation. One can verify whether one's instance is affected by checking the value of the `REDASH_COOKIE_SECRET` environment variable. If it is `c292a0a3aa32397cdb050e233733900f`, the admin should follow the steps to secure the instance outlined in the GitHub Security Advisory.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| getredash | redash | <= 10.0.0 | — |
| redash | redash | <= 10.0.0 | — |
Detection & IOCs (extracted from sources)
| Type | Value |
|---|---|
| url | /reset/IjEi.YhAmmQ.cdQp7CnnVq02aQ05y8tSBddl-qs |
| url | /redash/reset/IjEi.YhAmmQ.cdQp7CnnVq02aQ05y8tSBddl-qs |
| other | shodan:http.favicon.hash:698624197 |
| other | fofa:icon_hash=698624197 |
- Probe for vulnerable Redash instances by requesting the known default-secret-forged password-reset token path and checking the response body for 'Enter your new password:' and 'redash' with HTTP 200 status.
- Match response body containing both 'Enter your new password:' and 'redash' with HTTP 200 to confirm exploitation of the default cookie secret.
- Identify exposed Redash instances via Shodan favicon hash 698624197 or FOFA icon_hash=698624197 for targeting.
- Check the REDASH_COOKIE_SECRET environment variable on any Redash installation; if it equals 'c292a0a3aa32397cdb050e233733900f', the instance is vulnerable to session forgery.
- The vulnerability only affects Redash installations where REDASH_COOKIE_SECRET or REDASH_SECRET_KEY were never explicitly set; official cloud images, Digital Ocean marketplace droplets, and getredash/setup scripts auto-generate unique keys and are NOT affected.
- The default secret value 'c292a0a3aa32397cdb050e233733900f' is shared across ALL vulnerable installations, enabling an attacker to forge valid session cookies for any unpatched instance.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N |
| NVD | 2.0 | 3.5 | LOW | AV:N/AC:M/Au:S/C:N/I:P/A:N |
Nuclei
CVE-2021-41192 [MEDIUM] Redash Setup Configuration - Default Secrets Disclosure (nuclei · CVSS 6.5)
Redash Setup Configuration is vulnerable to default secrets disclosure (Insecure Default Initialization of Resource). If an admin sets up Redash versions <=10.0 and prior without explicitly specifying the `REDASH_COOKIE_SECRET` or `REDASH_SECRET_KEY` environment variables, a default value is used for both that is the same across all installations. In such cases, the instance is vulnerable to attackers being able to forge sessions using the known default value.
Template (as indexed; the description field is truncated in the source):
```yaml
id: CVE-2021-41192
info:
  name: Redash Setup Configuration - Default Secrets Disclosure
  author: bananabr
  severity: medium
  description: Redash Setup Configuration is vulnerable to default secrets disclosure (Insecure Default Initialization of Resource). If an admin s
```
CWE
CWE-1392: Use of Default Credentials (mitre_cwe · CVSS 8.1 · HIGH)
The product uses default credentials (such as passwords or cryptographic keys) for potentially critical functionality.
It is common practice for products to be designed to use default keys, passwords, or other mechanisms for authentication. The rationale is to simplify the manufacturing process or the system administrator's task of installation and deployment into an enterprise. However, if admins do not change the defaults, it is easier for attackers to bypass authentication quickly across multiple organizations.
Modes of Introduction: Phase: Architecture and Design
Common Consequences: Scope: Authentication. Impact: Gain Privileges or Assume Identity.
Potential Mitigations:
[Requirements] Prohibit use of default, hard-coded, or other values that
CWE
CWE-1391: Use of Weak Credentials (mitre_cwe)
The product uses weak credentials (such as a default key or hard-coded password) that can be calculated, derived, reused, or guessed by an attacker.
By design, authentication protocols try to ensure that attackers must perform brute force attacks if they do not know the credentials such as a key or password. However, when these credentials are easily predictable or even fixed (as with default or hard-coded passwords and keys), then the attacker can defeat the mechanism without relying on brute force. Credentials may be weak for different reasons, such as:
- Hard-coded (i.e., static and unchangeable by the administrator)
- Default (i.e., the same static value across different deployments/installations, but able to be changed by the administrator)
- Predictable
References
- https://github.com/getredash/redash/commit/ce60d20c4e3d1537581f2f70f1308fe77ab6a214
- https://github.com/getredash/redash/security/advisories/GHSA-g8xr-f424-h2rv
- https://ian.sh/redash