CVE-2023-41041 - Graylog's Multi-node Cluster User Session Issue: Exploiting and Ensuring Security

Introduction: Graylog is a popular open-source log management platform that many organizations use to collect, store, and analyze log data for monitoring their infrastructure. In this post, we will discuss a recently discovered vulnerability in Graylog (CVE-2023-41041) that affects user sessions in a multi-node cluster environment. Specifically, we will examine the details of this vulnerability, provide code snippets to demonstrate its exploitation, and share links to original references. Finally, we will discuss the solution that has been developed and the steps users should take to ensure the security of their Graylog clusters.

Exploit Details

As mentioned earlier, the vulnerability stems from the way Graylog handles user sessions in a multi-node cluster. Below is a summary of the key points related to this issue:

1. Each node in a Graylog cluster maintains its isolated version of a user session. When a user logs out, the session is removed from that node's local cache and deleted from the database. However, other nodes in the cluster continue to use their cached session data.

2. Most API requests generated through user interactions with the Graylog UI will trigger updates to the session's "last access" timestamp, causing the other nodes in the cluster to recognize the invalidated session.

3. However, if the X-Graylog-No-Session-Extension:true header is included in the API request, the updating of the session is prevented, allowing the cached session to be considered valid until it expires due to the configured session timeout setting.

Code Snippet

To exploit this vulnerability, an attacker can send an API request that includes the X-Graylog-No-Session-Extension:true header, as shown below:

import requests

url = 'http://graylog.example.com/api/some_endpoint';
headers = {
    'X-Requested-By': 'an_attacker',
    'X-Graylog-No-Session-Extension': 'true',
    'Accept': 'application/json',
    'Authorization': 'Bearer <potentially_compromised_session_id>'
}

response = requests.get(url, headers=headers)
print(response.json())

This code sends a GET request to a Graylog API endpoint while avoiding session updates, allowing the potentially compromised session to remain valid and effectively bypassing the intended logout mechanism.

Here are some authoritative sources for further details on the CVE-2023-41041 vulnerability

- CVE-2023-41041 description
- Graylog GitHub Security Advisory

Solution

Graylog has addressed this issue in versions 5..9 and 5.1.3. Users are strongly advised to upgrade their Graylog installations to these versions to eliminate the risk of unauthorized API requests from invalidated user sessions.

Conclusion

In this post, we have discussed the vulnerability (CVE-2023-41041) affecting Graylog's user session handling in multi-node cluster environments. We have explored the steps to exploit the vulnerability using a code snippet and recommended upgrading to Graylog versions 5..9 and 5.1.3 as the solution to protect against this threat. Users of Graylog should take immediate action to ensure their systems are up-to-date, thereby maintaining the security and integrity of their log management and analysis infrastructure.

Timeline

Published on: 08/30/2023 22:15:00 UTC
Last modified on: 09/05/2023 19:37:00 UTC