The TigerGraph platform provides the facility for users to remotely upload user-defined functions as C++ source code, which are then automatically compiled and installed into sensitive system components. Due to a lack of safeguards, this process can be exploited by an attacker to circumvent the majority of TigerGraph’s security mechanisms.

Background

We have discovered a critical CVE (Common Vulnerabilities and Exposures) in the TigerGraph product suite. We withheld the details for three months to give TigerGraph sufficient time to fix the vulnerability and reinforce its security before the details of the CVE became public.

The CVE documents insufficient safeguards in the GSQL query language against malicious, or merely erroneous, user-supplied C++ code. It shows how the UDF feature of GSQL can be used to escalate a user's privileges to those of the administrative user, disable authentication, exfiltrate sensitive data, and then remove the audit logs.

As of this writing, these issues affect the latest version of TigerGraph Server 3.6.0 and any other product that is derived from this code-base, for instance, the Official TigerGraph Docker image. Although unconfirmed, TigerGraph Cloud is also potentially impacted.

Mitigations

During the responsible disclosure process, TigerGraph confirmed that GSQL was behaving as expected and offered the following mitigations:

  • enable authentication for GSQL and the REST endpoints; and
  • change the default password of the tigergraph admin user.

These mitigations are not sufficient to protect against this attack.

Recommendations

The TigerGraph architecture allows arbitrary C++ code execution. Accordingly, this vulnerability will remain inside TigerGraph products until the fundamental architecture is changed.

Our recommendations for using TigerGraph in the meantime are to:

  • Avoid using UDFs. Even unused ones pose a security risk.
  • If UDFs must be used, sanitize all inputs passing between GSQL and a UDF. We acknowledge that this is difficult, because the sanitization would itself have to be implemented either as another UDF or in GSQL rather than C++.
  • Limit TigerGraph’s access to networks that contain sensitive data. As a TigerGraph cluster is able to run arbitrary code, it is wise to ensure that network traffic from and to it is restricted.
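To make the second recommendation concrete, the following C++ is an added illustration of allowlist validation on the UDF side of the GSQL/UDF boundary. It is not TigerGraph's code and does not use TigerGraph's UDF API: the function signature `safePrefix`, the argument types (`std::string` and `int64_t`), and the length limit `kMaxArgLen` are assumptions chosen for the example. The point it demonstrates is that a UDF should refuse any argument that is not within a known length and character set before touching a fixed buffer or passing the value on.

```cpp
#include <cctype>
#include <cstdint>
#include <string>

// Hypothetical validation helpers for data crossing the GSQL/UDF boundary.
// The UDF signature below and the way GSQL would pass its arguments are
// assumptions; the checks themselves are generic allowlist validation.

// Maximum size accepted for any string argument (assumed policy value).
constexpr std::size_t kMaxArgLen = 256;

// Accept only ASCII letters, digits and a small punctuation set.
// NUL bytes, control characters, quotes and backslashes are all rejected,
// so downstream C++ code never sees bytes it did not expect.
bool isSafeIdentifierChar(unsigned char c) {
    return std::isalnum(c) != 0 || c == '_' || c == '-' || c == '.';
}

// Returns true when `arg` is non-empty, within the length limit, and every
// byte passes the allowlist.
bool validateStringArg(const std::string& arg) {
    if (arg.empty() || arg.size() > kMaxArgLen) return false;
    for (unsigned char c : arg) {
        if (!isSafeIdentifierChar(c)) return false;
    }
    return true;
}

// Range-checks an integer argument before it is used as an index or size.
bool validateIntArg(int64_t value, int64_t lo, int64_t hi) {
    return value >= lo && value <= hi;
}

// Example UDF body (hypothetical signature): returns the first `n`
// characters of `s` via a fixed-size buffer. Both inputs are validated
// first, so the copy cannot overrun the buffer and the result cannot
// carry control bytes back into GSQL.
std::string safePrefix(const std::string& s, int64_t n) {
    char buf[kMaxArgLen + 1] = {0};
    if (!validateStringArg(s) ||
        !validateIntArg(n, 0, static_cast<int64_t>(s.size()))) {
        return "";  // refuse rather than guess on bad input
    }
    s.copy(buf, static_cast<std::size_t>(n));
    return std::string(buf);
}
```

Rejecting the call outright on bad input, rather than truncating or escaping, keeps the UDF's behaviour easy to reason about and gives the caller a clear signal that validation in GSQL upstream has failed.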

Full details and example