On the TigerGraph platform, the credentials of each user (including the administrative user) are persistently stored in the platform log files every time they are used to perform an HTTP authentication. The security implications of this are:
  1. The TigerGraph platform unwittingly harvests the credentials of every active user.
  2. CVE-2023-22950 demonstrates that a user with a relatively low level of privilege is able to access and exfiltrate these credentials.
  3. The administrative user has unrestricted access to the credentials of every user.
These issues undermine the integrity of TigerGraph's access control system because user credentials are easily obtained.

Impact

Severe. It also increases the severity of CVE-2022-30331 as it provides an exploitable attack vector for obtaining the login credentials of the administrative user.

Products/Versions Affected

  • TigerGraph Enterprise Free Edition 3.7.0 Docker Image
  • TigerGraph Enterprise Free Edition 3.7.0
  • TigerGraph Cloud
We suspect that this vulnerability is present in all TigerGraph products (although this is not confirmed).

Steps to Reproduce

Download and Run TigerGraph

Using Docker, download the latest TigerGraph image and start the server:
  1.) Optional: clean up old TigerGraph Docker images and obtain the latest version:
docker rm tigergraph
docker pull docker.tigergraph.com/tigergraph:latest
  2.) Download and run the docker image (note: we do not need to attach a volume):
docker run -d \
-p 14022:22 \
-p 9000:9000 \
-p 14240:14240 \
--name tigergraph \
--ulimit nofile=1000000:1000000 \
-t docker.tigergraph.com/tigergraph:latest
  3.) Once the container has started, connect to it via ssh (note: the default password is ‘tigergraph’):
ssh -p 14022 tigergraph@localhost
  4.) Start all TigerGraph services:
gadmin start all
  5.) Create a test graph (to enable us to define a user with designer permissions):
gsql "create graph test()"
  6.) Create a user — `alice` — with minimal privileges using GSQL:
gsql "create user"
User Name : alice
New Password : *****
Re-enter Password : *****
  7.) Grant privileges to Alice:
gsql "grant role designer on graph test to alice"
  8.) Change the default password for the tigergraph user:
gsql "alter password"
  9.) Enable RESTPP authentication:
gadmin config set RESTPP.Factory.EnableAuth true
gadmin config apply -y
gadmin restart restpp nginx gui gsql -y

Simulate User Behavior

To see user credentials in the logs we first need to generate some by simulating typical user behavior. To do this we use GraphStudio, TigerGraph's web interface, to perform a number of common actions. Note: simulate behavior for a range of different users (including the administrative user). To open GraphStudio, browse to https://localhost:14240 in your web browser and log in using the credentials for either alice or tigergraph. To make sure that an HTTP authentication takes place, perform one or more of the following actions for each user:

Change The Database Schema

  1. In GraphStudio, click on “Design Schema” on the left-hand side
  2. Click on the plus icon to create a new vertex type
  3. Approve the changes by clicking on the green tick in the top-right-hand corner
  4. Publish the schema changes by clicking on the document icon in the toolbar.

Create A New Query

  1. In GraphStudio, click on “Write Queries” on the left-hand side.
  2. Create a new query by clicking the plus icon in the middle of the view.
    1. In the popup dialog enter a unique name and save the query
  3. Install the automatically generated GSQL by clicking on the upload icon.

Obtaining GSQL Login Credentials

The easiest way to view the stored login credentials is to use the AdminPortal (which is co-located with GraphStudio). To do this, follow these steps:
  1. Log into GraphStudio as the tigergraph user (you may need to log-out first and then log back in).
  2. Click on the “Admin” button on the top-right corner to switch into the AdminPortal.
Once in the AdminPortal, follow these steps to locate the credentials in the log files:
  1.) On the left-hand side expand the "Monitor" menu.
  2.) Click on "Logs" to open the log viewer.
  3.) In the "Pattern" textbox enter the text "Basic " (including the trailing space).
  4.) Click "Search".
  5.) Locate any base64-encoded credentials in the logs; they look like the following text:
"auth":"Basic dGlnZXJncmFwaDp0aWdlcmdyYXBo"
  6.) Decode the credentials, for example using the base64 command in a Linux terminal like so:
echo dGlnZXJncmFwaDp0aWdlcmdyYXBo | base64 -d
tigergraph:tigergraph
Note: the resulting plaintext is in the form: username:password.
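As an added example (not part of the advisory and not TigerGraph's own code), the following Python scanner is the kind of check a defender could run over collected log files to find out whether Basic-auth tokens of the form shown above have been written to disk, and to produce a redacted copy that is safe to retain or ship to a central log store. The sample log lines are constructed; only the `"auth":"Basic ..."` field shape comes from the advisory, the surrounding fields are assumed. The report names the affected user and the password length, never the password itself, and tokens that are not valid base64 or do not contain a `user:password` pair are skipped rather than reported.

```python
import base64
import binascii
import re

# Constructed sample log lines (not real TigerGraph output). The `"auth":"Basic ..."`
# field mirrors the snippet in the advisory; the other fields are assumed.
SAMPLE_LOG = """\
I0101 12:00:01 restpp.go:120] request {"method":"GET","path":"/graph/test/vertices","auth":"Basic dGlnZXJncmFwaDp0aWdlcmdyYXBo"}
I0101 12:00:02 restpp.go:120] request {"method":"POST","path":"/query/test/q1","auth":"Basic YWxpY2U6czNjcjN0"}
I0101 12:00:03 restpp.go:120] request {"method":"GET","path":"/version"}
I0101 12:00:04 restpp.go:120] request {"method":"GET","path":"/version","auth":"Basic bm9jb2xvbg=="}
"""

# Matches the base64 token that follows "Basic " in an auth field or Authorization header.
BASIC_RE = re.compile(r"Basic\s+([A-Za-z0-9+/=]+)")


def decode_basic(token):
    """Return (username, password) for a Basic-auth token, or None if it is not a
    valid base64 'user:password' pair (bad padding, non-UTF-8 bytes, missing colon)."""
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    if ":" not in raw:
        return None
    user, _, password = raw.partition(":")
    return user, password


def find_leaked_credentials(log_text):
    """Scan log text and return (line_number, username, password_length) for every
    token that decodes to a credential pair. The password itself is never returned."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        for match in BASIC_RE.finditer(line):
            creds = decode_basic(match.group(1))
            if creds is not None:
                user, password = creds
                findings.append((lineno, user, len(password)))
    return findings


def redact_line(line):
    """Replace every Basic token on a line with a fixed marker."""
    return BASIC_RE.sub("Basic [REDACTED]", line)


def redact_log(log_text):
    """Return a copy of the log with all Basic tokens redacted, line structure preserved."""
    return "\n".join(redact_line(line) for line in log_text.splitlines())


if __name__ == "__main__":
    for lineno, user, pw_len in find_leaked_credentials(SAMPLE_LOG):
        print(f"line {lineno}: credentials logged for user '{user}' (password length {pw_len})")
    print(redact_log(SAMPLE_LOG))
```

Run it against real log files by reading them into `find_leaked_credentials` and writing the output of `redact_log` back out; the findings list is what you would hand to the incident owner so that every affected user's password is rotated, and the redacted copy is what should remain on disk.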