On the TigerGraph platform, the credentials of each user (including the administrative user) are persistently stored in the platform log files every time they are used to perform an HTTP authentication. The security implications of this are:
- The TigerGraph platform unwittingly harvests the credentials of every active user.
- CVE-2023-22950 demonstrates that a user with a relatively low level of privilege is able to access and exfiltrate these credentials.
- The administrative user has unrestricted access to the credentials of every user.
Impact
Severe. It also increases the severity of CVE-2022-30331 as it provides an exploitable attack vector for obtaining the login credentials of the administrative user.
- TigerGraph Enterprise Free Edition 3.7.0 Docker Image
- TigerGraph Enterprise Free Edition 3.7.0
- TigerGraph Cloud
Steps to Reproduce
Download and Run TigerGraph
Using Docker, download the latest TigerGraph image and start the server:
1.) Optional: clean up old TigerGraph Docker images and obtain the latest version:
docker rm tigergraph
docker pull docker.tigergraph.com/tigergraph:latest
2.) Download and run the Docker image (note: we do not need to attach a volume):
docker run -d \
  -p 14022:22 \
  -p 9000:9000 \
  -p 14240:14240 \
  --name tigergraph \
  --ulimit nofile=1000000:1000000 \
  -t docker.tigergraph.com/tigergraph:latest
3.) Once the container has started, connect to it via ssh (note: the default password is ‘tigergraph’):
ssh -p 14022 tigergraph@localhost
4.) Start all TigerGraph services:
gadmin start all
5.) Create a test graph (to enable us to define a user with designer permissions):
gsql "create graph test()"
6.) Create a user, `alice`, with minimal privileges using GSQL:
gsql "create user"
User Name : alice
New Password : *****
Re-enter Password : *****
7.) Grant privileges to Alice:
gsql "grant role designer on graph test to alice"
8.) Change the default password for the
gsql "alter password"
9.) Enable RESTPP authentication:
gadmin config set RESTPP.Factory.EnableAuth true
gadmin config apply -y
gadmin restart restpp nginx gui gsql -y
Simulate User Behavior
In order to see user credentials in the logs we first need to generate some, by simulating typical user behavior. To do this we will use GraphStudio, TigerGraph’s web interface, to perform a number of common actions. Note that you should simulate behavior for a range of different users (including the administrative user). To open GraphStudio, browse to
https://localhost:1420
in your web browser and log in using the credentials for either `alice` or `tigergraph`. To make sure that an HTTP authentication takes place, do one or more of the following actions for each user:
Change The Database Schema
- In GraphStudio, click on “Design Schema” on the left-hand side
- Click on the plus icon to create a new vertex type
- Approve the changes by clicking on the green tick in the top-right-hand corner
- Publish the schema changes by clicking on the document icon in the toolbar.
Create A New Query
- In GraphStudio, click on “Write Queries” on the left-hand side.
- Create a new query by clicking the plus icon in the middle of the view.
- In the popup dialog enter a unique name and save the query.
- Install the automatically generated GSQL by clicking on the upload icon.
Obtaining GSQL Login Credentials
The easiest way to view the stored login credentials is to use the AdminPortal (which is co-located with GraphStudio). To do this, follow these steps:
- Log into GraphStudio as the `tigergraph` user (you may need to log out first and then log back in).
- Click on the “Admin” button on the top-right corner to switch into the AdminPortal.
Basic“ (including the extra space) and
4.) Click “Search”.
5.) Locate any base64-encoded credentials in the logs — they look like the following text:
"auth":"Basic dGlnZXJncmFwaDp0aWdlcmdyYXBo"
6.) Decode the credentials, for example using the base64 command in a Linux terminal like so:
echo dGlnZXJncmFwaDp0aWdlcmdyYXBo | base64 -d
tigergraph:tigergraph
Note: the resulting plaintext is in the form username:password.
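The single `base64 -d` above decodes one token by hand. An operator cleaning up after this issue needs the general form: scan the whole log for `Basic <token>` values, decode the well-formed ones to learn which accounts are exposed (and therefore need a password reset), and apply the redaction that the log writer should have applied in the first place. The following Python is an added example written for this advisory, not TigerGraph code; the log layout (`timestamp component level {json}`) and the request paths are constructed stand-ins for the `"auth":"Basic ..."` fragments shown above, and the function names are my own.

```python
"""Audit log text for leaked HTTP Basic credentials and show the redaction a
log writer should apply before persisting a request record.

Added example for this advisory; not TigerGraph code. The log layout is an
assumption: a constructed stand-in for the '"auth":"Basic ..."' fragments.
"""
import base64
import binascii
import re

# Detection uses the strict base64 alphabet so obvious junk is rejected early.
BASIC_TOKEN = re.compile(r'Basic ([A-Za-z0-9+/]+=*)')
# Redaction scrubs everything after "Basic " up to whitespace or a quote, so a
# malformed token is removed whole rather than partially left behind.
BASIC_ANY = re.compile(r'Basic [^\s"]+')

# Constructed sample lines (not captured from a real system). Line 1 carries
# the exact token shown in the advisory; line 2 encodes alice:secret; lines 3
# and 4 are a non-Basic scheme and a malformed token, to exercise the edge cases.
SAMPLE_LOG = """\
2023-01-01T10:00:00 restpp INFO {"path":"/query/test/q1","auth":"Basic dGlnZXJncmFwaDp0aWdlcmdyYXBo"}
2023-01-01T10:00:05 restpp INFO {"path":"/schema","auth":"Basic YWxpY2U6c2VjcmV0"}
2023-01-01T10:00:09 restpp INFO {"path":"/echo","auth":"Bearer not.a.basic.token"}
2023-01-01T10:00:12 restpp INFO {"path":"/query/test/q2","auth":"Basic not-valid-base64!"}
"""


def decode_basic(token: str):
    """Return (username, password) for a Basic token, or None when the token
    is not valid base64, not UTF-8, or lacks the 'user:pass' separator."""
    try:
        text = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    if ":" not in text:
        return None
    user, password = text.split(":", 1)  # the password itself may contain ':'
    return user, password


def find_basic_credentials(log_text: str):
    """Scan log text and return [(line_no, username, password), ...] for every
    decodable Basic token. Run this only on the affected host during clean-up."""
    found = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        for token in BASIC_TOKEN.findall(line):
            creds = decode_basic(token)
            if creds is not None:
                found.append((line_no, creds[0], creds[1]))
    return found


def summarize_exposed_users(log_text: str):
    """Count leaked occurrences per username without retaining passwords;
    this is the form a reset notice to affected users should take."""
    counts = {}
    for _, user, _ in find_basic_credentials(log_text):
        counts[user] = counts.get(user, 0) + 1
    return counts


def redact_basic_auth(log_text: str) -> str:
    """Mitigation: scrub Basic tokens before a line is written to disk."""
    return BASIC_ANY.sub("Basic [REDACTED]", log_text)


if __name__ == "__main__":
    for line_no, user, _ in find_basic_credentials(SAMPLE_LOG):
        print(f"line {line_no}: credentials for user {user!r} present in log")
    print(summarize_exposed_users(SAMPLE_LOG))
    print(redact_basic_auth(SAMPLE_LOG))
```

`find_basic_credentials` returns the decoded passwords because a clean-up needs to know exactly what was exposed, but anything that leaves the host (a ticket, a notification) should be built from `summarize_exposed_users`, which keeps only usernames and counts. Note that `redact_basic_auth` is deliberately looser than the detector: a log sanitizer should err on the side of removing anything that looks like a credential.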