Alert for CVE-2022-30331

Type: Security

Original date: June 2022

In May 2022, CVE-2022-30331 was filed as a vulnerability with an 8.8 severity score affecting TigerGraph’s User-Defined Functions (UDF) feature.

TigerGraph has disputed this vulnerability, as the basis of the claim merely states that a privileged user could write code within TigerGraph that might introduce a vulnerability in a query accessible to other authenticated users.

Background

One of the key benefits of using TigerGraph is the ability to create custom functions (UDFs) in native C++ for high-speed data manipulation. These functions are then made available to all users for use in their queries. As C++ is a powerful, low-level programming language, it is expected that anyone who writes or installs code is familiar with secure coding practices and reviews any code from outside sources carefully before installing it. By default, only users with the superuser role are allowed to install UDFs, ensuring that any code installed is properly reviewed by an administrator at the appropriate level. Configuration controls are also available to ensure UDFs are pulled from a trusted administrator repository if the feature to store UDFs on GitHub is used.

The remainder of the CVE details various malicious actions that leverage the custom C++ code in the UDF. None of these actions are possible when the superuser password is properly configured and the superuser reviews the code before installing it.

Root causes

These are the root causes of the exploitation detailed in the CVE:

  • The default superuser did not configure their password to enable authentication.

  • The superuser installed malicious/insecure code which allowed any user to execute a shell command.

Best practices to secure your deployment

The following best practices should always be followed to ensure your environment is secured:

  • Credentials should be properly configured. Default credentials and passwords fall under #5 in the OWASP Top 10 list of vulnerabilities.

  • By default, only superusers have the WRITE_FILE privilege, which permits the installation of UDFs. Only users trusted to review and install custom code should be given this privilege.

  • Superusers should treat UDFs as developed software. We recommend utilizing the Secure Software Development Life Cycle processes, including static code analysis and appropriate code reviews, prior to installing them on a TigerGraph deployment.

  • If GSQL is configured to read from a GitHub repository for UDFs, ensure that the repository is properly secured, and the hosted code and any future changes are reviewed by system administrators prior to installing them on a TigerGraph deployment.

Remediations

Blocking UDF Uploading (v3.8.0+)

There are two possible ways for a user to upload a UDF. Starting with TigerGraph 3.8.0, both of those methods are disabled by default. Each of them can only be enabled by a user with administrator privilege using the gadmin command. For more details, see Upload UDFs.

UDF File Scanning (v3.9.0+)

TigerGraph 3.9.0 introduced a set of checks and restrictions, collectively known as UDF File Scanning, which block certain C++ code from being loaded. This feature, enabled by default, scans the UDF source code to ensure that each UDF complies with the security policies. UDFs which do not satisfy all the restrictions are blocked from being compiled and run. For full details, see TigerGraph documentation for UDF file scanning.

  • Feature blocklist. C++ headers and features in this private, non-modifiable list are blocked from use.

  • File header allowlist. Only headers present in the allowlist can be included in UDF files. The default list (see UDF file scanning) can only be modified with a gadmin config set command by the system administrator.

  • Macros with replacement are disabled. A #define that carries a replacement text (object-like or function-like) is rejected; a bare #define with no replacement, such as an include guard, is still permitted.
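To make the three checks above concrete, the Python below is an added illustration written for this page, not TigerGraph's own scanner. It scans a UDF source text and reports each line that would be rejected under a header allowlist, a feature blocklist, and the rule against macros with replacement. The allowlist, the blocklist and the two sample UDF sources are constructed for the example; they do not reproduce TigerGraph's real lists, and the real scanner runs server-side at install time.

```python
"""Illustrative UDF source scanner (added example, not TigerGraph's code).

Models the three checks the advisory lists: a header allowlist, a feature
blocklist, and rejection of macros that carry a replacement text. The lists
below are constructed for this example and are NOT TigerGraph's real lists.
"""
import re

# Constructed allowlist: the only headers a UDF may include (assumption).
HEADER_ALLOWLIST = {"string", "vector", "unordered_map", "cmath", "algorithm"}

# Constructed blocklist: headers and call names that must never appear (assumption).
BLOCKED_HEADERS = {"cstdlib", "stdlib.h", "unistd.h", "cstdio", "stdio.h", "fstream"}
BLOCKED_CALLS = {"system", "popen", "exec", "execl", "execv", "fork", "fopen"}

INCLUDE_RE = re.compile(r'^\s*#\s*include\s*[<"]([^>"]+)[>"]')
# group 1: macro name, group 2: optional parameter list, group 3: replacement text
DEFINE_RE = re.compile(r'^\s*#\s*define\s+(\w+)(\([^)]*\))?(.*)$')
CALL_RE = re.compile(r'\b(\w+)\s*\(')


def strip_comments(src):
    """Remove C++ comments while preserving line numbers for reporting."""
    src = re.sub(r'/\*.*?\*/', lambda m: "\n" * m.group(0).count("\n"), src, flags=re.S)
    return re.sub(r'//[^\n]*', '', src)


def scan_udf(src):
    """Return a list of (line_no, reason) findings; an empty list means the UDF passes."""
    findings = []
    for no, line in enumerate(strip_comments(src).splitlines(), 1):
        inc = INCLUDE_RE.match(line)
        if inc:
            hdr = inc.group(1)
            if hdr in BLOCKED_HEADERS:
                findings.append((no, f"blocked header <{hdr}>"))
            elif hdr not in HEADER_ALLOWLIST:
                findings.append((no, f"header <{hdr}> not in allowlist"))
            continue
        macro = DEFINE_RE.match(line)
        if macro and macro.group(3).strip():
            # Any #define with a body is a "macro with replacement"; bare guards pass.
            findings.append((no, f"macro {macro.group(1)} has replacement text"))
        # Call scan also covers macro bodies, so a blocked call hidden in a macro is seen.
        for call in CALL_RE.findall(line):
            if call in BLOCKED_CALLS:
                findings.append((no, f"blocked call {call}()"))
    return findings


def is_installable(src):
    """True when the UDF source has no findings and could proceed to compilation."""
    return not scan_udf(src)


# Constructed sample UDF that satisfies every check.
SAFE_UDF = """\
#include <string>
#include <algorithm>
#define UDF_VERSION_GUARD
inline std::string to_upper(std::string s) {
    std::transform(s.begin(), s.end(), s.begin(), ::toupper);
    return s;
}
"""

# Constructed sample UDF of the kind the advisory's root cause describes:
# it pulls in a blocked header and wraps a shell call in a macro with replacement.
UNSAFE_UDF = """\
#include <string>
#include <cstdlib>
#define RUN(cmd) std::system(cmd)
inline int run_shell(std::string cmd) {
    return RUN(cmd.c_str());
}
"""

if __name__ == "__main__":
    for name, src in (("safe", SAFE_UDF), ("unsafe", UNSAFE_UDF)):
        print(f"{name}: {'PASS' if is_installable(src) else 'BLOCKED'}")
        for no, reason in scan_udf(src):
            print(f"  line {no}: {reason}")
```

Running the script reports the safe UDF as passing and the unsafe one as blocked on three counts: the blocked header, the macro with replacement text, and the blocked call inside that macro. A real scanner would work on the preprocessed translation unit rather than on raw lines, but the policy shape, deny known-bad features, permit only known-good headers, and refuse macro expansion, is the same one the advisory describes.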

The security of your data is paramount to us, and we are continually looking for ways to improve our product to make sure it stays safe.