CVE-2023-36649
📋 TL;DR
CVE-2023-36649 allows attackers to obtain JWT tokens from Grafana logs or Loki REST API in ProLion CryptoSpike 3.0.15P2. With these tokens, attackers can impersonate legitimate users in web management and REST API. This affects organizations using the vulnerable CryptoSpike version with Grafana logging enabled.
💻 Affected Systems
- ProLion CryptoSpike
📦 What is this software?
CryptoSpike by ProLion
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise where attackers gain administrative access, manipulate cryptographic controls, exfiltrate sensitive data, and disrupt operations.
Likely Case
Unauthorized access to management interfaces leading to data exposure, configuration changes, and privilege escalation.
If Mitigated
Limited impact with proper network segmentation, monitoring, and access controls preventing token reuse.
🎯 Exploit Status
Exploitation requires reading logs via Grafana interface or accessing Loki REST API endpoints.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.0.16 or later
Vendor Advisory: https://www.prolion.com/security-advisories
Restart Required: Yes
Instructions:
1. Back up the current configuration.
2. Download and install CryptoSpike 3.0.16+ from the ProLion support portal.
3. Apply configuration changes if needed.
4. Restart CryptoSpike services.
5. Verify that JWT tokens are no longer logged.
🔧 Temporary Workarounds
Disable Grafana logging for sensitive data
Configure Grafana to exclude JWT tokens and authentication headers from logs: edit the Grafana configuration to filter Authorization headers and JWT tokens out of the log output.
Restrict Loki API access
Implement network access controls to restrict unauthorized access to the Loki REST API (replace trusted_network with your management CIDR; the ACCEPT rule must be inserted before the DROP rule, as below, or trusted hosts are cut off too):
iptables -A INPUT -p tcp --dport 3100 -s trusted_network -j ACCEPT
iptables -A INPUT -p tcp --dport 3100 -j DROP
🧯 If You Can't Patch
- Implement strict network segmentation to isolate CryptoSpike management interfaces
- Enable detailed logging and monitoring for unauthorized access attempts to Loki API or Grafana logs
🔍 How to Verify
Check if Vulnerable:
Check if Grafana logs contain JWT tokens or if Loki API is accessible without authentication on port 3100
Check Version:
cryptospike --version | grep 'CryptoSpike'
Verify Fix Applied:
Verify JWT tokens are no longer present in Grafana logs and Loki API requires proper authentication
📡 Detection & Monitoring
Log Indicators:
- Unauthorized access to /loki/api/v1/query
- Multiple failed authentication attempts followed by successful login with different user agent
- JWT token reuse from different IP addresses
Network Indicators:
- Unusual traffic to port 3100 (Loki API) from unauthorized sources
- Multiple authentication requests in short timeframes
SIEM Query:
(source="grafana-logs" AND "Authorization: Bearer") OR (destination_port=3100 AND NOT source_ip IN (trusted_networks))
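The "Check if Vulnerable" / "Verify Fix Applied" steps and the "JWT token reuse from different IP addresses" indicator above both come down to scanning log text for bearer tokens. The following added example (not code from ProLion, Grafana or Loki) does both over a small set of constructed log lines: it finds JWT-shaped strings, decodes their claims without verifying the signature so an analyst can see which account leaked, redacts them for safe sharing, and flags any token presented from more than one client address. The log line format, the remote_addr field name and the tokens themselves are assumptions constructed for the demo; the JWT regex is a heuristic (three base64url segments, the first two beginning with "eyJ").

```python
import base64
import json
import re
from collections import defaultdict

# Heuristic for a JWT in free text: three base64url segments, the first two
# starting with "eyJ" (base64 of '{"', the start of a JSON header/payload).
JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]+\.eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+")
# Assumed field name for the client address in the constructed log format.
REMOTE_ADDR_RE = re.compile(r"remote_addr=([\d.]+)")


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    # Re-add the padding that JWT segments strip.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_token(claims: dict) -> str:
    """Build a constructed JWT for the sample log; the signature is a dummy."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.{_b64url_encode(b'not-a-real-signature')}"


def decode_claims(token: str) -> dict:
    """Read the payload WITHOUT verifying the signature; for triage only."""
    _header, payload, _sig = token.split(".")
    return json.loads(_b64url_decode(payload))


def find_tokens(lines):
    """Return (line_number, token) for every JWT found; an empty list means clean."""
    return [(n, m.group(0))
            for n, line in enumerate(lines, 1)
            for m in JWT_RE.finditer(line)]


def redact_line(line: str) -> str:
    """Replace each token with a short prefix so the line can be shared safely."""
    return JWT_RE.sub(lambda m: m.group(0)[:12] + "...[REDACTED]", line)


def token_reuse(lines):
    """Flag tokens presented from more than one client address (possible replay)."""
    ips_by_token = defaultdict(set)
    for line in lines:
        addr = REMOTE_ADDR_RE.search(line)
        if not addr:
            continue
        for m in JWT_RE.finditer(line):
            ips_by_token[m.group(0)].add(addr.group(1))
    findings = []
    for token, ips in ips_by_token.items():
        if len(ips) > 1:
            claims = decode_claims(token)
            findings.append({"sub": claims.get("sub"),
                             "jti": claims.get("jti"),
                             "ips": sorted(ips)})
    return findings


# Constructed sample: two users; alice's token shows up again from a second address.
TOKEN_ALICE = make_token({"sub": "alice", "jti": "c0ffee-01", "role": "admin"})
TOKEN_BOB = make_token({"sub": "bob", "jti": "c0ffee-02", "role": "viewer"})

SAMPLE_LOG = [
    f'2024-01-01T10:00:00Z level=info method=GET path=/api/users remote_addr=10.0.0.5 headers="Authorization: Bearer {TOKEN_ALICE}"',
    f'2024-01-01T10:00:07Z level=info method=GET path=/api/users remote_addr=10.0.0.5 headers="Authorization: Bearer {TOKEN_ALICE}"',
    f'2024-01-01T11:42:19Z level=info method=GET path=/api/users remote_addr=203.0.113.9 headers="Authorization: Bearer {TOKEN_ALICE}"',
    f'2024-01-01T10:01:30Z level=info method=GET path=/api/health remote_addr=10.0.0.7 headers="Authorization: Bearer {TOKEN_BOB}"',
    '2024-01-01T10:02:00Z level=info method=GET path=/api/health remote_addr=10.0.0.5',
]

if __name__ == "__main__":
    for n, tok in find_tokens(SAMPLE_LOG):
        print(f"line {n}: bearer token for sub={decode_claims(tok).get('sub')!r}")
    for f in token_reuse(SAMPLE_LOG):
        print(f"REUSE sub={f['sub']} jti={f['jti']} seen from {f['ips']}")
    print(redact_line(SAMPLE_LOG[0]))
```

Run it against an export of the Grafana log or a Loki query result instead of SAMPLE_LOG: any hit from find_tokens() after upgrading means tokens are still being logged, and a token_reuse() finding for a token whose jti is not in your own session records is the replay pattern the "Log Indicators" list describes.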