CVE-2022-24853: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor in metabase metabase
Metabase is an open source business intelligence and analytics application. Metabase has a proxy to load arbitrary URLs for JSON maps as part of our GeoJSON support. While we do validation to not return contents of arbitrary URLs, there is a case where a particularly crafted request could result in file access on Windows, which allows enabling an `NTLM relay attack`, potentially allowing an attacker to receive the system password hash. If you use Windows and are on this version of Metabase, please upgrade immediately. The following patches (or greater versions) are available: 0.42.4 and 1.42.4, 0.41.7 and 1.41.7, 0.40.8 and 1.40.8.
AI Analysis
Technical Summary
CVE-2022-24853 is a medium-severity vulnerability affecting Metabase, an open-source business intelligence and analytics platform widely used for data visualization and reporting. The vulnerability arises from Metabase's proxy functionality designed to load arbitrary URLs for JSON maps as part of its GeoJSON support. Although Metabase implements validation to prevent returning contents from arbitrary URLs, a crafted request can bypass these protections on Windows systems, leading to unauthorized file access. This flaw enables an attacker to perform an NTLM relay attack, which can capture the system's password hash. NTLM relay attacks exploit the Windows NT LAN Manager authentication protocol by intercepting and relaying authentication requests, potentially allowing attackers to impersonate legitimate users or escalate privileges. The vulnerability specifically affects Metabase versions from 0.40.0 up to but not including 0.40.7, 0.41.0 up to 0.41.6, 1.40.0 up to 1.40.7, 1.41.0 up to 1.41.6, 1.42.0 up to 1.42.3, and 0.42.0 up to 0.42.3. The issue is mitigated in patched versions 0.40.8, 0.41.7, 0.42.4, 1.40.8, 1.41.7, and 1.42.4 or later. Exploitation requires the target to be running Metabase on Windows, and the attack vector involves sending specially crafted requests to the proxy component. While no known exploits are reported in the wild, the potential for sensitive credential exposure and NTLM relay attacks makes this a significant concern for affected environments. Immediate patching is recommended to prevent unauthorized access and credential theft.
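The summary above turns on a URL check that a crafted request still got past on Windows. As an added example (not Metabase's code, and assuming nothing about the specific bypass), this is the kind of allow-list validator a defender would put in front of such a GeoJSON proxy: only absolute http(s) URLs naming a public host are accepted, and everything else is refused before any fetch is attempted.

```python
import ipaddress
from typing import Tuple
from urllib.parse import urlsplit

# Constructed example for an "fetch this GeoJSON URL" proxy of the kind the
# advisory describes. Not Metabase's code; it assumes nothing about the exact
# crafted request that bypassed the original validation.
ALLOWED_SCHEMES = {"http", "https"}


def validate_geojson_url(url: str) -> Tuple[bool, str]:
    """Return (accepted, reason). Accept only absolute http(s) URLs with a
    public host; refuse everything else before any network or file access."""
    url = url.strip()
    # urlsplit() does not treat backslashes as separators, so UNC-style or
    # mixed-slash inputs would otherwise parse into harmless-looking fields.
    # Refuse them outright.
    if "\\" in url:
        return False, "backslash in URL"
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme or '<none>'}"
    # 'http:foo' and 'http:/foo' parse with an empty netloc; insist on a host.
    if not parts.netloc or not parts.hostname:
        return False, "missing host"
    if parts.username is not None or parts.password is not None:
        return False, "credentials in URL"
    host = parts.hostname
    if host == "localhost":
        return False, "localhost"
    # Literal IP addresses must be globally routable: no loopback, link-local
    # or RFC 1918 space. (Resolving names and re-checking the resolved address
    # at connect time is a separate step and is not shown here.)
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None and not ip.is_global:
        return False, f"non-public address: {host}"
    return True, "ok"
```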
Potential Impact
For European organizations using Metabase on Windows platforms, this vulnerability poses a risk of sensitive information exposure, specifically the leakage of system password hashes via NTLM relay attacks. Such exposure can lead to credential theft, lateral movement within networks, privilege escalation, and ultimately compromise of critical business intelligence data and infrastructure. Given that Metabase is often integrated with sensitive corporate data and analytics, unauthorized access could result in data breaches, loss of data integrity, and disruption of business operations. The impact is heightened in environments where Windows authentication is heavily relied upon and where NTLM authentication is enabled without additional protections such as SMB signing or extended security measures. Organizations in sectors with stringent data protection requirements, such as finance, healthcare, and government, may face regulatory and reputational consequences if this vulnerability is exploited. The absence of known exploits in the wild reduces immediate risk but does not eliminate the threat, especially as attackers may develop exploits targeting this vulnerability. Therefore, European organizations should prioritize remediation to maintain confidentiality, integrity, and availability of their analytics platforms and associated data.
Mitigation Recommendations
1. Immediate upgrade of Metabase installations on Windows to patched versions 0.40.8, 0.41.7, 0.42.4, 1.40.8, 1.41.7, 1.42.4 or later to eliminate the vulnerability.
2. Disable or restrict the GeoJSON proxy feature if not required, reducing the attack surface.
3. Implement network segmentation and firewall rules to limit access to Metabase servers, especially restricting inbound traffic to trusted sources.
4. Enforce SMB signing and disable NTLM authentication where possible to mitigate NTLM relay attack vectors at the network protocol level.
5. Monitor network traffic for unusual NTLM authentication attempts or relay activity using intrusion detection systems or endpoint monitoring tools.
6. Conduct regular audits of Metabase configurations and Windows security settings to ensure adherence to best practices.
7. Educate system administrators about the risks of NTLM relay attacks and the importance of patch management.
8. Employ multi-factor authentication (MFA) for administrative access to Metabase and related systems to reduce the impact of credential compromise.
These steps go beyond generic patching advice by addressing the specific NTLM relay attack vector and the Windows environment context.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden, Belgium, Poland, Ireland
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2022-02-10T00:00:00.000Z
- Cisa Enriched: true
Threat ID: 682d9848c4522896dcbf63ae
Added to database: 5/21/2025, 9:09:28 AM
Last enriched: 6/22/2025, 2:22:07 AM
Last updated: 8/8/2025, 6:36:19 AM