Grafana has released security patches for several versions of its app, fixing a vulnerability that allows attackers to bypass authentication and take control of any Grafana account that uses Azure Active Directory for authentication.
Grafana is a widely used open source interactive analysis and visualization application that offers extensive integration options with a wide range of monitoring platforms and applications.
Grafana Enterprise, the premium version of the app with additional features, is used by well-known organizations such as Wikimedia, Bloomberg, JP Morgan Chase, eBay, PayPal, and Sony.
The account takeover vulnerability is tracked as CVE-2023-3128 and received a CVSS v3.1 score of 9.4, qualifying it as critical.
The bug is caused by Grafana authenticating Azure AD accounts based on the email address configured in the associated “profile email” setting. However, this setting is not unique across Azure AD tenants, so an attacker can create an Azure AD account in another tenant with the same email address as a legitimate Grafana user and use it to take over that user's account.
“This may enable Grafana account takeover and authentication bypass when Azure AD OAuth is configured with a multi-tenant Azure AD OAuth application,” reads Grafana's advisory.
“If exploited, the attacker can gain full control of a user’s account, including access to private customer data and sensitive information.”
Grafana cloud already patched
The issue affects all Grafana deployments configured to use Azure AD OAuth for user authentication with a multi-tenancy Azure application and without restrictions on which user groups can authenticate (via the “allowed_groups” configuration).
The vulnerability is present on all versions of Grafana from 6.7.0 and later, but the software vendor has released patches for branches 8.5, 9.2, 9.3, 9.5 and 10.0.
The recommended versions to upgrade to in order to resolve the security issue are:
- Grafana 10.0.1 or later
- Grafana 9.5.5 or later
- Grafana 9.4.13 or later
- Grafana 9.3.16 or later
- Grafana 9.2.20 or later
- Grafana 8.5.27 or later
Grafana Cloud has already been upgraded to the latest versions, as the provider coordinated with cloud providers like Amazon and Microsoft, who received early notification of the embargoed issue.
For those unable to upgrade their Grafana instances to a secure version, the bulletin suggests the following two mitigations:
- Register a single-tenant app in Azure AD, which should prevent login attempts from external tenants (people outside the organization).
- Add an “allowed_groups” configuration to Azure AD settings to limit login attempts to members of a whitelisted group, thereby automatically rejecting all attempts using an arbitrary email.
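As an added example (not code from Grafana or its advisory), the following Python audit checks a grafana.ini `[auth.azuread]` section for the two conditions the bulletin describes: a multi-tenant login endpoint and an empty `allowed_groups`. The sample ini fragments are constructed, the GUIDs are placeholders, and the endpoint check is a heuristic: whether the app registration is single- or multi-tenant is decided in Azure AD, not in grafana.ini.

```python
import configparser
from typing import List

# Constructed sample: the exposed shape, a multi-tenant endpoint ("common")
# and no allowed_groups restriction.
WEAK_INI = """
[auth.azuread]
enabled = true
client_id = 00000000-0000-0000-0000-000000000000
auth_url = https://login.microsoftonline.com/common/oauth2/v2.0/authorize
token_url = https://login.microsoftonline.com/common/oauth2/v2.0/token
allowed_groups =
"""

# Constructed sample: both mitigations applied, a tenant-specific endpoint
# (placeholder tenant GUID) and a non-empty allowed_groups (placeholder group GUID).
HARDENED_INI = """
[auth.azuread]
enabled = true
client_id = 00000000-0000-0000-0000-000000000000
auth_url = https://login.microsoftonline.com/11111111-2222-3333-4444-555555555555/oauth2/v2.0/authorize
token_url = https://login.microsoftonline.com/11111111-2222-3333-4444-555555555555/oauth2/v2.0/token
allowed_groups = 66666666-7777-8888-9999-000000000000
"""

# Tenant aliases that accept sign-ins from any Azure AD tenant (or personal accounts).
MULTI_TENANT_SEGMENTS = {"common", "organizations", "consumers"}


def tenant_segment(url: str) -> str:
    """Return the path segment after login.microsoftonline.com/ (tenant GUID or alias)."""
    marker = "login.microsoftonline.com/"
    idx = url.find(marker)
    if idx < 0:
        return ""
    return url[idx + len(marker):].split("/", 1)[0].lower()


def audit_azuread(ini_text: str) -> List[str]:
    """Return findings for an enabled [auth.azuread] section; empty means none."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(ini_text)
    if not cfg.getboolean("auth.azuread", "enabled", fallback=False):
        return []
    sec = cfg["auth.azuread"]
    findings = []
    groups = [g.strip() for g in sec.get("allowed_groups", "").split(",") if g.strip()]
    if not groups:
        findings.append("allowed_groups is empty: any user with a matching email can sign in")
    for key in ("auth_url", "token_url"):
        seg = tenant_segment(sec.get(key, ""))
        if seg in MULTI_TENANT_SEGMENTS:
            findings.append(f"{key} uses multi-tenant endpoint '{seg}'")
    return findings


def is_exposed(ini_text: str) -> bool:
    """Exposed only when both conditions hold, matching the advisory's affected scope."""
    f = audit_azuread(ini_text)
    return any("allowed_groups" in x for x in f) and any("multi-tenant" in x for x in f)
```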
Grafana’s bulletin also includes tips for dealing with issues that may arise in specific usage scenarios due to changes introduced by the latest hotfix, so be sure to read the advisory if you get “failure to complete user synchronization” or “user already exists” errors.