Grafana has released security fixes for multiple versions of its application, addressing a vulnerability that enables attackers to bypass authentication and take over any Grafana account that uses Azure Active Directory for authentication.
Grafana is a widely used open-source analytics and interactive visualization app that offers extensive integration options with a wide range of monitoring platforms and applications.
Grafana Enterprise, the app’s premium version with additional capabilities, is used by well-known organizations such as Wikimedia, Bloomberg, JP Morgan Chase, eBay, PayPal, and Sony.
The discovered account takeover vulnerability is tracked as CVE-2023-3128 and received a CVSS v3.1 score of 9.4, rating it as critical severity.
The bug is caused by Grafana authenticating Azure AD accounts based on the email address configured in the associated ‘profile email’ setting. However, this value is not unique across Azure AD tenants, allowing threat actors to create Azure AD accounts with the same email address as legitimate Grafana users and use them to hijack those accounts.
“This can enable a Grafana account takeover and authentication bypass when Azure AD OAuth is configured with a multi-tenant Azure AD OAuth application,” reads Grafana’s advisory.
“If exploited, the attacker can gain complete control of a user’s account, including access to private customer data and sensitive information.”
Grafana cloud already patched
The issue impacts all Grafana deployments configured to use Azure AD OAuth for user authentication with a multi-tenant Azure application and without restrictions on which user groups can authenticate (via the ‘allowed_groups’ configuration).
The vulnerability is present in all Grafana versions from 6.7.0 onward, but the software vendor released fixes for branches 8.5, 9.2, 9.3, 9.5, and 10.0.
The recommended versions to upgrade to in order to address the security issue are:
- Grafana 10.0.1 or later
- Grafana 9.5.5 or later
- Grafana 9.4.13 or later
- Grafana 9.3.16 or later
- Grafana 9.2.20 or later
- Grafana 8.5.27 or later
Grafana Cloud has already been upgraded to the latest versions, as the vendor has coordinated with cloud providers like Amazon and Microsoft, who received early notification about the issue under embargo.
For those who cannot upgrade their Grafana instances to a secure version, the bulletin suggests the following two mitigations:
- Register a single-tenant application in Azure AD, which should prevent any login attempts from external tenants (people outside the organization).
- Add an ‘allowed_groups’ configuration to the Azure AD settings to limit sign-in attempts to members of a white-listed group, thereby automatically rejecting all attempts using an arbitrary email address.
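The version list and the two mitigations above can both be turned into a quick self-check. The following Python script is an added example, not Grafana's own code or tooling: it checks a Grafana version string against the fixed releases listed in the advisory and parses a grafana.ini `[auth.azuread]` section for the exposure conditions the advisory names (Azure AD OAuth enabled, a multi-tenant sign-in endpoint, and no `allowed_groups`). The section and option names (`auth.azuread`, `enabled`, `auth_url`, `token_url`, `allowed_groups`) are Grafana's documented ones; the tenant, client and group IDs are constructed placeholders. Treating a `common`, `organizations` or `consumers` tenant segment in `auth_url` as the multi-tenant case is a heuristic assumption made here: the authoritative setting is the app registration's supported account types in Azure AD, which a config file cannot show.

```python
"""Added example: check a Grafana version and a grafana.ini [auth.azuread]
section against the CVE-2023-3128 conditions described in the advisory.
All IDs below are constructed placeholders, not real tenant or group IDs."""
import configparser
import re
from urllib.parse import urlparse

# Fixed release per maintained branch, as listed in the advisory.
FIXED = {
    (10, 0): (10, 0, 1),
    (9, 5): (9, 5, 5),
    (9, 4): (9, 4, 13),
    (9, 3): (9, 3, 16),
    (9, 2): (9, 2, 20),
    (8, 5): (8, 5, 27),
}
FIRST_AFFECTED = (6, 7, 0)

# Tenant path segments of login.microsoftonline.com that accept sign-ins from
# any tenant. Assumption: treated here as the "multi-tenant" configuration.
MULTI_TENANT_SEGMENTS = {"common", "organizations", "consumers"}


def parse_version(text):
    """Turn '10.0.1' or 'v9.5.4' into a comparable (major, minor, patch) tuple."""
    match = re.match(r"^v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in match.groups())


def version_is_patched(text):
    """True if this Grafana version carries the CVE-2023-3128 fix."""
    version = parse_version(text)
    if version < FIRST_AFFECTED:
        return True  # the bug was introduced in 6.7.0
    fixed = FIXED.get(version[:2])
    # Branches without a fixed release (e.g. 9.0, 9.1, 7.x) remain affected.
    return fixed is not None and version >= fixed


def tenant_segment(url):
    """Return the first path segment of an Azure AD endpoint URL (the tenant)."""
    parts = [p for p in urlparse(url).path.split("/") if p]
    return parts[0].lower() if parts else ""


def assess_azuread(ini_text):
    """Evaluate [auth.azuread] against the advisory's exposure conditions."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(ini_text)
    if not parser.has_section("auth.azuread"):
        return {"enabled": False, "multi_tenant": False,
                "allowed_groups": [], "exposed": False, "reasons": []}
    section = parser["auth.azuread"]
    enabled = section.getboolean("enabled", fallback=False)
    groups = [g.strip() for g in section.get("allowed_groups", "").split(",")
              if g.strip()]
    segment = tenant_segment(section.get("auth_url", ""))
    multi_tenant = segment in MULTI_TENANT_SEGMENTS
    reasons = []
    if multi_tenant:
        reasons.append(f"auth_url uses the multi-tenant '{segment}' endpoint")
    if not groups:
        reasons.append("allowed_groups is empty, so any tenant's users may sign in")
    return {"enabled": enabled, "multi_tenant": multi_tenant,
            "allowed_groups": groups,
            "exposed": enabled and multi_tenant and not groups,
            "reasons": reasons}


# Constructed weak configuration: multi-tenant endpoint, no group restriction.
WEAK_CONFIG = """
[auth.azuread]
enabled = true
name = Azure AD
allow_sign_up = true
client_id = 00000000-0000-0000-0000-000000000000
client_secret = CONSTRUCTED_PLACEHOLDER
scopes = openid email profile
auth_url = https://login.microsoftonline.com/common/oauth2/v2.0/authorize
token_url = https://login.microsoftonline.com/common/oauth2/v2.0/token
allowed_groups =
"""

# Constructed hardened configuration: tenant-specific endpoints plus
# allowed_groups, matching the two mitigations in the advisory.
HARDENED_CONFIG = """
[auth.azuread]
enabled = true
name = Azure AD
allow_sign_up = true
client_id = 00000000-0000-0000-0000-000000000000
client_secret = CONSTRUCTED_PLACEHOLDER
scopes = openid email profile
auth_url = https://login.microsoftonline.com/11111111-1111-1111-1111-111111111111/oauth2/v2.0/authorize
token_url = https://login.microsoftonline.com/11111111-1111-1111-1111-111111111111/oauth2/v2.0/token
allowed_groups = 22222222-2222-2222-2222-222222222222
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, assess_azuread(cfg))
    for v in ("10.0.1", "9.5.4", "9.1.8", "8.5.27"):
        print(v, "patched" if version_is_patched(v) else "NOT patched")
```

A result with `exposed` set means the instance matches the affected configuration and should be upgraded or have one of the two mitigations applied; a tenant-specific `auth_url` on its own does not change the app registration in Azure AD, so the single-tenant registration still has to be done on the Azure side.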
Grafana’s bulletin also includes guidance for dealing with problems that may arise in specific use cases due to changes introduced by the latest patch, so make sure to read the advisory if you get “user sync failed” or “user already exists” errors.