Grafana has released security updates to address an authentication bypass/account takeover vulnerability. CVE-2023-3128 has been rated as critical with a CVSSv3.1 base score of 9.4. Successful exploitation of the vulnerability will allow an attacker to gain complete control of a user’s account, including access to private customer data and sensitive information.
Grafana is a multi-platform open-source analytics and interactive visualization web application. It provides charts, graphs, and alerts for the web when connected to supported data sources.
Vulnerability Details
Grafana validates Azure Active Directory (AD) accounts based on the email claim. The profile email field on Azure AD is not unique across Azure AD tenants. When Azure AD OAuth is set up with a multi-tenant Azure AD OAuth application, this can enable a Grafana account takeover and authentication bypass.
An attacker may exploit this vulnerability to access private customer data and sensitive information in a user’s account. All users of Grafana deployments where Azure AD OAuth is configured with a multi-tenant Azure app and without the allowed_groups configuration are affected by the vulnerability and can be compromised.
Affected Versions
All installations for Grafana versions 6.7.0 and later are affected by the vulnerability.
Mitigation
Customers must upgrade to Grafana 10.0.1, 9.5.5, 9.4.13, 9.3.16, 9.2.20, or 8.5.27, depending on the release line in use, to patch the vulnerability. Grafana Cloud has already been upgraded to the latest version.
For more information, please refer to the Grafana security advisory.
Workaround
- Adding the allowed_groups configuration to the Azure AD configuration ensures that a user signing in must also be a member of one of the listed Azure AD groups, so an attacker cannot sign in with an arbitrary email address.
- Registering a single-tenant application in Azure AD would prevent the attack vector.
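The two workarounds side by side in Grafana's [auth.azuread] configuration block, as an added illustration rather than text from the Grafana advisory or the Qualys post. The tenant and group object IDs are placeholders; the option names are the documented Grafana settings.

```ini
; WEAK: multi-tenant app ("common" endpoint) and no group restriction.
; Any Azure AD tenant can present a token whose email claim matches an
; existing Grafana user, which is the condition described for CVE-2023-3128.
[auth.azuread]
name = Azure AD
enabled = true
allow_sign_up = true
client_id = <placeholder-application-id>
client_secret = <placeholder-client-secret>
scopes = openid email profile
auth_url = https://login.microsoftonline.com/common/oauth2/v2.0/authorize
token_url = https://login.microsoftonline.com/common/oauth2/v2.0/token
allowed_groups =

; HARDENED: pin the endpoints to a single tenant (workaround 2) and require
; membership in specific Azure AD groups, identified by group object ID
; (workaround 1). Either change alone closes the arbitrary-email path;
; applying both is defence in depth until the patched version is deployed.
[auth.azuread]
name = Azure AD
enabled = true
allow_sign_up = true
client_id = <placeholder-application-id>
client_secret = <placeholder-client-secret>
scopes = openid email profile
auth_url = https://login.microsoftonline.com/<placeholder-tenant-id>/oauth2/v2.0/authorize
token_url = https://login.microsoftonline.com/<placeholder-tenant-id>/oauth2/v2.0/token
allowed_groups = <placeholder-group-object-id-1> <placeholder-group-object-id-2>
```

allowed_groups is only enforced when the Azure app registration emits the groups claim in the token; after restarting Grafana, confirm that a sign-in by a user outside the listed groups is rejected before relying on the workaround.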
Qualys Detection
Qualys customers can scan their devices with QIDs 993481, 691197, and 730833 to detect vulnerable assets.
QID 730833 sends an HTTP GET request to retrieve the version of Grafana running on the target application and flags versions that are vulnerable.
QID 993481 will be available to customers who subscribe to the SCA (Software Composition Analysis) product, which is currently available for Container Security.
Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.
References
https://grafana.com/blog/2023/06/22/grafana-security-release-for-cve-2023-3128/