Grafana has issued security patches for several versions of its software to address a critical vulnerability, CVE-2023-3128, which enables attackers to bypass authentication and take control of any Grafana account that uses Azure Active Directory (AD) for authentication. Grafana is a popular open-source analytics and interactive visualization application that provides extensive integration options with numerous monitoring platforms and applications. Its premium version, Grafana Enterprise, is utilized by prominent organizations such as Wikimedia, Bloomberg, JP Morgan Chase, eBay, PayPal, and Sony.
The account takeover vulnerability has been assigned a CVSS v3.1 score of 9.4, indicating critical severity. The issue arises from Grafana authenticating Azure AD accounts based on the email address configured in the associated 'profile email' setting. This setting, however, is not unique across all Azure AD tenants, allowing threat actors to create Azure AD accounts with the same email address as legitimate Grafana users and subsequently hijack accounts. According to Grafana's advisory, "This can enable a Grafana account takeover and authentication bypass when Azure AD OAuth is configured with a multi-tenant Azure AD OAuth application." If exploited, attackers can gain full control over a user's account, including access to private customer data and sensitive information.
The vulnerability affects all Grafana deployments configured to use Azure AD OAuth for user authentication with a multi-tenant Azure application and without restrictions on which user groups can authenticate (via the 'allowed_groups' configuration). It is present in all Grafana versions from 6.7.0 onwards; the vendor has released fixes for the 8.5, 9.2, 9.3, 9.5, and 10.0 branches.
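The following is an added illustration, not Grafana's code and not the fix Grafana shipped (the article does not describe the patch's internals), of the identity-mapping flaw the advisory describes: a login that matches an Azure AD token to a local account by e-mail alone lets a token from any tenant with the same profile e-mail land on the same account, whereas keying the identity on the tenant-scoped `tid`/`oid` claim pair, accepting only known tenants (the single-tenant equivalent) and enforcing an `allowed_groups` restriction refuses it. Token values, tenant ids, group names and user records are constructed sample data; `tid`, `oid`, `email` and `groups` are standard Azure AD token claim names, but the lookup functions and their signatures are this example's own.

```python
from dataclasses import dataclass, field
from typing import Iterable, List, Optional


@dataclass
class IdToken:
    """Subset of claims from an Azure AD OIDC ID token (constructed sample)."""
    tid: str                    # tenant the account lives in
    oid: str                    # object id, unique only within that tenant
    email: str                  # profile e-mail, settable by the tenant owner
    groups: List[str] = field(default_factory=list)


@dataclass
class LocalUser:
    login: str
    email: str
    tenant_key: Optional[str] = None   # "tid:oid" once an identity is bound


def lookup_by_email(users: Iterable[LocalUser], token: IdToken) -> Optional[LocalUser]:
    """Vulnerable pattern: e-mail is the only identity key, so any tenant that
    sets the same profile e-mail resolves to the same local account."""
    for u in users:
        if u.email.lower() == token.email.lower():
            return u
    return None


def hardened_login(users: Iterable[LocalUser], token: IdToken,
                   allowed_tenants: Iterable[str],
                   allowed_groups: Iterable[str] = ()) -> Optional[LocalUser]:
    """Return the local user for this token, or None if the login must be refused."""
    # Single-tenant equivalent: only tokens issued for our own tenant(s) count.
    if token.tid not in set(allowed_tenants):
        return None
    # allowed_groups: the caller must belong to at least one permitted group.
    allowed = set(allowed_groups)
    if allowed and not (set(token.groups) & allowed):
        return None
    key = f"{token.tid}:{token.oid}"
    users = list(users)
    # Normal case: an identity already bound to this exact tenant-scoped key.
    for u in users:
        if u.tenant_key == key:
            return u
    # First login only: bind the key to the e-mail-matched account, and only if
    # that account has not already been claimed by a different identity.
    for u in users:
        if u.tenant_key is None and u.email.lower() == token.email.lower():
            u.tenant_key = key
            return u
    return None


def demo() -> dict:
    """Run both lookups against a legitimate token and a same-e-mail token from
    another tenant; returns which local login (if any) each call resolved to."""
    users = [LocalUser("alice", "alice@example.com")]
    legit = IdToken(tid="tenant-A", oid="1111", email="alice@example.com",
                    groups=["grafana-admins"])
    # Same profile e-mail, but issued by a different tenant.
    other = IdToken(tid="tenant-B", oid="2222", email="alice@example.com",
                    groups=["grafana-admins"])
    policy = dict(allowed_tenants={"tenant-A"}, allowed_groups=["grafana-admins"])

    weak_legit = lookup_by_email(users, legit)
    weak_other = lookup_by_email(users, other)          # resolves to alice: takeover
    strong_legit = hardened_login(users, legit, **policy)
    strong_other = hardened_login(users, other, **policy)   # refused: wrong tenant
    strong_repeat = hardened_login(users, legit, **policy)  # bound key still matches

    name = lambda u: u.login if u else None
    return {
        "weak_legit": name(weak_legit),
        "weak_other": name(weak_other),
        "strong_legit": name(strong_legit),
        "strong_other": name(strong_other),
        "strong_repeat": name(strong_repeat),
        "bound_key": users[0].tenant_key,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The two checks in `hardened_login` correspond to the two configuration-level conditions the article names for an affected deployment: a multi-tenant application (here, any `tid` accepted) and no `allowed_groups` restriction. Removing either condition alone is not enough if accounts are still matched on e-mail, which is why the example also binds a tenant-scoped key on first login and refuses a different key afterwards.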
Grafana Cloud has already been updated to the latest versions, as the vendor has collaborated with cloud providers like Amazon and Microsoft, who were informed about the issue under embargo. For those unable to upgrade their Grafana instances to a secure version, the bulletin recommends two mitigations.
Grafana's bulletin also provides guidance for addressing issues that may arise in specific use-case scenarios due to changes introduced by the latest patch. Users are advised to consult the advisory if they encounter "user sync failed" or "user already exists" errors.