CVE-2023-3128: Grafana Account Takeover Vulnerability
A recent security vulnerability was discovered in Grafana, one of the leading open-source platforms for analytics and visualization. The security flaw, designated as CVE-2023-3128 and rated a highly critical 9.4 on the CVSS scale, has the potential to allow an attacker to bypass authentication procedures and take over a user’s account.
In essence, CVE-2023-3128 is an account takeover or authentication bypass vulnerability within Grafana. This open-source platform offers user-friendly and visually appealing tools for data analysis and visualization, serving a diverse range of users from small-scale projects to massive enterprise-level deployments.
At the heart of this vulnerability is Grafana’s validation process. Specifically, when used in conjunction with Azure Active Directory (Azure AD) OAuth, Grafana validates Azure AD accounts based on their email claim. Here lies the problem. The profile email field is not unique across Azure AD tenants, opening up the potential for one Azure AD tenant to impersonate another by using an identical email.
The potential ramifications of this vulnerability are vast and troubling. Attackers exploiting this security flaw could gain full control over a user’s account, opening the doors to sensitive customer data and other critical information.
The vulnerability primarily affects Grafana deployments using Azure AD OAuth with a multi-tenant Azure AD OAuth application and no allowed_groups configuration. If you’re running an unpatched Grafana version from 6.7.0 onward, it’s time to take immediate action.
The Grafana team responded swiftly to this pressing concern and patched the vulnerability in versions 10.0.1, 9.5.5, 9.4.13, 9.3.16, 9.2.20, and 8.5.27. If your Grafana instance is on one of these versions or later, you’re protected.
But what if an upgrade isn’t immediately feasible? Fortunately, there are mitigation options available. First, adding an allowed_groups configuration to your Azure AD OAuth setup ensures that a user signing in must also belong to one of the listed Azure AD groups. This measure effectively reduces the risk of an attacker leveraging an arbitrary email.
Alternatively, registering a single tenant application in Azure AD effectively eliminates the attack vector, as this prevents the opportunity for cross-tenant impersonation.
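To make the failure mode and the two mitigations concrete, here is an added Python sketch; it is not Grafana's code and does not reproduce its actual fix. The claim names (tid, oid, email, groups) are standard Azure AD ID-token claims, while the tenant ids, group ids and user records are constructed sample data.

```python
# Added illustration (not Grafana's implementation): an account lookup keyed only on
# the email claim cannot tell two Azure AD tenants apart, and how the mitigations
# named in the advisory (allowed_groups, single-tenant app) gate such a login.
# All ids below are constructed; claim names follow Azure AD ID-token conventions.

# Existing accounts keyed the vulnerable way: by email alone.
USERS_BY_EMAIL = {"alice@example.com": {"login": "alice", "role": "Admin"}}

HOME_TENANT = "11111111-1111-1111-1111-111111111111"   # constructed tenant id
ALLOWED_GROUPS = {"33333333-3333-3333-3333-333333333333"}  # constructed group object id

# Token claims for the real user, issued by the home tenant.
LEGIT = {"tid": HOME_TENANT, "oid": "aaaa-0001", "email": "alice@example.com",
         "groups": ["33333333-3333-3333-3333-333333333333"]}
# Token claims with the same email, issued by a different tenant.
FOREIGN = {"tid": "22222222-2222-2222-2222-222222222222", "oid": "bbbb-0002",
           "email": "alice@example.com", "groups": []}


def resolve_by_email(claims):
    """Vulnerable pattern: whichever tenant issued the token, the email matches."""
    return USERS_BY_EMAIL.get(claims.get("email"))


def login(claims, allowed_groups=None, single_tenant=None):
    """Same lookup, gated by the advisory's mitigations.

    allowed_groups: set of group object ids the user must belong to (allowed_groups).
    single_tenant:  the only tenant id accepted (single-tenant app registration).
    Returns the matched user record, or None when a gate rejects the login.
    """
    if single_tenant is not None and claims.get("tid") != single_tenant:
        return None  # token was issued by another tenant: reject
    if allowed_groups is not None:
        if not allowed_groups & set(claims.get("groups", [])):
            return None  # no membership in any configured group: reject
    return resolve_by_email(claims)


def tenant_scoped_key(claims):
    """General principle (an assumption, not Grafana's fix): identify accounts by a
    tenant-qualified identifier rather than by a mutable, non-unique email."""
    return (claims["tid"], claims["oid"])
```

Running the two token sets through resolve_by_email shows both map to the same account; with either mitigation enabled, only the home-tenant token gets through.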