Vulnerabilities  
June 26, 2023

Grafana warns of a critical authentication bypass in its Azure AD integration

Grafana has released security updates across several supported release branches to fix a vulnerability that allowed an attacker to bypass authentication and take over any Grafana account that signs in through Azure Active Directory. Deployments using Azure AD OAuth should treat the upgrade as urgent.

Grafana is a widely used open-source analytics and interactive visualisation application that integrates with a broad range of monitoring platforms and data sources.

Renowned organisations like Wikimedia, Bloomberg, JP Morgan Chase, eBay, PayPal, and Sony utilise Grafana Enterprise, the premium version of the application, which offers enhanced features and capabilities.

The account takeover vulnerability, tracked as CVE-2023-3128, has been rated critical with a CVSS v3.1 score of 9.4.

The bug stems from how Grafana matched Azure AD sign-ins to local accounts: it used the email claim from the ID token (the Azure AD profile email field) as the identifier. Azure AD does not enforce that this field is unique across tenants, so an attacker who controls their own Azure AD tenant can create a user whose profile email matches that of a legitimate Grafana user. When the attacker signs in, Grafana looks up the account by email and logs them into the victim's account.

According to Grafana's advisory, the attack only works when Grafana's Azure AD OAuth is configured against a multi-tenant Azure AD application registration, because a single-tenant registration would never issue a token for the attacker's tenant in the first place. Under that configuration the flaw amounts to a full authentication bypass and account takeover.

In the event of exploitation, the attacker can attain full control over a user's account, granting them access to private customer data and sensitive information.

Swiftly resolved with a patch update

The vulnerability affects every Grafana deployment that uses Azure AD OAuth for user authentication with a multi-tenant Azure AD application registration and no restriction on which groups may sign in (the 'allowed_groups' setting).

The flaw is present in Grafana versions from 6.7.0 onwards. The vendor has released fixes for the 8.5, 9.2, 9.3, 9.4, 9.5 and 10.0 release branches.

To address this vulnerability, it is recommended to upgrade to the following versions:

  • Grafana 10.0.1 or a later release
  • Grafana 9.5.5 or a later release
  • Grafana 9.4.13 or a later release
  • Grafana 9.3.16 or a later release
  • Grafana 9.2.20 or a later release
  • Grafana 8.5.27 or a later release

Notably, Grafana Cloud has already undergone upgrades to the latest versions. The software vendor has worked in collaboration with cloud providers, such as Amazon and Microsoft, who received early notification about the vulnerability under embargo.

For users unable to upgrade their Grafana instances to a fixed version, the bulletin outlines two mitigations:

1. Register the Azure AD application as single-tenant: Azure AD will then only issue tokens for users in your own organisation's tenant, so sign-in attempts from an attacker-controlled tenant are rejected before they reach Grafana.

2. Configure 'allowed_groups' in Grafana's Azure AD OAuth settings: this restricts sign-in to members of specific Azure AD groups (identified by their object IDs), so a token whose only matching attribute is the email address is rejected. Note that this relies on the token carrying a groups claim, which the application registration must be configured to emit.
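The following Go program illustrates both the account-matching mistake described above and why the two mitigations close it. It is an example written for this post, not code from Grafana's source. The tenant and object IDs, account records, group names and the Policy/Claims structures are all constructed for the example; keying the hardened lookup on the token's tid and oid claims is this example's choice of a sound fix and is not a description of Grafana's exact patched implementation.

```go
package main

import (
	"errors"
	"fmt"
)

// Constructed tenant IDs for the example; they are not real Azure AD values.
const (
	VictimTenant   = "11111111-1111-1111-1111-111111111111" // the organisation's own tenant
	AttackerTenant = "99999999-9999-9999-9999-999999999999" // a tenant the attacker controls
)

// Claims is the subset of an Azure AD ID token that matters for account matching.
type Claims struct {
	TenantID string   // tid: tenant that issued the token
	ObjectID string   // oid: immutable user ID, unique only within that tenant
	Email    string   // email: a profile attribute, NOT unique across tenants
	Groups   []string // groups: present only if the app registration emits the claim
}

// Account is a local Grafana-style user record. TenantID/ObjectID are the
// identity the hardened lookup keys on; the vulnerable lookup ignores them.
type Account struct {
	ID       int
	Email    string
	TenantID string
	ObjectID string
}

// Policy models the two mitigations from the advisory: a single-tenant app
// registration (AllowedTenant) and an allowed_groups restriction.
type Policy struct {
	AllowedTenant string   // "" behaves like a multi-tenant registration
	AllowedGroups []string // empty means no group restriction
}

// SampleAccounts returns one legitimate admin provisioned from the victim tenant.
func SampleAccounts() []Account {
	return []Account{{ID: 1, Email: "admin@example.com", TenantID: VictimTenant, ObjectID: "aaaa-0001"}}
}

// VictimToken is what the real admin's sign-in yields.
func VictimToken() Claims {
	return Claims{TenantID: VictimTenant, ObjectID: "aaaa-0001", Email: "admin@example.com", Groups: []string{"grafana-admins"}}
}

// AttackerToken comes from the attacker's own tenant, where they set the profile
// email to match the victim. tid and oid differ; only the email collides.
func AttackerToken() Claims {
	return Claims{TenantID: AttackerTenant, ObjectID: "bbbb-0001", Email: "admin@example.com"}
}

// VulnerableLookup mirrors the pre-fix behaviour described in the advisory:
// the account is selected by the email claim alone, so a token from any tenant
// with a matching email lands in the victim's account.
func VulnerableLookup(accounts []Account, c Claims) (*Account, error) {
	for i := range accounts {
		if accounts[i].Email == c.Email {
			return &accounts[i], nil
		}
	}
	return nil, errors.New("no account for email")
}

// HardenedLookup enforces the policy, then matches on (tid, oid); the email is
// never used as an identifier.
func HardenedLookup(accounts []Account, c Claims, p Policy) (*Account, error) {
	if c.TenantID == "" || c.ObjectID == "" {
		return nil, errors.New("token lacks tid or oid")
	}
	if p.AllowedTenant != "" && c.TenantID != p.AllowedTenant {
		return nil, fmt.Errorf("tenant %s is not the registered tenant", c.TenantID)
	}
	if len(p.AllowedGroups) > 0 && !intersects(c.Groups, p.AllowedGroups) {
		return nil, errors.New("user is not in an allowed group")
	}
	for i := range accounts {
		if accounts[i].TenantID == c.TenantID && accounts[i].ObjectID == c.ObjectID {
			return &accounts[i], nil
		}
	}
	return nil, errors.New("no account linked to this tid/oid")
}

func intersects(have, want []string) bool {
	for _, h := range have {
		for _, w := range want {
			if h == w {
				return true
			}
		}
	}
	return false
}

func main() {
	accts := SampleAccounts()
	if a, err := VulnerableLookup(accts, AttackerToken()); err == nil {
		fmt.Printf("vulnerable: attacker from %s logged in as account %d (%s)\n", AttackerTenant, a.ID, a.Email)
	}
	for _, p := range []Policy{{}, {AllowedTenant: VictimTenant}, {AllowedGroups: []string{"grafana-admins"}}} {
		_, err := HardenedLookup(accts, AttackerToken(), p)
		fmt.Printf("hardened %+v: attacker rejected: %v\n", p, err)
	}
	a, err := HardenedLookup(accts, VictimToken(), Policy{AllowedTenant: VictimTenant, AllowedGroups: []string{"grafana-admins"}})
	fmt.Println("hardened: victim signed in as account", a.ID, "err:", err)
}
```

The empty Policy case is the important one: even with no tenant or group restriction, a lookup keyed on tid and oid refuses the attacker's token because the oid belongs to a different user in a different tenant, which is why the upgrade fixes the problem on its own. The single-tenant and allowed_groups policies reject the same token earlier, which is what the two workarounds above achieve for unpatched instances.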

Beyond the mitigations, Grafana's bulletin documents issues that the patch's changed account-matching logic can cause in some setups. If you see errors such as "user sync failed" or "user already exists" after upgrading, follow the resolution steps in the advisory.

In conclusion

The vulnerabilities and mitigations discussed regarding Grafana deployments highlight the importance of robust security measures in protecting sensitive data and preventing unauthorised access. A cybersecurity company can play a crucial role in assisting organisations in addressing these challenges.

By conducting vulnerability assessments, a cybersecurity company can identify potential security gaps in Grafana instances and provide recommendations for remediation. Patch management services ensure that organisations can safely upgrade to secure versions, minimising the risk of exploitation. Additionally, a security architecture review helps identify and address potential risks and misconfigurations.

Configuration hardening services help organisations implement secure settings and access controls, strengthening the overall security posture. Incident response planning ensures that organisations have well-defined processes to effectively respond to security incidents, minimising the impact and facilitating recovery.

Cybersecurity companies also offer employee training and awareness programs, educating users about account takeover risks, phishing prevention, and secure practices. Ongoing monitoring and threat intelligence services help organisations stay vigilant against emerging threats and vulnerabilities, enabling timely detection and response.

Engaging a cybersecurity company can provide organisations with the expertise, tools, and guidance necessary to enhance their overall security when deploying and integrating platforms such as Grafana with identity providers. By leveraging their knowledge and experience, organisations can effectively mitigate risks, safeguard sensitive data, and maintain a robust security posture in the face of evolving cyber threats.
