June 26, 2023

Grafana has released a security patch for a critical Authentication Bypass vulnerability found in multiple versions of its application.

This vulnerability allows attackers to bypass authentication and gain control over any Grafana account that uses Azure Active Directory OAuth with a multi-tenant Azure application and that do not have allowed_groups configured.

Grafana is a widely used open-source analytics and visualization app with extensive integration options, which has a wide range of platforms and applications.

The Vulnerability

• CVE-2023-3128 (CVSS 3.1: 9.4, Critical) – Authentication Bypass vulnerability, arises from Grafana’s validation process of Azure Active Directory accounts, which is based on the not unique profile email field across Azure AD tenants. Exploiting this vulnerability grants threat actors complete control over user accounts, including access to private customer data and sensitive information..

Affected Products

• All Grafana versions from 6.7.0 and later.
• Grafana Cloud has already been upgraded to the latest versions.

Mitigation and Workaround

CYREBRO recommends updating software installations to the latest versions.

If you cannot upgrade your Grafana instances to a secure version, please review the following workarounds:

1. Register a single tenant application in Azure AD, which should prevent any login attempts from external tenants (people outside the organization).
2. Add an “allowed_groups” configuration to the Azure AD settings to limit the sign-in attempts to members of a white-listed group, hence automatically rejecting all attempts using an arbitrary email.

References: Grafana Advisory