New security patch for critical Grafana authentication bypass vulnerability

Target Industry

Indiscriminate, opportunistic attacks.

Overview

Grafana Labs have released an update for their analytics and visualisation application that addresses a critical authentication bypass vulnerability due to the way Grafana interacts with Azure Active Directory (AAD).

The vulnerability arises because the application validates accounts using the profile email field, which is not unique across AAD tenants; this can allow a threat actor to gain full access to an account.

No evidence is available at the time of writing that the vulnerability has been actively exploited. It is currently tracked as CVE-2023-3128.
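To make the account-matching weakness concrete, the following added example (illustrative code written for this bulletin, not Grafana's own implementation) contrasts a lookup keyed on the email claim with one keyed on the tenant and object identifiers. The token claims, tenant identifiers and local account table are all constructed; the claim names "tid", "oid" and "email" follow Azure AD's conventions, but the values are made up.

```python
"""Account matching for an Azure AD login, shown the weak way and the hardened way.

Added illustrative example, not Grafana's code. All claim values, tenant ids
and accounts below are constructed for the demonstration.
"""
from dataclasses import dataclass


@dataclass
class Account:
    username: str
    email: str
    tenant_id: str   # AAD tenant the account was provisioned from
    object_id: str   # AAD object id of the principal within that tenant
    role: str


# Constructed local user table: one admin provisioned from tenant "tenant-A".
ACCOUNTS = [
    Account("alice", "alice@example.com", "tenant-A", "oid-alice-1", "Admin"),
]

# Constructed ID-token claims: a genuine login from the expected tenant ...
GENUINE_CLAIMS = {"tid": "tenant-A", "oid": "oid-alice-1", "email": "alice@example.com"}
# ... and a token issued by a different tenant whose user carries the same email value.
FOREIGN_TENANT_CLAIMS = {"tid": "tenant-B", "oid": "oid-other-9", "email": "alice@example.com"}


def match_by_email(claims: dict, accounts=ACCOUNTS):
    """Weak pattern: the email claim alone selects the local account.

    Email is not unique across AAD tenants, so a token from any tenant that
    carries the same email value maps onto the same local account.
    """
    wanted = claims.get("email", "").lower()
    for acct in accounts:
        if acct.email.lower() == wanted:
            return acct
    return None


def match_by_tenant_and_object_id(claims: dict, accounts=ACCOUNTS,
                                  allowed_tenants=frozenset({"tenant-A"})):
    """Hardened pattern: reject tokens from tenants outside the allow-list, then
    match on the (tid, oid) pair, which identifies one principal in one tenant.

    Email is treated as display data only, never as the lookup key.
    """
    tid = claims.get("tid")
    oid = claims.get("oid")
    if not tid or not oid or tid not in allowed_tenants:
        return None
    for acct in accounts:
        if acct.tenant_id == tid and acct.object_id == oid:
            return acct
    return None


if __name__ == "__main__":
    for label, claims in (("genuine", GENUINE_CLAIMS), ("foreign tenant", FOREIGN_TENANT_CLAIMS)):
        weak = match_by_email(claims)
        strong = match_by_tenant_and_object_id(claims)
        print(f"{label:15} email-match -> {weak.username if weak else None}, "
              f"tenant+oid-match -> {strong.username if strong else None}")
```

Run stand-alone, the email-based lookup resolves both tokens to the "alice" admin account, while the tenant-scoped lookup accepts only the genuine token and returns nothing for the foreign-tenant one. The same principle applies to any identity-provider integration: key local accounts on the provider's stable, tenant-scoped identifier and restrict the set of tenants that may sign in, rather than trusting a mutable attribute such as email.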

Impact

Successful exploitation of this vulnerability would allow a threat actor to gain full control over a chosen account and to use all functionality associated with it. This could expose sensitive data held in other accounts or customer data, and allow data exfiltration for monetary gain or as leverage for further exploitation.

Vulnerability Detection

A comprehensive endpoint detection and response (EDR) solution, such as Microsoft Defender, can provide additional protection against threats. An EDR can alert system users to a potential breach and halt its progress before malware is able to cause significant damage.

Affected Products

Grafana version 6.7.0 and greater.

Containment, Mitigations & Remediations

As mentioned previously, it is recommended that an EDR solution be implemented, as this allows for the prevention or mitigation of potential attacks from a wide range of threats in real time.

All devices should implement the most recent vendor updates available as these will contain updates to their security features to help prevent exploitation from known threats.

Indicators of Compromise

No specific Indicators of Compromise (IoCs) are available currently.

Threat Landscape

Grafana occupies a significant proportion of the visualisation market share. Given that threat actors generally weigh a combination of probability and asset value when deciding which attack surfaces to focus on, Grafana products are a prime target. Because the application is used to visualise potentially sensitive data, threat actors will continue to exploit vulnerabilities in the associated products in an attempt to extract the sensitive information contained therein.

Threat Group

No attribution to specific threat actors or groups has been identified at the time of writing.

Mitre Methodologies

Initial Access

T1195 – Supply Chain Compromise

Further Information

Grafana security release: New versions of Grafana with a critical security fix for CVE-2023-3128


Figure: An Intelligence Terminology Yardstick showing the likelihood of events.