Indiscriminate, opportunistic attacks.
Grafana Labs has released updates for its analytics and visualisation platform that address a critical authentication bypass vulnerability in the way Grafana integrates with Azure Active Directory (AAD) for sign-in.
The root cause is that Grafana used the profile email field returned by AAD to match a signing-in user to a local account. That email value is not unique across AAD tenants, so a threat actor who controls an account in a different tenant with the same email address as a victim can be matched to the victim's Grafana account and gain full access to it.
No evidence is available at the time of writing that the vulnerability has been actively exploited. It is currently tracked as CVE-2023-3128.
Successful exploitation gives a threat actor full control of the targeted account, including every function and permission assigned to it. Depending on the account's role, this can expose sensitive dashboard data or customer data held in Grafana, enable data exfiltration for financial gain, or provide a foothold for further exploitation.
A comprehensive endpoint detection and response (EDR) solution, such as Microsoft Defender, can provide an additional layer of protection. Because this vulnerability is an authentication bypass rather than a malware infection, an EDR will not block the account takeover itself, but it can alert on and contain follow-on activity on managed hosts before significant damage is done.
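To make the matching flaw concrete, the following Go program (an added illustration written for this advisory; it is not Grafana's code and does not reproduce its internals) contrasts an account lookup keyed on the email claim with one keyed on the tenant-scoped object identifier. The claim names (`email`, `tid`, `oid`) are standard Azure AD ID token claims; the user records, tenant identifiers and the tenant allow-list are constructed sample data.

```go
package main

import (
	"errors"
	"fmt"
)

// Claims models the subset of an Azure AD ID token used for account matching.
// The email claim can be set freely by whoever administers another tenant;
// the (tid, oid) pair is assigned by Azure AD and is unique per tenant user.
type Claims struct {
	Email string // "email" claim, not unique across tenants
	TID   string // "tid" claim, the issuing tenant
	OID   string // "oid" claim, the user's object ID within that tenant
}

// User is a simplified local account record, in the spirit of a Grafana user row.
type User struct {
	Login    string
	Email    string
	TenantID string
	ObjectID string
	IsAdmin  bool
}

var ErrNoMatch = errors.New("no matching account")

// vulnerableLookup mirrors the behaviour described in the advisory:
// the local account is selected purely by the email claim.
func vulnerableLookup(users []User, c Claims) (*User, error) {
	for i := range users {
		if users[i].Email == c.Email {
			return &users[i], nil
		}
	}
	return nil, ErrNoMatch
}

// hardenedLookup matches on the tenant-scoped object identifier and, as a
// second layer, rejects tokens issued by tenants outside an allow-list
// (the effect of restricting the application to known tenants).
func hardenedLookup(users []User, c Claims, allowedTenants map[string]bool) (*User, error) {
	if !allowedTenants[c.TID] {
		return nil, fmt.Errorf("tenant %q is not allowed to sign in", c.TID)
	}
	for i := range users {
		if users[i].TenantID == c.TID && users[i].ObjectID == c.OID {
			return &users[i], nil
		}
	}
	return nil, ErrNoMatch
}

// Constructed sample data: one admin account provisioned from the victim tenant.
func sampleUsers() []User {
	return []User{
		{Login: "admin", Email: "admin@example.com", TenantID: "tenant-victim", ObjectID: "oid-1111", IsAdmin: true},
		{Login: "viewer", Email: "viewer@example.com", TenantID: "tenant-victim", ObjectID: "oid-2222"},
	}
}

// Token the legitimate admin would present.
func victimClaims() Claims {
	return Claims{Email: "admin@example.com", TID: "tenant-victim", OID: "oid-1111"}
}

// Token from an attacker-controlled tenant whose user was given the same email.
func attackerClaims() Claims {
	return Claims{Email: "admin@example.com", TID: "tenant-attacker", OID: "oid-9999"}
}

func main() {
	users := sampleUsers()
	allowed := map[string]bool{"tenant-victim": true}

	if u, err := vulnerableLookup(users, attackerClaims()); err == nil {
		fmt.Printf("vulnerable: attacker token mapped to %q (admin=%v)\n", u.Login, u.IsAdmin)
	}
	if _, err := hardenedLookup(users, attackerClaims(), allowed); err != nil {
		fmt.Println("hardened: attacker token rejected:", err)
	}
	if u, err := hardenedLookup(users, victimClaims(), allowed); err == nil {
		fmt.Printf("hardened: legitimate token mapped to %q\n", u.Login)
	}
}
```

The tenant allow-list alone is not sufficient: a second user inside an allowed tenant can still be created with a colliding email, which is why the account key must be the `(tid, oid)` pair rather than the email. Conversely, keying on `oid` alone is also insufficient, since object IDs are only unique within a tenant.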
Grafana versions 6.7.0 and later with Azure AD authentication enabled.
Containment, Mitigations & Remediations
As noted above, an EDR solution is recommended as a general control: it allows potential attacks from a wide range of threats to be prevented or mitigated in real time, including any follow-on activity after an account takeover.
All affected Grafana instances should be updated to the most recent vendor release, as the fix changes how accounts are matched to AAD identities and removes the reliance on the non-unique email field. More broadly, all devices should apply the latest vendor updates, which carry the security fixes needed to prevent exploitation of known threats.
Indicators of Compromise
No specific Indicators of Compromise (IoCs) are available currently.
Grafana holds a significant share of the data visualisation market. Threat actors generally weigh the probability of success against asset value when choosing which attack surfaces to pursue, and on both counts Grafana deployments are an attractive target. Because the application is used to visualise potentially sensitive operational and customer data, threat actors are likely to continue exploiting vulnerabilities in Grafana products in an attempt to extract that information.
No attribution to specific threat actors or groups has been identified at the time of writing.
T1195 – Supply Chain Compromise