Grafana Critical Authentication Bypass Due To Azure AD Integration
When authentication uses sender email addresses, you should assume you’ve been breached.
According to a critical advisory put out by Grafana, the popular open-source analytics and visualization platform has been validating some users solely by the email claim in their identity token. Grafana offers extensive integration options with a wide range of monitoring platforms and applications.
“Grafana validates Azure Active Directory accounts based on the email claim. On Azure AD, the profile email field is not unique across Azure AD tenants. This can enable a Grafana account takeover and authentication bypass when Azure AD OAuth is configured with a multi-tenant Azure AD OAuth application.
“If exploited, the attacker can gain complete control of a user’s account, including access to private customer data and sensitive information. All users in Grafana deployments with Azure AD OAuth configured with a multi-tenant Azure app and that do not have allowed_groups configured are affected and can be compromised.”
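To illustrate the defect the advisory describes, here is an added example (not Grafana's own code): an account lookup keyed on the email claim collides across tenants of a multi-tenant app, while a lookup keyed on the tenant id and object id does not, and an allowed_groups check blocks the foreign-tenant token before any matching happens. The token claim sets, account stores and group id are constructed for this example.

```python
# Added illustration of the bug class behind CVE-2023-3128 (not Grafana code).
# The claim sets below are constructed; they are not real Azure AD tokens.

# Vulnerable account store: keyed on the email claim alone.
VULNERABLE_DB = {"alice@example.com": {"login": "alice", "role": "Admin"}}

# Hardened account store: keyed on (tenant id, object id), which Azure AD
# keeps unique, unlike the profile email field across tenants.
HARDENED_DB = {
    ("tenant-a-0001", "oid-alice-1111"): {"login": "alice", "role": "Admin"},
}

# Mirrors Grafana's allowed_groups setting. Group ids are tenant-scoped, so a
# token issued for another tenant cannot carry the home tenant's group id.
ALLOWED_GROUPS = {"group-grafana-admins-0001"}

# Two constructed ID-token claim sets with the SAME email but different
# tenants (tid) and different directory objects (oid).
LEGIT_TOKEN = {"tid": "tenant-a-0001", "oid": "oid-alice-1111",
               "email": "alice@example.com",
               "groups": ["group-grafana-admins-0001"]}
FOREIGN_TOKEN = {"tid": "tenant-b-0002", "oid": "oid-other-2222",
                 "email": "alice@example.com", "groups": []}


def lookup_by_email(claims):
    """Vulnerable pattern: trust the email claim as the account identifier."""
    return VULNERABLE_DB.get(claims["email"])


def lookup_by_tenant_and_oid(claims):
    """Hardened pattern: key on claims the identity provider keeps unique."""
    return HARDENED_DB.get((claims["tid"], claims["oid"]))


def lookup_with_allowed_groups(claims):
    """The advisory's mitigation: require an allowed group before matching."""
    if not ALLOWED_GROUPS.intersection(claims.get("groups", [])):
        return None
    return lookup_by_email(claims)
```

Run against the two tokens, the email-keyed lookup returns the same admin account for both, while the (tid, oid) lookup and the allowed_groups gate reject the foreign-tenant token.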
According to Wikipedia, Grafana has over 1,000 paying customers, including well-known organizations such as Wikimedia, Bloomberg, JP Morgan Chase, eBay, PayPal, and Sony.
Grafana has released security fixes for the vulnerability, tracked as CVE-2023-3128. The vulnerability received a CVSS v3.1 score of 9.4, a critical severity.
Roy Akerman, Co-Founder & CEO of Rezonate, said this:
“This critical vulnerability reported by Grafana introduces a major risk to organizations, their identities and data. Most often, account takeover requires higher privileges to be successfully exploited; however, in this case we see the simplicity with which a bad practice of AAD implementation allows an attacker to assume any user available. The risk of false impersonation, however, does not only exist in AAD and most probably not only for Grafana, and therefore there is a need to monitor access attempts and compare them with past behavior information in order to detect any suspicious access attempts.”
If you use Grafana, you should apply the patch for this issue ASAP, because given what this product does, it’s safe to assume that threat actors will go after deployments that have not applied it.
This entry was posted on June 26, 2023 at 2:46 pm and is filed under Commentary with tags Grafana. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.