Grafana Patches Critical Azure AD Authentication Bypass Vulnerability


Grafana has recently released new security updates to patch a critical vulnerability in its application. The flaw could enable threat actors to hijack Grafana accounts that use Azure Active Directory (recently renamed Microsoft Entra ID) for authentication.

Grafana is a popular analytics and visualization service that enables IT admins to monitor and analyze time-series data. It provides access to real-time dashboards with interactive charts, graphs, and notifications. Grafana helps organizations to gain insights into the performance of their systems, visualize metrics, and monitor key performance indicators.

The critical security vulnerability (tracked as CVE-2023-3128) received a CVSS v3.1 score of 9.4. Grafana mentioned that the flaw exists in the email claim-based validation of Azure AD accounts.

“Grafana validates Azure Active Directory accounts based on the email claim. On Azure AD, the profile email field is not unique across Azure AD tenants. This can enable a Grafana account takeover and authentication bypass when Azure AD OAuth is configured with a multi-tenant Azure AD OAuth application,” Grafana explained in a security advisory.

Upgrade to the latest Grafana version

Grafana confirmed that the security flaw impacts all deployments that leverage Azure AD OAuth to authenticate users. It’s highly recommended that customers should upgrade to Grafana 10.0.1 or later to protect their organizations against cyberattacks. The company has also collaborated with Microsoft, Amazon, and other cloud vendors to upgrade Grafana Cloud to the latest version.

Meanwhile, Grafana detailed a couple of mitigation strategies for organizations that are unable to immediately upgrade their instances. The company advises IT admins to register a single tenant application in Azure Active Directory. It should help to block external users from making any login attempts.

Customers can also add an “allowed_groups” configuration to the Azure AD settings to restrict sign-in attempts to select users. This approach will let administrators block login attempts with an arbitrary email.