Today we are releasing Grafana 10.0.1, 9.5.5, 9.4.13, 9.3.16, 9.2.20, and 8.5.27. Alongside other bug fixes, these patch releases include critical severity security fix for CVE-2023-3128.
Release 10.0.1, latest patch, also containing security fix:
Release 9.5.5, also containing security fix:
Release 9.4.13, also containing security fix:
Release 9.3.16, also containing security fix:
Release 9.2.20, also containing security fix:
Release 8.5.27, also containing security fix:
Appropriate patches have been applied to Grafana Cloud and as always, we closely coordinated with all cloud providers licensed to offer Grafana Cloud Pro. They have received early notification under embargo and confirmed that their offerings are secure at the time of this announcement. This is applicable to Amazon Managed Grafana and Azure Managed Grafana.
Account takeover / authentication bypass (CVE-2023-3128)
Grafana validates Azure Active Directory accounts based on the email claim. On Azure AD, the profile email field is not unique across Azure AD tenants. This can enable a Grafana account takeover and authentication bypass when Azure AD OAuth is configured with a multi-tenant Azure AD OAuth application.
The CVSS score for this vulnerability is 9.4 Critical.
If exploited, the attacker can gain complete control of a user’s account, including access to private customer data and sensitive information. All users in Grafana deployments with Azure AD OAuth configured with a multi-tenant Azure app and that do not have allowed_groups configured are affected and can be compromised.
All installations for Grafana versions >= 6.7.0.
Solutions and mitigations
To fully address CVE-2023-3128, please upgrade your Grafana instances. Appropriate patches have been applied to Grafana Cloud.
As an alternative mitigation solution, you can apply one of the following:
- Adding allowed_groups configuration to the Azure AD configuration would ensure that when a user is signing in, they are also a member of a group in Azure AD. This would ensure that an arbitrary email can’t be used by an attacker.
- Registering a single tenant application in Azure AD would prevent the attack vector.
Potentially breaking changes and resolution explanation
Our patch removes unsafe email lookups from every auth provider and relies solely on the user’s unique ID provided by the identity provider.
Looking up users by email can be safe for some identity providers (for example, when they are single tenants and unique non-editable, validated emails are provided), as well as in some infrastructures.
The resolution might potentially break your user authentication workflows in these scenarios:
- When Grafana is configured to use multiple identity providers (including a combination of standard Grafana login/password authentication with additional SSO), and you have users with the same email address in multiple identity providers.
- When Grafana is configured to use generic OAuth with an identity provider that does not support the unique ID field.
If your Grafana instance was relying on this functionality, you might see one of the following messages when signing in:
Login Failed - User sync failed Login Failed - User already exists
In order to work around the errors, we have left an escape hatch that you can use to enable email lookup. You can use the following configuration in your Grafana instance to bring the previous behavior back.
[auth] oauth_allow_insecure_email_lookup = true
*Note: We highly recommend against utilizing the above option and instead encourage ensuring user uniqueness across multiple identity providers, while also opting for an identity provider that supports a unique ID field.
Reporting security issues
If you think you have found a vulnerability, please go to our security issue page to learn how to send in a report. You can also read our recent blog post on the Bug Bounty Program to find out more details.
Grafana Labs will send you a response indicating the next steps in handling your report. After the initial reply, the security team will keep you informed of the progress towards a fix and full announcement, and we may ask for additional information or guidance.
Important: We ask you to not disclose the vulnerability before it has been fixed and announced, unless you received a response from the Grafana Labs security team that you can do so.