A severe security bug affected the open-source Grafana web application. Exploiting the vulnerability could allow an attacker to take over a target Grafana account because of a weakness in how OAuth logins were handled. Grafana fixed the vulnerability in time to avoid wide exploitation.
Grafana OAuth vulnerability
Security researchers from HTTPVoid discovered a high-severity vulnerability in the open-source Grafana platform, an analytics and interactive visualization web application for viewing metrics, logs, database contents and other data from multiple sources.
Specifically, the bug affected the platform’s login function, allowing authenticated attackers to gain elevated privileges. An adversary could conduct a cross-origin attack against admin accounts in the same instance and take them over. According to Grafana’s advisory:
It is possible for a malicious user who has authorization to log into a Grafana instance via a configured OAuth IdP to take over an existing Grafana account under some conditions.
The bug received the identifier CVE-2022-31107 and a high-severity rating, with a CVSS score of 7.1.
Exploiting the bug required the adversary to sign in to Grafana via OAuth using an email address and user ID not associated with any Grafana account. The attacker could then target an admin account whose user ID was known, set their own OAuth username to that victim user ID, and log in to Grafana through the OAuth flow. As stated in the vulnerability description:
Due to the way that external and internal user accounts are linked together during login, if the conditions above are all met, then the malicious user will be able to log in to the target user’s Grafana account.
Patches Released in Respective Grafana Versions
The vulnerability affected all Grafana versions from 5.3 onward, up to the patched releases, so Grafana recommended that all users running version 5.3 or later upgrade immediately.
The vendor released the patch in Grafana versions 9.0.3, 8.5.9, 8.4.10, and 8.3.10. Updating to the latest version is the preferred fix; where updating is not possible, the vendor suggests disabling OAuth logins to prevent malicious attempts. Alternatively, users can ensure that all OAuth logins have a valid email address associated with their Grafana accounts.
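To make the account-linking weakness and the "valid email address" mitigation concrete, here is an added simulation in Python. It is not Grafana's code and is not taken from the advisory; the account model, the function names, the sample instance and the sample identities are constructed assumptions modelled only on the description above. It places a linking policy that falls back to matching the identity provider's login name beside one that binds identities to a stable issuer subject and links first-time users by verified email only.

```python
"""Added example (not Grafana code): how linking an external OAuth identity to
an internal account can be abused when the match key is a user-controlled
login name, and how a safer linking policy behaves on the same inputs."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class InternalAccount:
    """A Grafana-side account in the simulated instance (constructed data)."""
    user_id: str   # the internal login / user ID the article refers to
    email: str
    role: str


@dataclass
class OAuthIdentity:
    """Claims presented by the external OAuth/OIDC identity provider (hypothetical)."""
    subject: str              # stable, issuer-assigned identifier (OIDC 'sub')
    login: str                # username in the IdP; usually user-editable
    email: Optional[str]      # may be absent if the IdP does not supply one
    email_verified: bool = False


# Constructed sample instance: one admin, one viewer.
ACCOUNTS: List[InternalAccount] = [
    InternalAccount("admin", "admin@corp.example", "Admin"),
    InternalAccount("alice", "alice@corp.example", "Viewer"),
]


def link_by_login(identity: OAuthIdentity,
                  accounts: List[InternalAccount]) -> Optional[InternalAccount]:
    """Vulnerable linking pattern (hypothetical, modelled on the advisory text):
    try the email first, then fall back to matching the IdP login against
    internal user IDs. Because the login is chosen by the IdP user, an identity
    whose email matches no account can be steered onto any known user ID."""
    if identity.email:
        for acct in accounts:
            if acct.email == identity.email:
                return acct
    for acct in accounts:
        if acct.user_id == identity.login:
            return acct
    return None


def link_hardened(identity: OAuthIdentity,
                  accounts: List[InternalAccount],
                  links: Dict[str, str],
                  require_email: bool = True) -> Optional[InternalAccount]:
    """Safer linking policy:
    1. an identity already linked by its stable subject maps to that account,
       whatever its login or email claims say now;
    2. a never-seen identity must carry a verified email (the advisory's
       'valid email address' mitigation) or it is rejected;
    3. first-time matching uses the email only; the login name is never a key."""
    by_id = {a.user_id: a for a in accounts}
    if identity.subject in links:
        return by_id.get(links[identity.subject])
    if require_email and not (identity.email and identity.email_verified):
        return None  # reject: nothing trustworthy to link on
    if identity.email:
        for acct in accounts:
            if acct.email == identity.email:
                links[identity.subject] = acct.user_id  # remember the binding
                return acct
    return None  # unknown user: provisioning (not shown) would create a fresh account


def demo() -> Dict[str, Optional[str]]:
    """Run the scenario from the article against both policies."""
    # Constructed attacker identity: email unknown to the instance, IdP login set to the admin's ID.
    attacker = OAuthIdentity("idp-sub-9999", "admin", "mallory@other.example", email_verified=True)
    # Constructed legitimate user with a verified email.
    alice = OAuthIdentity("idp-sub-0001", "alice", "alice@corp.example", email_verified=True)

    links: Dict[str, str] = {}
    vuln = link_by_login(attacker, ACCOUNTS)
    hard_attacker = link_hardened(attacker, ACCOUNTS, links)
    hard_alice = link_hardened(alice, ACCOUNTS, links)
    # Alice later renames her IdP login to 'admin'; the stable subject still wins.
    alice_renamed = OAuthIdentity("idp-sub-0001", "admin", "alice@corp.example", email_verified=True)
    hard_alice_again = link_hardened(alice_renamed, ACCOUNTS, links)
    return {
        "vulnerable_attacker": vuln.user_id if vuln else None,
        "hardened_attacker": hard_attacker.user_id if hard_attacker else None,
        "hardened_alice": hard_alice.user_id if hard_alice else None,
        "hardened_alice_renamed": hard_alice_again.user_id if hard_alice_again else None,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point of the comparison is the choice of match key: under the first policy the attacker's identity lands on the admin account, while under the second it matches nothing and would be provisioned as a new, unprivileged user. The `require_email` flag reproduces the advisory's interim mitigation; the stable-subject binding is a further step that keeps a legitimate user on their own account even after they rename their IdP login.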
Let us know your thoughts in the comments.