CVE-2023-3128
📋 TL;DR
This vulnerability allows attackers to bypass authentication and take over Grafana accounts when Azure AD OAuth is configured with multi-tenant applications. Attackers can modify email claims in Azure AD profiles to impersonate legitimate users. Organizations using Grafana with Azure AD OAuth multi-tenant configurations are affected.
💻 Affected Systems
- Grafana
📦 What is this software?
Grafana by Grafana
⚠️ Risk & Real-World Impact
Worst Case
Complete Grafana account takeover leading to unauthorized access to all dashboards, data sources, and administrative functions, potentially enabling data exfiltration or system compromise.
Likely Case
Unauthorized access to Grafana dashboards and data sources, potentially exposing sensitive monitoring data and metrics.
If Mitigated
Limited impact with proper authentication controls, monitoring, and network segmentation in place.
🎯 Exploit Status
Exploitation requires Azure AD account access to modify email claims, but the attack chain is straightforward once initial access is obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 9.4.13, 9.5.4, 10.0.0
Vendor Advisory: https://grafana.com/security/security-advisories/cve-2023-3128/
Restart Required: Yes
Instructions:
1. Upgrade Grafana to version 9.4.13, 9.5.4, or 10.0.0.
2. Restart the Grafana service.
3. Verify the fix by checking the version and testing authentication.
🔧 Temporary Workarounds
Switch to Single-Tenant Azure AD App
Configure Azure AD OAuth to use single-tenant applications instead of multi-tenant applications.
Disable Azure AD OAuth
Temporarily disable Azure AD OAuth authentication until patching can be completed.
🧯 If You Can't Patch
- Implement network segmentation to isolate Grafana instances from untrusted networks
- Enable enhanced logging and monitoring for authentication events and account changes
🔍 How to Verify
Check if Vulnerable:
Check Grafana version and verify Azure AD OAuth configuration uses multi-tenant applications.
Check Version:
grafana-server -v
Verify Fix Applied:
Verify Grafana version is 9.4.13, 9.5.4, or 10.0.0 or later, and test authentication with modified email claims.
📡 Detection & Monitoring
Log Indicators:
- Unusual authentication patterns
- Multiple failed login attempts followed by successful login from different email domains
- Account creation/modification events from unexpected sources
Network Indicators:
- Authentication requests from unexpected IP ranges
- Unusual OAuth token exchange patterns
SIEM Query:
source="grafana" AND (event="login" OR event="auth") AND email CONTAINS "@" AND email NOT IN allowed_domains
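The SIEM query above expresses the allow-list check in pseudo-syntax. The following Python script is an added example (not part of this advisory or of Grafana) that applies the same two indicators to authentication log lines: logins whose email domain is outside an allow-list, and a successful login whose local-part matches recent failed attempts from a different domain. The log lines, field names and the domains in ALLOWED_DOMAINS are constructed for illustration and are not Grafana's actual log format; adapt parse_logfmt to the fields your deployment emits.

```python
"""Allow-list and domain-switch checks over OAuth login events (added example)."""
import re
from collections import defaultdict

# Assumption: the email domains your Azure AD tenant legitimately issues.
ALLOWED_DOMAINS = {"example.com", "corp.example.com"}

# Constructed sample events in logfmt style; not real Grafana output.
SAMPLE_LOG = """\
t=2023-06-20T10:00:01Z logger=auth event=login email=alice@example.com ip=10.0.0.5 status=success
t=2023-06-20T10:00:07Z logger=auth event=login email=bob@example.com ip=10.0.0.6 status=failure
t=2023-06-20T10:00:09Z logger=auth event=login email=bob@example.com ip=10.0.0.6 status=failure
t=2023-06-20T10:00:12Z logger=auth event=login email=bob@attacker-tenant.example ip=203.0.113.7 status=success
t=2023-06-20T10:01:00Z logger=auth event=login email=admin@outside.example ip=203.0.113.9 status=success
"""

TOKEN_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_logfmt(line):
    """Split a key=value line into a dict, dropping quotes around values."""
    return {k: v.strip('"') for k, v in TOKEN_RE.findall(line)}


def email_domain(email):
    """Return the lower-cased domain part of an address, or '' if malformed."""
    return email.rsplit("@", 1)[1].lower() if "@" in email else ""


def find_disallowed_logins(lines, allowed=ALLOWED_DOMAINS):
    """Records matching the SIEM query: login/auth events whose email is outside the allow-list."""
    hits = []
    for line in lines:
        rec = parse_logfmt(line)
        if rec.get("event") not in ("login", "auth"):
            continue
        email = rec.get("email", "")
        if "@" in email and email_domain(email) not in allowed:
            hits.append(rec)
    return hits


def find_domain_switch_after_failures(lines, min_failures=2):
    """Flag a successful login whose local-part saw >= min_failures failures from another domain.

    This is the "failed attempts followed by success from a different email domain" indicator:
    the same account name appearing first with the expected domain and then succeeding
    with an unexpected one is worth a manual look.
    """
    failures = defaultdict(lambda: defaultdict(int))  # local-part -> domain -> failure count
    flagged = []
    for line in lines:
        rec = parse_logfmt(line)
        if rec.get("event") != "login" or "@" not in rec.get("email", ""):
            continue
        local, domain = rec["email"].lower().rsplit("@", 1)
        if rec.get("status") == "failure":
            failures[local][domain] += 1
        elif rec.get("status") == "success":
            prior = {d: n for d, n in failures[local].items() if d != domain and n >= min_failures}
            if prior:
                flagged.append((rec["email"], sorted(prior)))
    return flagged


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for rec in find_disallowed_logins(lines):
        print("domain not allowed:", rec["email"], "from", rec["ip"], "at", rec["t"])
    for email, domains in find_domain_switch_after_failures(lines):
        print("success after failures from other domain(s):", email, domains)
```

Both checks are deliberately conservative: the allow-list check produces a hit for every login outside the expected domains, which is the right default while a multi-tenant app is still in use, and the domain-switch check only fires once the same account name has failed repeatedly elsewhere, so it stays quiet on ordinary typos.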
🔗 References
- https://github.com/grafana/bugbounty/security/advisories/GHSA-gxh2-6vvc-rrgp
- https://grafana.com/security/security-advisories/cve-2023-3128/
- https://security.netapp.com/advisory/ntap-20230714-0004/