Researchers have warned that malicious actors could seize control of Grafana’s administrator account due to a vulnerability in the OAuth login function.
This security flaw, tracked as CVE-2022-3107, could allow an attacker to gain access to another user’s account on the open-source analytics platform.
A team of researchers discovered the bug in the platform’s login function. It allows attackers to elevate their privileges via cross-origin attacks against administrators of vulnerable instances of the open source platform.
An attacker could thus potentially gain access to the admin account.
OAuth login allows a user to authorize an application interacting with another without having to give away their password. For example, a user can log in to another app using their Facebook account.
There are some prerequisites to the attack. For example, the attacker must be authorized to log in to Grafana via a configured OAuth IdP. The login name that the IdP supplies is what lets them take control of another Grafana user’s account.
It can happen when:
- The malicious user is permitted to log in to Grafana via OAuth.
- Grafana has no account associated with the malicious user’s external user ID.
- Grafana has not yet associated the malicious user’s email address with any account.
- The malicious user also knows the Grafana username of the target user.
“If these conditions are met, the malicious user may set their username in the OAuth provider to the target user and then proceed through the OAuth flow in Grafana to log in to Grafana,” the vulnerability report reads.
“Due to the way that the external and internal user accounts are linked during login, the malicious user can log in to the target user’s Grafana account if all the above conditions are met.”
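The account-linking order the report describes, as a constructed Go model added here (it is not Grafana’s code; the types, the `linkAccount` function and the sample store are assumptions): with `matchLogin` set, an identity that matches neither a stored auth ID nor an email falls through to a username match, which is exactly the condition list above; with it cleared, the same identity resolves to no account.

```go
package main

import "fmt"

// Constructed model of the identity asserted by the OAuth IdP (not Grafana's own types).
type ExternalUser struct {
	AuthID string // stable subject ID issued by the IdP
	Email  string
	Login  string // username claim; self-service editable at many IdPs
}

type User struct {
	Login, Email string
	IsAdmin      bool
}

// Constructed store: one admin never linked to an OAuth identity; authLinks is
// the IdP-subject-to-account table that gets filled on first OAuth login.
var users = []*User{{Login: "admin", Email: "admin@example.test", IsAdmin: true}}
var authLinks = map[string]*User{}

// linkAccount resolves an external identity to a local account. With matchLogin
// set it reproduces the order the article describes: no link on auth ID, no
// match on email, so the username becomes the final key and a visitor whose
// Login equals an existing user's Login lands in that account. With matchLogin
// false (the hardened variant) a username collision yields nil, which the
// caller turns into a fresh unprivileged account or a refused login.
func linkAccount(ext ExternalUser, matchLogin bool) *User {
	if u, ok := authLinks[ext.AuthID]; ok {
		return u
	}
	for _, u := range users {
		if u.Email == ext.Email || (matchLogin && u.Login == ext.Login) {
			return u
		}
	}
	return nil
}

func main() {
	// Constructed visitor: unknown AuthID and email, Login claim set to "admin".
	v := ExternalUser{AuthID: "idp-sub-9f3a", Email: "visitor@example.test", Login: "admin"}
	fmt.Println("loose:", linkAccount(v, true) == users[0], "strict:", linkAccount(v, false) == nil)
}
```

The mitigation in the report (every OAuth user already has a linked account) corresponds to `authLinks` being populated for each identity, so the first branch always wins and the username is never consulted.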
Harsh Jaiswal, one of the members of the research team, said he found the bug while auditing Grafana’s source code. Although the finding itself was easy, reaching the relevant code flow took some time.
“Exploitation depends on configuration. It is moderately difficult, I would say.”
Jaiswal said the disclosure experience was positive: Grafana was quick to triage the issue and the overall process was smooth.
The researcher stated that depending on the configuration, the vulnerability could lead to an authentication bypass or privilege escalation.
Grafana has patched the vulnerability, which affects versions 5.3 and later, in releases 9.0.3, 8.4.10 and 8.3.10.
The vulnerability report states that, as a workaround, users may disable OAuth logins on their Grafana instances or ensure that every OAuth user already has a Grafana account linked to their OAuth identity.