Open source analytics platform fixes bug that could lead to authentication bypass, privilege escalation
Malicious actors could take over an administrator account in Grafana due to a vulnerability in its OAuth login function, researchers have warned.
The security flaw, tracked as CVE-2022-31107, could allow an attacker to access another user’s account on the open source analytics platform.
Discovered by a team of researchers from HTTPVoid, the bug, which resides in the platform’s login function, “opens the door for attackers to elevate their privileges through cross-origin attacks against administrators on systems running vulnerable versions of the open source platform”.
An attacker could therefore potentially gain access to an admin account.
OAuth login is an authentication protocol that allows a user to approve one application interacting with another on their behalf without giving away their password, for example by using a Facebook account to log in to another app.
The attack does have prerequisites. To take over the account of another user in a Grafana instance, the attacker must be authorized to log in to that instance via a configured OAuth IdP that provides a login name.
This can occur when:
- The malicious user is authorized to log in to Grafana via OAuth
- The malicious user’s external user ID is not already associated with an account in Grafana
- The malicious user’s email address is not already associated with an account in Grafana
- And the malicious user knows the Grafana username of the target user
“If these conditions are met, the malicious user can set their username in the OAuth provider to that of the target user, then go through the OAuth flow to log in to Grafana,” a vulnerability report reads.
“Due to the way that external and internal user accounts are linked together during login, if the conditions above are all met then the malicious user will be able to log in to the target user’s Grafana account.”
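The linking behaviour the report describes can be modelled as below. This is an added, simplified example and not Grafana's code: the types, the lookup order (external ID, then e-mail, then login name) and the hardened variant that skips the login-name match are assumptions drawn from the conditions listed above, and the sample data is constructed.

```go
package main

import "fmt"

// Simplified model of OAuth account linking; all types and names are hypothetical.
type User struct {
	ID           int
	Login, Email string
	IsAdmin      bool
}

// ExternalInfo is what the IdP asserts; Login is editable by the user at the IdP.
type ExternalInfo struct{ AuthID, Email, Login string }

type Store struct {
	Users []User
	Links map[string]int // external auth ID -> index into Users
}

// Resolve maps an OAuth login to a local account (nil = create a new one); matchLogin models the vulnerable fallback.
func (s *Store) Resolve(ext ExternalInfo, matchLogin bool) *User {
	if i, ok := s.Links[ext.AuthID]; ok { // 1. existing external-ID link
		return &s.Users[i]
	}
	for i := range s.Users { // 2. e-mail already associated with an account
		if ext.Email != "" && s.Users[i].Email == ext.Email {
			return &s.Users[i]
		}
	}
	for i := range s.Users { // 3. login-name match: trusts an unverified claim
		if matchLogin && ext.Login != "" && s.Users[i].Login == ext.Login {
			return &s.Users[i]
		}
	}
	return nil
}

// Demo resolves one constructed OAuth login with and without the login-name fallback.
func Demo() (vulnerable, hardened *User) {
	s := &Store{Users: []User{{1, "admin", "admin@corp.example", true}}, Links: map[string]int{}}
	// New external ID, e-mail unknown to the instance, username set to the target's.
	ext := ExternalInfo{AuthID: "idp|9001", Email: "mallory@idp.example", Login: "admin"}
	return s.Resolve(ext, true), s.Resolve(ext, false)
}

func main() {
	v, h := Demo()
	fmt.Printf("with login fallback: %+v\nwithout login fallback: %v\n", v, h)
}
```

In this model, an OAuth user who already has a local account under their own e-mail address resolves at step 2 and never reaches the login-name match, which is why the report's second workaround closes the gap.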
Speaking to The Daily Swig, Harsh Jaiswal, a member of the research team, said: “This was found while auditing source code of Grafana, the finding itself wasn’t hard but reaching to the code flow definitely took some time.
“Exploitation depends on configuration. I’d say it is moderately difficult.”
Jaiswal said that the disclosure process was positive, adding that the Grafana team was “quick in triage and the overall process was smooth”.
“Depending on the configuration, this vulnerability on exploitation could cause an authentication bypass or a privilege escalation,” the researcher warned.
The vulnerability is present in Grafana versions from 5.3 up to, but not including, 9.0.3, 8.5.9, 8.4.10, and 8.3.10. Grafana has patched it in versions 9.0.3, 8.5.9, 8.4.10, and 8.3.10.
“As a workaround, concerned users can disable OAuth login to their Grafana instance, or ensure that all users authorized to log in via OAuth have a corresponding user account in Grafana linked to their email address,” the vulnerability report adds.