This repository has been archived by the owner on Dec 17, 2024. It is now read-only.

Authentication bypass / account takeover due to bad implementation of Azure AD OAuth

Critical
chagrafana published GHSA-gxh2-6vvc-rrgp Jul 6, 2023

Package

gomod Grafana (Go)

Affected versions

<=9.5.3, <=9.4.12, <=9.3.15, <=9.2.19, <=8.5.26

Patched versions

9.5.4, 9.4.13, 9.3.16, 8.5.27

Description

Summary

I’ve found that authentication with Azure AD to Grafana can be used to take over any account due to a flawed Azure AD OAuth implementation. The vulnerability lies in the process Grafana uses to validate and identify Azure AD accounts. It affects all Grafana users in a tenant with Azure AD OAuth configured.

Details

I found that Grafana validates and identifies Azure AD accounts based on the email claim. On Azure AD, the email claim is not unique and can be easily modified; Microsoft explicitly recommends against using it for user identification and validation. This leads to account takeover and authentication bypass when Azure AD OAuth is configured with a multi-tenant app. It also bypasses the “allowed_domains” configuration, which should limit access to users who belong to specific domains.
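As an added illustration (not Grafana’s code), the snippet below contrasts the two ways a token’s claims can be mapped onto a local account: matching on the mutable email claim, and matching on the stable tenant and object ID pair (tid, oid) while also requiring the issuing tenant to be allowlisted, which a multi-tenant app registration otherwise leaves open. All account names, tenant IDs and object IDs are constructed.

```go
package main

import "fmt"

// Subset of Azure AD ID-token claims (standard names; illustrative, not Grafana code).
type Claims struct {
	Email string // "email": user-editable, not unique across tenants
	OID   string // "oid": immutable object ID of the user within its tenant
	TID   string // "tid": ID of the Azure AD tenant that issued the token
}

// Account is a constructed local record; AuthID is the identity it was linked to at creation.
type Account struct{ Login, Email, AuthID string }

// AuthID derives a stable external identity from the (tenant, object ID) pair.
func AuthID(c Claims) string { return c.TID + ":" + c.OID }

// LookupByEmail is the weak mapping: any token carrying the victim's email string matches.
func LookupByEmail(accounts []Account, c Claims) (*Account, error) {
	for i := range accounts {
		if accounts[i].Email == c.Email {
			return &accounts[i], nil
		}
	}
	return nil, fmt.Errorf("no account for email %q", c.Email)
}

// LookupByAuthID matches on tid:oid and requires the issuing tenant to be allowlisted,
// because a multi-tenant app registration accepts tokens from any Azure AD tenant.
func LookupByAuthID(accounts []Account, allowed map[string]bool, c Claims) (*Account, error) {
	if !allowed[c.TID] {
		return nil, fmt.Errorf("tenant %q not allowed", c.TID)
	}
	for i := range accounts {
		if accounts[i].AuthID == AuthID(c) {
			return &accounts[i], nil
		}
	}
	return nil, fmt.Errorf("no account for identity %q", AuthID(c))
}

func main() {
	victim := Claims{Email: "user@victim.example", OID: "oid-victim", TID: "tenant-victim"}
	accounts := []Account{{Login: "user", Email: victim.Email, AuthID: AuthID(victim)}}
	// Attacker's own tenant and object ID, with the Email property edited to the victim's.
	attacker := Claims{Email: victim.Email, OID: "oid-attacker", TID: "tenant-attacker"}
	_, weak := LookupByEmail(accounts, attacker)
	_, strong := LookupByAuthID(accounts, map[string]bool{"tenant-victim": true}, attacker)
	fmt.Println("email match succeeds:", weak == nil, "| tid:oid match succeeds:", strong == nil)
}
```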

PoC

Steps to Reproduce:

Victim:

  1. Set up a Grafana env and follow Grafana’s doc to configure Azure AD OAuth https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-authentication/azuread/
  2. When configuring your app on Azure make sure you create a multi-tenant app.
  3. Add your domain to the allowed_domains configuration in grafana.ini under the [auth.azuread] section.
  4. Log in to Grafana with the victim’s Azure AD account using “Login with Azure AD”.

Attacker:

  1. Set up a free Azure AD tenant to create the malicious user.
  2. In that Azure AD tenant, create a user for the attack.
  3. Once the user is created, edit its Email property in Azure AD to the email address of the victim account.
  4. Log in to Grafana using “Login with Azure AD” with the attacker’s credentials.
  5. Done! You now have full access to the target account.

PoC:

[Video REDACTED]
Victim user: user@REDACTED.onmicrosoft.com
Attacker user: attacker@REDACTED.onmicrosoft.com
On the left is the victim’s browser. The victim is a legitimate Grafana user who signed up using their Microsoft account. On the right is the attacker user.

Attacker user configuration on Azure. See the “Email” property:
[Screen Shot REDACTED]

grafana.ini config in PoC environment:
[auth.azuread]
name = Azure AD
enabled = true
allow_sign_up = true
auto_login = false
client_id = REDACTED
client_secret = REDACTED
scopes = openid email profile
auth_url = https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize
token_url = https://login.microsoftonline.com/organizations/oauth2/v2.0/token
allowed_domains = REDACTED.onmicrosoft.com
allowed_groups =
role_attribute_strict = false
allow_assign_grafana_admin = false
skip_org_role_sync = false
use_pkce = true

Impact

This vulnerability can have drastic consequences for users. If exploited, the attacker gains complete control of the user's account, including access to private customer data and sensitive information. This could result in financial loss, reputational damage, and other serious consequences. All users of Grafana deployments with Azure AD OAuth configured through a multi-tenant Azure app are affected and can be easily compromised.

Severity

Critical


CVSS v3 base metrics

Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: Low

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L

CVE ID

CVE-2023-3128
