Bug 1212641 (CVE-2023-3128)

Summary: VUL-0: CVE-2023-3128: grafana: account takeover possible when using Azure AD OAuth
Product: [Novell Products] SUSE Security Incidents
Reporter: Thomas Leroy <thomas.leroy>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Critical
Priority: P3 - Medium
CC: cloud-bugs, jmoffitt, jzerebecki, marina.latini, monitoring-devel, thomas.leroy, witold.bedyk
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/370242/
Whiteboard: CVSSv3.1:SUSE:CVE-2023-3128:9.4:(AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L)
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Thomas Leroy 2023-06-23 07:19:14 UTC
CVE-2023-3128

Grafana is validating Azure AD accounts based on the email claim. On Azure AD, the profile email field is not unique across Azure AD tenants. This enables Grafana account takeover and authentication bypass when Azure AD OAuth is configured with a multi-tenant AzureAD OAuth application. If exploited, the attacker can gain complete control of the user's account, including access to private customer data and sensitive information. All users in Grafana deployments with Azure AD OAuth configured with a multi-tenant Azure app and which do not have allowed_groups configured are affected and can be compromised.

Upstream fix for 8.5.x:
https://github.com/grafana/grafana/commit/2b60228f42f45fddc0821a78bf2568598a1a40c8#diff-dc899ea32f268c53e94f76ae5ff45a239dde212d815e715fc3804ea4dfe87a75L1261

Upstream fix for 9.4.x:
https://github.com/grafana/grafana/commit/26f009141c5583aa44b2db0d444874bdbccb7dce

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-3128
https://bugzilla.redhat.com/show_bug.cgi?id=2213626
https://www.cve.org/CVERecord?id=CVE-2023-3128
https://grafana.com/security/security-advisories/cve-2023-3128/
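The collision the description above relies on, shown as an added example that is not part of this bug report and not Grafana's own code: two Azure AD tokens from different tenants carry the same email claim, an account lookup keyed on email hands the second token the first user's account, and a lookup keyed on the tenant-scoped identity (the standard tid and oid claims) plus the allowed_groups style allowlist from the advisory rejects it. The Claims, Account and Policy types, the AllowedTenants allowlist and all token values are constructed for the illustration and are not Grafana's data model or its upstream fix.

```go
package main

import (
	"errors"
	"fmt"
)

// Claims is the subset of an Azure AD ID-token payload that matters for this
// issue. Field comments give the standard claim names; values are constructed.
type Claims struct {
	Email    string   // "email": a profile attribute, not unique across tenants
	TenantID string   // "tid": the tenant that issued the token
	ObjectID string   // "oid": the user's object id, stable within its tenant
	Groups   []string // "groups": group object ids, when the token carries them
}

// Account is a simplified local user record (hypothetical, not Grafana's model).
type Account struct {
	Login string
	Owner string // identity the account was created for, as "tid|oid"
}

// Policy holds admin-side allowlists. An empty list means "no restriction",
// matching the advisory's point that an unset allowed_groups leaves every
// multi-tenant deployment exposed. AllowedTenants is an assumed extra control.
type Policy struct {
	AllowedTenants []string
	AllowedGroups  []string
}

// IdentityKey is the tenant-scoped identifier a hardened mapping should use.
func IdentityKey(c Claims) string {
	return c.TenantID + "|" + c.ObjectID
}

// LookupByEmail reproduces the weak behaviour from the description: the
// account is selected by the email claim alone, so a token from any tenant
// that carries the same email resolves to the same local account.
func LookupByEmail(byEmail map[string]Account, c Claims) (Account, error) {
	acc, ok := byEmail[c.Email]
	if !ok {
		return Account{}, errors.New("unknown email")
	}
	return acc, nil
}

func contains(list []string, v string) bool {
	for _, x := range list {
		if x == v {
			return true
		}
	}
	return false
}

// Authorize applies the tenant and group allowlists before any account lookup.
func Authorize(p Policy, c Claims) error {
	if len(p.AllowedTenants) > 0 && !contains(p.AllowedTenants, c.TenantID) {
		return fmt.Errorf("tenant %q not allowed", c.TenantID)
	}
	if len(p.AllowedGroups) > 0 {
		for _, g := range c.Groups {
			if contains(p.AllowedGroups, g) {
				return nil
			}
		}
		return errors.New("user is not in an allowed group")
	}
	return nil
}

// HardenedLookup keys the account on tenant id + object id, so an identical
// email issued by a different tenant can never collide with an existing user.
func HardenedLookup(byIdentity map[string]Account, p Policy, c Claims) (Account, error) {
	if err := Authorize(p, c); err != nil {
		return Account{}, err
	}
	acc, ok := byIdentity[IdentityKey(c)]
	if !ok {
		return Account{}, errors.New("unknown identity")
	}
	return acc, nil
}

// Demo builds two constructed tokens with the same email from different tenants
// and reports whether each lookup strategy maps the second token onto the
// first user's account.
func Demo() (weakCollides bool, hardenedCollides bool) {
	victim := Claims{Email: "alice@example.com", TenantID: "tenant-A", ObjectID: "oid-1111", Groups: []string{"grp-admins"}}
	other := Claims{Email: "alice@example.com", TenantID: "tenant-B", ObjectID: "oid-2222"}
	acc := Account{Login: "alice", Owner: IdentityKey(victim)}

	byEmail := map[string]Account{victim.Email: acc}
	byIdentity := map[string]Account{IdentityKey(victim): acc}
	policy := Policy{AllowedTenants: []string{"tenant-A"}, AllowedGroups: []string{"grp-admins"}}

	if got, err := LookupByEmail(byEmail, other); err == nil && got.Login == acc.Login {
		weakCollides = true
	}
	if got, err := HardenedLookup(byIdentity, policy, other); err == nil && got.Login == acc.Login {
		hardenedCollides = true
	}
	return weakCollides, hardenedCollides
}

func main() {
	weak, hardened := Demo()
	fmt.Printf("email-keyed lookup collides: %v\nhardened lookup collides: %v\n", weak, hardened)
}
```

The point of the two maps is that the email claim is a profile attribute while tid plus oid is the identity the issuer actually asserts; restricting tenants or groups is a policy layer on top, which is why the advisory's allowed_groups mitigation closes the hole even on unpatched versions.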
Comment 1 Thomas Leroy 2023-06-23 07:38:40 UTC
Grafana advisory [0] states 6.7.0 as the first vulnerable version, so in theory all of our maintained codestreams are affected:

- SUSE:SLE-12-SP3:Update:Products:Cloud8:Update
- SUSE:SLE-12-SP4:Update:Products:Cloud9:Update
- SUSE:SLE-12:Update
- SUSE:SLE-12:Update:Products:ManagerToolsBeta:Update
- SUSE:SLE-15-SP2:Update
- SUSE:SLE-15:Update
- SUSE:SLE-15:Update:Products:ManagerToolsBeta:Update

But I don't know which of them enables Azure Active Directory. Maintainers, could you please clarify this?

[0] https://grafana.com/blog/2023/06/22/grafana-security-release-for-cve-2023-3128/
Comment 2 Witek Bedyk 2023-06-23 08:08:01 UTC
Azure AD OAuth authentication can be enabled in Grafana configuration. Supported since Grafana 6.7.0.
Comment 3 Thomas Leroy 2023-06-23 10:14:19 UTC
(In reply to Witek Bedyk from comment #2)
> Azure AD OAuth authentication can be enabled in Grafana configuration.
> Supported since Grafana 6.7.0.

Thanks Witek. Considering the following affected then:

- SUSE:SLE-12-SP3:Update:Products:Cloud8:Update
- SUSE:SLE-12-SP4:Update:Products:Cloud9:Update
- SUSE:SLE-12:Update
- SUSE:SLE-12:Update:Products:ManagerToolsBeta:Update
- SUSE:SLE-15-SP2:Update
- SUSE:SLE-15:Update
- SUSE:SLE-15:Update:Products:ManagerToolsBeta:Update
Comment 4 Witek Bedyk 2023-06-23 12:15:15 UTC
Prepared SR in SLE development project with upgrade to version 9.5.5:

https://build.opensuse.org/request/show/1094876
Comment 5 Jan Zerebecki 2023-06-23 13:32:20 UTC
For the Cloud versions the configuration control does not support enabling Oauth, so we consider this CVE not applicable.

What the config would need to look like is documented at https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-authentication/azuread/#enable-azure-ad-oauth-in-grafana .
In Crowbar that configuration setting is not a variable, so is not user configurable: https://github.com/crowbar/crowbar-openstack/blob/26948f746e32eb7ea83f8d2c8d99b68e403cc5fa/chef/cookbooks/horizon/templates/default/grafana.ini.erb#L242
For Ardana I only found references in devstack that also doesn't allow enabling it. But Jeremy will add another comment to confirm.
Comment 6 Jeremy Moffitt 2023-06-23 14:40:52 UTC
For SOC CLM, Grafana is not deployed or documented in any way. The graphing solution for Ardana/CLM is/was the OpsConsole.

SOC9 CLM does include the grafana packages in the project, but they are not installed or deployed as part of the product. I believe this was done to make the sources between Ardana and Crowbar as uniform as possible. The result is that the packages are "on the ISO" as it were, but the user would have to go out of their way to manually install and configure them to use them.
Comment 7 Witek Bedyk 2023-06-26 09:58:59 UTC
Grafana 9.5.5 submitted into SUMA projects.
Comment 8 Thomas Leroy 2023-06-28 13:18:14 UTC
Thanks everyone for the update. Does anyone know who maintains the SLE codestreams (that are affected as well):
SUSE:SLE-12:Update
9.5.1-1.48.1

Affected
- SUSE:SLE-12:Update
- SUSE:SLE-15-SP2:Update
- SUSE:SLE-15:Update
Comment 9 Marina Latini 2023-06-28 14:07:03 UTC
(In reply to Thomas Leroy from comment #8)
> Thanks everyone for the update. Does anyone know who maintains the SLE
> codestreams (that are affected as well):
> SUSE:SLE-12:Update
> 9.5.1-1.48.1
> 
> Affected
> - SUSE:SLE-12:Update
> - SUSE:SLE-15-SP2:Update
> - SUSE:SLE-15:Update

Hello Thomas,
the other affected codestreams are also maintained by SUMA.
https://smelt.suse.de/maintained/?q=grafana&with_debug=1

Let me give you more details:
- SUSE:SLE-12:Update is used for the SLE12 client tools (channel SLE-Manager-Tools_12)
- SUSE:SLE-15:Update is used for the SLE15 client tools (channel SLE-Manager-Tools_15)
- SUSE:SLE-15-SP2:Update is also covered by us because we are delivering from there to openSUSE-SLE_15.4/openSUSE-SLE_15.5 that for us is relevant for Uyuni (our upstream).

The fix delivered by Witek and listed on comment 4 will be part of SUSE Manager 4.3.7 and from there we will deliver the updates to the mentioned codestreams.

@Thomas: our release date is August 1st, is this acceptable for this CVE?
Comment 10 Thomas Leroy 2023-06-28 14:12:41 UTC
(In reply to Marina Latini from comment #9)
> (In reply to Thomas Leroy from comment #8)
> > Thanks everyone for the update. Does anyone know who maintains the SLE
> > codestreams (that are affected as well):
> > SUSE:SLE-12:Update
> > 9.5.1-1.48.1
> > 
> > Affected
> > - SUSE:SLE-12:Update
> > - SUSE:SLE-15-SP2:Update
> > - SUSE:SLE-15:Update
> 
> Hello Thomas,
> the other affected codestreams are also maintained by SUMA.
> https://smelt.suse.de/maintained/?q=grafana&with_debug=1
> 
> Let me give you more details:
> - SUSE:SLE-12:Update is used for the SLE12 client tools (channel
> SLE-Manager-Tools_12)
> - SUSE:SLE-15:Update is  used for the SLE15 client tools (channel
> SLE-Manager-Tools_15)
> - SUSE:SLE-15-SP2:Update is also covered by us because we are delivering
> from there to openSUSE-SLE_15.4/openSUSE-SLE_15.5 that for us is relevant
> for Uyuni (our upstream).
> 
> The fix delivered by Witek and listed on comment 4 will be part of SUSE
> Manager  4.3.7 and from there we will deliver the updates to the mentioned
> codestreams.
> 
> @Thomas: our release date is August 1st, is this acceptable for this CVE?

Thanks for the clarification Marina. Since this is a critical CVE, August 1st is very late... I would need to discuss this with the team. If Azure AD oauth is not common, we could wait, but otherwise that seems difficult...
Comment 11 Marina Latini 2023-06-28 15:11:12 UTC
(In reply to Thomas Leroy from comment #10)
> 
> Thanks for the clarification Marina. Since this is a critical CVE, August
> 1st is very late... I would need to discuss this with the team. If Azure AD
> oauth is not common, we could wait, but otherwise that seems difficult...

Which should be the delivery time? 30 days?
Comment 12 Marina Latini 2023-06-28 16:00:18 UTC
(In reply to Marina Latini from comment #11)
> (In reply to Thomas Leroy from comment #10)
> > 
> > Thanks for the clarification Marina. Since this is a critical CVE, August
> > 1st is very late... I would need to discuss this with the team. If Azure AD
> > oauth is not common, we could wait, but otherwise that seems difficult...
> 
> Which should be the delivery time? 30 days?

Just for the record... checked with Stoyan and we agreed to deliver this fix independently from SUMA 4.3.7, with a scheduled release day set on Friday, July 21st.
Comment 15 Thomas Leroy 2023-06-29 06:27:15 UTC
(In reply to Marina Latini from comment #12)
> (In reply to Marina Latini from comment #11)
> > (In reply to Thomas Leroy from comment #10)
> > > 
> > > Thanks for the clarification Marina. Since this is a critical CVE, August
> > > 1st is very late... I would need to discuss this with the team. If Azure AD
> > > oauth is not common, we could wait, but otherwise that seems difficult...
> > 
> > Which should be the delivery time? 30 days?
> 
> just for the records... checked with Stoyan and we agreed to deliver this
> fix independently from SUMA 4.3.7. and with a scheduled release day set on
> Friday, July 21st

Many thanks for your cooperation Marina!
Comment 16 Maintenance Automation 2023-07-20 12:30:18 UTC
SUSE-SU-2023:2917-1: An update that solves three vulnerabilities and contains two features can now be installed.

Category: security (critical)
Bug References: 1212099, 1212100, 1212641
CVE References: CVE-2023-2183, CVE-2023-2801, CVE-2023-3128
Jira References: MSQA-687, PED-3694
Sources used:
openSUSE Leap 15.4 (src): grafana-9.5.5-150200.3.44.1
openSUSE Leap 15.5 (src): grafana-9.5.5-150200.3.44.1
SUSE Package Hub 15 15-SP4 (src): grafana-9.5.5-150200.3.44.1
SUSE Package Hub 15 15-SP5 (src): grafana-9.5.5-150200.3.44.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 17 Maintenance Automation 2023-07-20 12:30:21 UTC
SUSE-SU-2023:2916-1: An update that solves three vulnerabilities and contains two features can now be installed.

Category: security (critical)
Bug References: 1212099, 1212100, 1212641
CVE References: CVE-2023-2183, CVE-2023-2801, CVE-2023-3128
Jira References: MSQA-687, PED-3694
Sources used:
SUSE Manager Client Tools for SLE 12 (src): grafana-9.5.5-1.51.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 18 Maintenance Automation 2023-07-20 12:30:24 UTC
SUSE-SU-2023:2915-1: An update that solves three vulnerabilities and contains two features can now be installed.

Category: security (critical)
Bug References: 1212099, 1212100, 1212641
CVE References: CVE-2023-2183, CVE-2023-2801, CVE-2023-3128
Jira References: MSQA-687, PED-3694
Sources used:
SUSE Manager Client Tools for SLE 15 (src): grafana-9.5.5-150000.1.51.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 19 Witek Bedyk 2023-08-17 14:40:09 UTC
All done on our side. Current version used:

* SLE 15: 9.5.5
* SLE 12: 9.5.5
Comment 21 Maintenance Automation 2024-01-23 20:30:20 UTC
SUSE-SU-2024:0196-1: An update that solves 44 vulnerabilities, contains 14 features and has 35 security fixes can now be installed.

Category: security (moderate)
Bug References: 1172110, 1176460, 1180816, 1180942, 1181119, 1181935, 1183684, 1187725, 1188061, 1188571, 1189520, 1191454, 1192154, 1192383, 1192696, 1192763, 1193492, 1193686, 1193688, 1197507, 1198903, 1199810, 1200142, 1200480, 1200591, 1200968, 1200970, 1201003, 1201059, 1201535, 1201539, 1202614, 1202945, 1203283, 1203596, 1203597, 1203599, 1204032, 1204126, 1204302, 1204303, 1204304, 1204305, 1204501, 1205207, 1205225, 1205227, 1205599, 1205759, 1207352, 1207749, 1207750, 1207830, 1208046, 1208049, 1208060, 1208062, 1208065, 1208270, 1208293, 1208298, 1208612, 1208692, 1208719, 1208819, 1208821, 1208965, 1209113, 1209645, 1210458, 1210640, 1210907, 1211525, 1212099, 1212100, 1212279, 1212641, 1218843, 1218844
CVE References: CVE-2020-7753, CVE-2021-20178, CVE-2021-20180, CVE-2021-20191, CVE-2021-20228, CVE-2021-3447, CVE-2021-3583, CVE-2021-3620, CVE-2021-36222, CVE-2021-3711, CVE-2021-3807, CVE-2021-3918, CVE-2021-41174, CVE-2021-41244, CVE-2021-43138, CVE-2021-43798, CVE-2021-43813, CVE-2021-43815, CVE-2022-0155, CVE-2022-23552, CVE-2022-27664, CVE-2022-29170, CVE-2022-31097, CVE-2022-31107, CVE-2022-31123, CVE-2022-31130, CVE-2022-32149, CVE-2022-35957, CVE-2022-36062, CVE-2022-39201, CVE-2022-39229, CVE-2022-39306, CVE-2022-39307, CVE-2022-39324, CVE-2022-41715, CVE-2022-41723, CVE-2022-46146, CVE-2023-0507, CVE-2023-0594, CVE-2023-1387, CVE-2023-1410, CVE-2023-2183, CVE-2023-2801, CVE-2023-3128
Jira References: MSQA-718, PED-2145, PED-2617, PED-3576, PED-3694, PED-4556, PED-5405, PED-5406, SLE-23422, SLE-23439, SLE-23631, SLE-24133, SLE-24565, SLE-24791
Sources used:
SUSE Manager Client Tools Beta for SLE Micro 5 (src): golang-github-QubitProducts-exporter_exporter-0.4.0-159000.4.6.1, prometheus-blackbox_exporter-0.24.0-159000.3.6.1, uyuni-proxy-systemd-services-5.0.1-159000.3.9.1, dracut-saltboot-0.1.1681904360.84ef141-159000.3.30.1
SUSE Manager Client Tools Beta for SLE 15 (src): python-pyvmomi-6.7.3-159000.3.6.1, golang-github-QubitProducts-exporter_exporter-0.4.0-159000.4.6.1, supportutils-plugin-salt-1.2.2-159000.5.9.1, uyuni-proxy-systemd-services-5.0.1-159000.3.9.1, mgr-push-5.0.1-159000.4.21.1, golang-github-lusitaniae-apache_exporter-1.0.0-159000.4.12.1, rhnlib-5.0.1-159000.6.30.1, golang-github-prometheus-prometheus-2.45.0-159000.6.33.1, spacewalk-client-tools-5.0.1-159000.6.48.1, uyuni-common-libs-5.0.1-159000.3.33.1, dracut-saltboot-0.1.1681904360.84ef141-159000.3.30.1, golang-github-boynux-squid_exporter-1.6-159000.4.9.1, ansible-2.9.27-159000.3.9.1, prometheus-postgres_exporter-0.10.1-159000.3.6.1, grafana-9.5.8-159000.4.24.1, spacecmd-5.0.1-159000.6.42.1, python-hwdata-2.3.5-159000.5.13.1, prometheus-blackbox_exporter-0.24.0-159000.3.6.1, supportutils-plugin-susemanager-client-5.0.1-159000.6.15.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 22 Maintenance Automation 2024-01-23 20:30:50 UTC
SUSE-SU-2024:0191-1: An update that solves 45 vulnerabilities, contains 17 features and has 30 security fixes can now be installed.

Category: security (moderate)
Bug References: 1047218, 1172110, 1188571, 1189520, 1191454, 1192154, 1192383, 1192696, 1192763, 1193492, 1193686, 1193688, 1194873, 1195726, 1195727, 1195728, 1196338, 1196652, 1197507, 1198903, 1199810, 1200480, 1200591, 1200725, 1201003, 1201059, 1201535, 1201539, 1203283, 1203596, 1203597, 1203599, 1204032, 1204089, 1204126, 1204302, 1204303, 1204304, 1204305, 1204501, 1205207, 1205225, 1205227, 1205759, 1207352, 1207749, 1207750, 1207830, 1208046, 1208049, 1208051, 1208060, 1208062, 1208064, 1208065, 1208270, 1208293, 1208298, 1208612, 1208692, 1208719, 1208819, 1208821, 1208965, 1209113, 1209645, 1210458, 1210907, 1211525, 1212099, 1212100, 1212279, 1212641, 1218843, 1218844
CVE References: CVE-2020-7753, CVE-2021-36222, CVE-2021-3711, CVE-2021-3807, CVE-2021-3918, CVE-2021-39226, CVE-2021-41174, CVE-2021-41244, CVE-2021-43138, CVE-2021-43798, CVE-2021-43813, CVE-2021-43815, CVE-2022-0155, CVE-2022-21673, CVE-2022-21698, CVE-2022-21702, CVE-2022-21703, CVE-2022-21713, CVE-2022-23552, CVE-2022-27191, CVE-2022-27664, CVE-2022-29170, CVE-2022-31097, CVE-2022-31107, CVE-2022-31123, CVE-2022-31130, CVE-2022-32149, CVE-2022-35957, CVE-2022-36062, CVE-2022-39201, CVE-2022-39229, CVE-2022-39306, CVE-2022-39307, CVE-2022-39324, CVE-2022-41715, CVE-2022-41723, CVE-2022-46146, CVE-2023-0507, CVE-2023-0594, CVE-2023-1387, CVE-2023-1410, CVE-2023-2183, CVE-2023-2801, CVE-2023-3128, CVE-2023-40577
Jira References: MSQA-718, PED-2145, PED-2617, PED-3576, PED-3578, PED-3694, PED-4556, PED-5405, PED-5406, PED-7353, SLE-23422, SLE-23439, SLE-24238, SLE-24239, SLE-24565, SLE-24791, SUMA-114
Sources used:
SUSE Manager Client Tools Beta for SLE 12 (src): rhnlib-5.0.1-24.30.3, spacecmd-5.0.1-41.42.3, grafana-9.5.8-4.21.2, prometheus-postgres_exporter-0.10.1-3.6.4, golang-github-prometheus-node_exporter-1.5.0-4.15.4, golang-github-QubitProducts-exporter_exporter-0.4.0-4.6.2, system-user-grafana-1.0.0-3.7.2, kiwi-desc-saltboot-0.1.1687520761.cefb248-4.15.2, golang-github-prometheus-prometheus-2.45.0-4.33.3, supportutils-plugin-susemanager-client-5.0.1-9.15.2, uyuni-common-libs-5.0.1-3.33.3, prometheus-blackbox_exporter-0.24.0-3.6.3, golang-github-lusitaniae-apache_exporter-1.0.0-4.12.4, golang-github-prometheus-alertmanager-0.26.0-4.12.4, system-user-prometheus-1.0.0-3.7.2, python-hwdata-2.3.5-15.12.2, golang-github-boynux-squid_exporter-1.6-4.9.2, supportutils-plugin-salt-1.2.2-9.9.2, golang-github-prometheus-promu-0.14.0-4.12.2, mgr-push-5.0.1-4.21.4

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 23 Andrea Mattiazzo 2024-06-07 12:13:01 UTC
All done, closing.