Summary
I’ve found that authentication with Azure AD to Grafana can be used to take over any account due to a bad Azure OAuth implementation. The vulnerability exists in your Azure AD account user validation and identification process. This vulnerability affects all Grafana users in a tenant with Azure AD OAuth configured.
Details
I found that Grafana is validating Azure AD accounts based on the email claim. On Azure AD, the email claim is not unique and can be easily modified. Microsoft explicitly recommends against using it for user identification and validation purposes. This leads to account takeover and authentication bypass when Azure AD OAuth is configured with a multi-tenant app. It also bypasses the “allowed_domains” configuration, which should limit access to users who belong to specific domains.
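The following is an added illustration (not Grafana’s code, and not part of the original report) of why matching an Azure AD login on the email claim is unsafe, compared with matching on the token’s tenant id (“tid”) and object id (“oid”) claims, which Microsoft documents as the stable identifier pair. All tenant ids, object ids and claim sets below are constructed placeholders; the allowed-tenant set is an assumed extra control that the email-based path lacks.

```python
# Constructed placeholders modelled on the report's redacted PoC users.
VICTIM_TENANT = "tenant-id-victim-PLACEHOLDER"
ATTACKER_TENANT = "tenant-id-attacker-PLACEHOLDER"

ALLOWED_DOMAINS = {"redacted.onmicrosoft.com"}  # mirrors allowed_domains in grafana.ini
ALLOWED_TENANTS = {VICTIM_TENANT}                 # assumed tenant allowlist (not in the report)

# One existing Grafana account, as stored after the victim's first login.
ACCOUNTS = [
    {"login": "user", "email": "user@REDACTED.onmicrosoft.com",
     "tid": VICTIM_TENANT, "oid": "oid-victim-PLACEHOLDER"},
]

# Constructed ID-token claim sets, assumed to have already passed signature and
# issuer checks. The attacker's token is genuine (issued by the attacker's own
# tenant); only the user-editable email claim was set to the victim's address.
VICTIM_CLAIMS = {"tid": VICTIM_TENANT, "oid": "oid-victim-PLACEHOLDER",
                 "email": "user@REDACTED.onmicrosoft.com"}
ATTACKER_CLAIMS = {"tid": ATTACKER_TENANT, "oid": "oid-attacker-PLACEHOLDER",
                   "email": "user@REDACTED.onmicrosoft.com"}


def email_domain(email):
    """Return the lower-cased domain part of an address ('' if there is none)."""
    return email.rsplit("@", 1)[-1].lower() if "@" in email else ""


def lookup_by_email(claims):
    """Weak path: the editable email claim decides both the domain check and identity."""
    email = claims.get("email", "")
    if email_domain(email) not in ALLOWED_DOMAINS:
        return None
    return next((a for a in ACCOUNTS if a["email"].lower() == email.lower()), None)


def lookup_by_tid_oid(claims):
    """Hardened path: pin the issuing tenant, then match on the immutable oid."""
    tid, oid = claims.get("tid"), claims.get("oid")
    if tid not in ALLOWED_TENANTS or not oid:
        return None
    # The domain check stays as policy, but it no longer decides who the user is.
    if email_domain(claims.get("email", "")) not in ALLOWED_DOMAINS:
        return None
    return next((a for a in ACCOUNTS if a["tid"] == tid and a["oid"] == oid), None)
```

With these inputs the weak path maps the attacker’s token to the victim’s account, while the hardened path rejects it and still accepts the victim’s own token.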
PoC
Steps to Reproduce:
Victim:
- Set up a Grafana env and follow Grafana’s doc to configure Azure AD OAuth https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-authentication/azuread/
- When configuring your app on Azure make sure you create a multi-tenant app.
- Add your domain to the allowed_domains configuration in the grafana.ini under the [auth.azuread] section
- Sign in with the victim’s Azure AD account to Grafana using the “Sign in with Azure AD” button
Attacker:
- Set up a free Azure AD tenant to create the malicious user
- In that Azure AD tenant, create a user for the attack
- Once you’ve created the user, on Azure AD, edit the Email property to the email address of the victim account
- Sign in to Grafana with the “Sign in with Azure AD” button using the attacker’s credentials
- Done! You now have full access to the target account
PoC:
[Video REDACTED]
Victim user: user@REDACTED.onmicrosoft.com
Attacker user: attacker@REDACTED.onmicrosoft.com
On the left is the victim’s browser. The victim is a legitimate Grafana user who signed up using their Microsoft account. On the right is the attacker user.
Attacker user configuration on Azure. See the “Email” property:
[Screen Shot REDACTED]
grafana.ini config in PoC environment:
[auth.azuread]
name = Azure AD
enabled = true
allow_sign_up = true
auto_login = false
client_id = REDACTED
client_secret = REDACTED
scopes = openid email profile
auth_url = https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize
token_url = https://login.microsoftonline.com/organizations/oauth2/v2.0/token
allowed_domains = REDACTED.onmicrosoft.com
allowed_groups =
role_attribute_strict = false
allow_assign_grafana_admin = false
skip_org_role_sync = false
use_pkce = true
Impact
This vulnerability can have drastic consequences for users. If exploited, the attacker can gain complete control of the user's account, including access to private customer data and sensitive information. This could result in financial loss, reputational damage, and other serious consequences. All users in Grafana deployments with Azure AD OAuth configured with a multi-tenant Azure app are affected and can be easily compromised.