
====================================================================

                             CERT-Renater

                 Note d'Information No. 2021/VULN171
_____________________________________________________________________

DATE                : 23/03/2021

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Grafana versions prior to 6.7.6,
                                     7.3.10, 7.4.5.

=====================================================================
https://grafana.com/blog/2021/03/18/grafana-6.7.6-7.3.10-and-7.4.5-released-with-important-security-fixes-for-grafana-enterprise/
_____________________________________________________________________

Grafana 6.7.6, 7.3.10, and 7.4.5 released with important security fixes
for Grafana Enterprise

Published: 18 Mar 2021


We released Grafana 6.7.6, 7.3.10, and 7.4.5 today. These patch releases
include important security fixes for all Grafana Enterprise versions
from 6.1.0-beta1 through 7.4.4. Grafana OSS is not affected, as it does
not use the features affected by the vulnerabilities; for Grafana OSS,
these are janitorial releases that only keep version information in sync.


Release 7.4.5, only containing a security fix:

    Download Grafana Enterprise 7.4.5
    Release notes


Release 7.3.10, only containing a security fix:

    Download Grafana Enterprise 7.3.10
    Release notes


Release 6.7.6, only containing a security fix:

    Download Grafana Enterprise 6.7.6
    Release notes


Remote escalation of privileges vulnerability (CVE-2021-27962)

On February 26, during an internal security audit, we discovered that
Grafana Enterprise 7.2.0 introduced a mechanism that allows users with
the Editor role to bypass data source permissions on an organization’s
default data source, if configured.

This security issue allows any user with the Editor organizational role
in Grafana, and no access to the default data source, to manipulate a
dashboard with alerts and expose data from that restricted data source
to any notification channel. Note that in order to exploit this, you
would need to have alerting enabled and to have assigned the Editor
organizational role to users.


Affected versions with high severity

Grafana Enterprise 7.2.0 to 7.4.3


Solutions and mitigations

All installations between 7.2.0 and 7.4.3 should be upgraded as soon as
possible. There is no good way to mitigate the vulnerability. If you
cannot upgrade, you should make sure that the default data source in each
organization is safe for any member of the organization to query.


Remote access control bypass vulnerabilities (CVE-2021-28146,
CVE-2021-28147)

On March 10, during an internal security audit, we discovered that on
Grafana Enterprise instances using an external authentication service,
Grafana Enterprise 7.4.0 introduced a mechanism that allows any
authenticated user to use an HTTP API to add external groups to any
existing team. Once a user from this external group logs in, the user is
granted all permissions that the team has on dashboards and data
sources. This vulnerability also allows any unauthenticated user/client
that knows a team ID to list existing external groups related to that
team. We have reserved CVE-2021-28146 for this issue.

As we continued an internal audit, on March 11, we discovered that
Grafana Enterprise 6.1.0 introduced the same vulnerability as above, but
only for Grafana instances that have the editorsCanAdmin feature
enabled. We have reserved CVE-2021-28147 for this issue.

The vulnerabilities allow a user to grant themselves, or others, team
permissions that they are not authorized to have.

Note that these vulnerabilities can only be triggered if you have
defined at least one team with special permissions in Grafana, even if
that team is unused.


Affected versions with high severity

Grafana Enterprise 7.4.0-beta1 to 7.4.4 are affected by the
CVE-2021-28146 vulnerability.

Grafana Enterprise 6.1.0-beta1 to 7.4.4 are affected by the
CVE-2021-28147 vulnerability.


Solutions and mitigations

All installations between 6.1.0-beta1 and 7.4.4 should be upgraded as
soon as possible. There is no good way to mitigate the vulnerability. If
you cannot upgrade and are on a version before 7.4.0, you should
consider disabling the editorsCanAdmin feature; if you are on 7.4.x, you
should consider temporarily not using teams in Grafana.


Remote unauthenticated denial of service vulnerability (CVE-2021-28148)

On March 11, during an internal security audit, we discovered that
Grafana Enterprise 6.6.0 introduced a new HTTP API endpoint for usage
insights, which lets any unauthenticated user send an unlimited number
of requests to the endpoint. This allows for denial of service (DoS)
attacks against Grafana Enterprise instances.


Affected versions with high severity

Grafana Enterprise 6.6.0-beta1 to 7.4.4


Solutions and mitigations

All installations between 6.6.0-beta1 and 7.4.4 should be upgraded as
soon as possible. There is no good way to mitigate the vulnerability.
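To turn the affected-version ranges of the three sections above into a repeatable check, here is an added example (not code from the Grafana post or from CERT-Renater) that classifies a Grafana Enterprise version against the four CVEs. It handles pre-release tags such as 7.4.0-beta1 and the fact that the patched 7.3.10 sits numerically inside the 7.2.0 to 7.4.3 range; the editorsCanAdmin condition is taken from the advisory, and the function names are my own.

```python
import re
from typing import List, Tuple

# Affected ranges as stated in the advisory (inclusive at both ends). The
# editorsCanAdmin condition on CVE-2021-28147 is also from the advisory text.
AFFECTED = {
    "CVE-2021-27962": ("7.2.0", "7.4.3"),
    "CVE-2021-28146": ("7.4.0-beta1", "7.4.4"),
    "CVE-2021-28147": ("6.1.0-beta1", "7.4.4"),
    "CVE-2021-28148": ("6.6.0-beta1", "7.4.4"),
}
# Patched releases per maintenance branch. A version at or above the fixed
# release of its own branch is patched even though it sits numerically inside
# an affected range (e.g. 7.3.10 lies between 7.2.0 and 7.4.3).
FIXED = ("6.7.6", "7.3.10", "7.4.5")

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-([A-Za-z]+)(\d*))?$")

def parse_version(v: str) -> Tuple[int, int, int, int, str, int]:
    """Parse '7.4.0-beta1' into a sortable tuple; pre-releases sort before finals."""
    m = _VERSION_RE.match(v.strip())
    if not m:
        raise ValueError(f"unrecognised Grafana version: {v!r}")
    major, minor, patch, tag, num = m.groups()
    rank = 0 if tag else 1  # 7.4.0-beta1 < 7.4.0
    return (int(major), int(minor), int(patch), rank, (tag or "").lower(), int(num or 0))

def is_patched(version: str) -> bool:
    """True if the version is on a branch that received the fix and is at/above it."""
    pv = parse_version(version)
    for fixed in FIXED:
        fv = parse_version(fixed)
        if pv[:2] == fv[:2] and pv >= fv:
            return True
    return False

def affected_cves(version: str, enterprise: bool = True,
                  editors_can_admin: bool = False) -> List[str]:
    """Return the CVEs from this advisory that apply to the given instance."""
    if not enterprise or is_patched(version):  # Grafana OSS is not affected
        return []
    pv = parse_version(version)
    hits = []
    for cve, (low, high) in AFFECTED.items():
        if cve == "CVE-2021-28147" and not editors_can_admin:
            continue
        if parse_version(low) <= pv <= parse_version(high):
            hits.append(cve)
    return hits

if __name__ == "__main__":
    for v in ("7.4.4", "7.3.10", "7.4.0-beta1", "6.5.2"):
        print(v, affected_cves(v, editors_can_admin=True))
```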


Reporting security issues

If you think you have found a security vulnerability, please send a
report to security@grafana.com. This address can be used for all of
Grafana Labs' open source and commercial products (including but not
limited to Grafana, Grafana Cloud, Grafana Enterprise, and grafana.com).
We can accept only vulnerability reports at this address. We would
prefer that you encrypt your message to us, so please use our PGP key.
The key fingerprint is:

F988 7BEA 027A 049F AE8E 5CAA D125 8932 BE24 C5CA

The key is available from keyserver.ubuntu.com.


Security announcements

We maintain a category on the community site called Security
Announcements, where we will post a summary, remediation, and mitigation
details for any patch containing security fixes.

You can also subscribe to email updates to this category if you have a
grafana.com account and sign on to the community site or track updates
via an RSS feed.


Conclusion

If you run a Grafana Enterprise instance between version 6.1.0-beta1 and
7.4.4, please upgrade to Grafana 6.7.6, 7.3.10, or 7.4.5 as soon as
possible.


Affected Grafana Cloud instances have been already upgraded to the
versions with the fixes. Grafana Enterprise customers have been provided
with updated binaries ahead of this disclosure.



=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================
