=====================================================================

                               CERT-Renater

                     Note d'Information No. 2023/VULN404

_____________________________________________________________________

DATE                : 16/10/2023

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S) : Systems running Grafana versions prior to 10.1.5,
                      10.0.9, 9.5.13, 9.4.17.

=====================================================================
https://grafana.com/blog/2023/10/13/grafana-security-release-new-versions-of-grafana-with-a-medium-severity-security-fix-for-cve-2023-4822/
_____________________________________________________________________

Grafana security release: New versions of Grafana with a medium
severity security fix for CVE-2023-4822


Ieva Vasiļjeva
• October 13, 2023

We are releasing Grafana 10.1.5, 10.0.9, 9.5.13, and 9.4.17. These
patch releases contain a fix for CVE-2023-4822, a medium severity
security vulnerability in the role-based access control (RBAC)
system in Grafana Enterprise.

Release 10.1.5, latest release with security patch:

     Download Grafana 10.1.5

Release 10.0.9 with the security patch:

     Download Grafana 10.0.9

Release 9.5.13 with the security patch:

     Download Grafana 9.5.13

Release 9.4.17 with the security patch:

     Download Grafana 9.4.17

Cross-organization permission escalation by an organization
administrator (CVE-2023-4822)


Summary

Vulnerable versions of Grafana are incorrectly assessing permissions
to update cross-organization roles and role assignments. Therefore
users with administrator permissions in one organization can change
cross-organization role permissions and cross-organization role
assignments.

This vulnerability impacts instances with more than one organization
running Grafana Enterprise versions.

No Grafana Cloud instances are impacted because the platform is limited
to a single organization.

The CVSS score for this vulnerability is 6.7 Medium.


Impact

If exploited, an attacker who has the Organization Admin role in any
organization can elevate their permissions across all organizations,
elevate other users’ permissions in all organizations, or limit other
users’ permissions in all organizations.

The vulnerability, however, does not allow the attacker to become a
member of an organization that they are not already a member of, nor
can they add any other user to an organization that the attacker is
not a member of already.


Impacted versions

The vulnerability impacts instances with more than one organization
running Grafana Enterprise versions:

     8.0.0 to 10.0.0 with RBAC enabled
     10.0.0 to 10.1.2
     10.1.4

You can check if role-based access control (RBAC) is enabled by
calling GET /api/access-control/status. If the endpoint is found and
returns "enabled": true, role-based access control is enabled on your
instance.
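An added check script (not from the advisory or from Grafana) that applies the version ranges and the RBAC status test above to one instance. Assumptions: "to" in the ranges is read as inclusive, the environment variable names GRAFANA_URL and GRAFANA_TOKEN are hypothetical, and the running version is read from the standard /api/health endpoint, which the advisory does not mention.

```python
import json
import os
import urllib.request

# Fixed releases named in the advisory; that release and anything newer on
# the same minor line carries the fix.
PATCHED = {(9, 4): (9, 4, 17), (9, 5): (9, 5, 13),
           (10, 0): (10, 0, 9), (10, 1): (10, 1, 5)}

def parse_version(text):
    """'10.1.4' -> (10, 1, 4); drops pre-release/build suffixes like '-beta1'."""
    core = text.split("-")[0].split("+")[0]
    return tuple(int(part) for part in core.split("."))

def rbac_enabled(body):
    """Interpret the body of GET /api/access-control/status. Anything that is
    not a JSON object with "enabled": true (404 page, login HTML) -> False."""
    try:
        data = json.loads(body)
    except ValueError:
        return False
    return isinstance(data, dict) and data.get("enabled") is True

def is_impacted(version, rbac_on):
    """Apply the advisory's ranges ('to' taken as inclusive)."""
    v = parse_version(version)
    fixed = PATCHED.get(v[:2])
    if fixed is not None and v >= fixed:
        return False                     # patched release or later on that line
    if (8, 0, 0) <= v < (10, 0, 0):
        return rbac_on                   # 8.0.0 to 10.0.0: only with RBAC enabled
    if (10, 0, 0) <= v <= (10, 1, 2) or v == (10, 1, 4):
        return True                      # impacted regardless of the RBAC flag
    return False

def fetch(url, token):
    """GET a Grafana endpoint with a service-account token; '' on any error."""
    req = urllib.request.Request(url, headers={"Authorization": "Bearer " + token})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.read().decode()
    except Exception:
        return ""

if __name__ == "__main__":
    # Hypothetical variable names; /api/health reports the running version.
    base = os.environ["GRAFANA_URL"].rstrip("/")
    token = os.environ.get("GRAFANA_TOKEN", "")
    version = json.loads(fetch(base + "/api/health", token) or "{}").get("version", "0.0.0")
    rbac = rbac_enabled(fetch(base + "/api/access-control/status", token))
    print(version, "rbac" if rbac else "no-rbac", "IMPACTED" if is_impacted(version, rbac) else "not impacted")
```

The status endpoint requires an authenticated caller, so the token should belong to an account that can read access-control status; instances with a single organization are out of scope regardless of the result.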


Solutions and mitigations

If your instance is vulnerable, we strongly recommend upgrading to
one of the patched versions as soon as possible.

If you cannot upgrade now, you should limit the Organization
Administrator privileges only to trusted users who will not abuse
this vulnerability.


Timeline and post-incident review

Here is a detailed timeline starting from when we originally
introduced the issue. All times in UTC.

     2021-01-06 08:45 UTC - The faulty permission evaluation logic
is introduced in Grafana.
     2023-08-18 10:42 UTC - A bug that prevents editing basic role
assignments is introduced.
     2023-09-06 17:53 UTC - It is brought to our attention that
users are not able to edit the basic roles.
     2023-09-07 10:15 UTC - We investigate the issue with updating
basic roles and discover the security vulnerability in the related
code.
     2023-09-07 10:33 UTC - An incident is opened and announced.
     2023-09-07 15:53 UTC - CVE is requested / GitHub advisory is
created.
     2023-09-08 11:47 UTC - We explore the attack surface and make
sure there are no related exploitable vulnerabilities.
     2023-09-12 14:45 UTC - Fix for the vulnerability is merged.
     2023-09-13 06:52 UTC - Backports for the supported versions
are created and merged.
     2023-09-19 20:22 UTC - Private release.
     2023-10-12 11:27 UTC - Public release.
     2023-10-13 14:00 UTC - Blog published.


Reporting security issues

If you think you have found a security vulnerability, please go
to our Report a security issue page to learn how to send a
security report.

Grafana Labs will send you a response indicating the next steps in
handling your report. After the initial reply to your report, the
security team will keep you informed of the progress towards a fix
and full announcement, and may ask for additional information or
guidance.

Important: We ask you to not disclose the vulnerability before it
has been fixed and announced, unless you received a response from
the Grafana Labs security team that you can do so.


Security announcements

We maintain a security category on our blog, where we will always
post a summary, remediation, and mitigation details for any patch
containing security fixes. You can also subscribe to our RSS feed.


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================
