Exposing a New BOLA Vulnerability in Grafana

Palo Alto Networks' Unit 42 researchers uncovered and disclosed a new Broken Object Level Authorization (BOLA) vulnerability affecting Grafana versions 9.5.0 before 9.5.18, 10.0.0 before 10.0.13, 10.1.0 before 10.1.9, 10.2.0 before 10.2.6, and 10.3.0 before 10.3.5. Grafana is an established open-source data visualization and monitoring platform with almost 60,000 stars on GitHub that many organizations rely on for operational dashboards. The vulnerability has been assigned CVE-2024-1313 and carries a medium severity. It allows low-privileged Grafana users to delete dashboard snapshots belonging to other organizations using only the snapshot's key, bypassing authorization and compromising the integrity of the system. Exploitation is relatively straightforward: it requires only knowledge of the snapshot key, which is not treated as a secret and appears in the URL path of several snapshot endpoints. Due to a bug in the authorization logic, a deletion request issued by an unprivileged user in a different organization than the snapshot's owner is treated as authorized. While hunting for bugs, the researchers also found an endpoint that allows any Grafana user to create snapshot images, which an attacker could use to launch denial-of-service attacks or to brute-force weak secret keys.

BOLA occurs when an application's server fails to verify that the requesting user is actually permitted to access, modify, or delete the specific data object named in the request. By manipulating the object identifiers in requests, attackers can reach other users' data, leading to confidentiality and integrity issues. Grafana has four predefined basic roles that control user access to resources. This vulnerability allows users holding a basic role with no permissions to delete any snapshot, even in organizations the user is not a member of.
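To make the failure mode concrete, the following Go program is added here as an illustration; it is not Grafana's code, and its types, its role policy and the snapshot key "abc123" are constructed for the example. It contrasts a snapshot-deletion handler that mirrors the bug described above (authorization derived from a related dashboard lookup that silently fails for another organization's snapshot) with one that performs object-level authorization against the snapshot itself:

```go
package main

import (
	"errors"
	"fmt"
)

// Constructed types for this example; they are not Grafana's own code.
type Snapshot struct {
	Key          string
	OrgID        int64
	DashboardUID string
}

type Dashboard struct {
	UID   string
	OrgID int64
}

type User struct {
	Login string
	OrgID int64
	Role  string // basic role; "None" grants no permissions
}

var errNotFound = errors.New("not found")

// Store keeps snapshots in a global map keyed by the shareable snapshot key,
// and dashboards scoped by organization: a snapshot key can be presented from
// any org, while dashboards are per-org objects.
type Store struct {
	snapshots  map[string]*Snapshot
	dashboards map[string]*Dashboard
}

func NewStore() *Store {
	return &Store{snapshots: map[string]*Snapshot{}, dashboards: map[string]*Dashboard{}}
}

func dashKey(orgID int64, uid string) string { return fmt.Sprintf("%d/%s", orgID, uid) }

func (s *Store) AddDashboard(d *Dashboard)    { s.dashboards[dashKey(d.OrgID, d.UID)] = d }
func (s *Store) AddSnapshot(sn *Snapshot)     { s.snapshots[sn.Key] = sn }
func (s *Store) HasSnapshot(key string) bool  { _, ok := s.snapshots[key]; return ok }

func (s *Store) getDashboard(orgID int64, uid string) (*Dashboard, error) {
	if d, ok := s.dashboards[dashKey(orgID, uid)]; ok {
		return d, nil
	}
	return nil, errNotFound
}

func canEdit(u *User, d *Dashboard) bool {
	return u.OrgID == d.OrgID && (u.Role == "Editor" || u.Role == "Admin")
}

// DeleteSnapshotVulnerable models the failure mode described in the text.
// Authorization is derived from the snapshot's dashboard, looked up in the
// caller's org. For a snapshot owned by another org that lookup misses, the
// not-found branch is treated as "nothing to check", and the delete proceeds.
// Return values are HTTP-style status codes.
func DeleteSnapshotVulnerable(s *Store, u *User, key string) int {
	sn, ok := s.snapshots[key]
	if !ok {
		return 404
	}
	d, err := s.getDashboard(u.OrgID, sn.DashboardUID)
	if err == nil {
		if !canEdit(u, d) {
			return 403
		}
	} else if !errors.Is(err, errNotFound) {
		return 500
	}
	// BUG: errNotFound falls through to here with no authorization decision.
	delete(s.snapshots, key)
	return 200
}

// DeleteSnapshotFixed authorizes against the snapshot object itself: the
// caller must belong to the snapshot's org and hold a role permitted to
// delete. The role policy is an assumption for this example, not Grafana's.
func DeleteSnapshotFixed(s *Store, u *User, key string) int {
	sn, ok := s.snapshots[key]
	if !ok {
		return 404
	}
	if sn.OrgID != u.OrgID {
		return 403
	}
	if u.Role != "Editor" && u.Role != "Admin" {
		return 403
	}
	delete(s.snapshots, key)
	return 200
}

// Seed builds a store holding one dashboard and one snapshot in org 1.
// The key "abc123" is a constructed sample value.
func Seed() *Store {
	s := NewStore()
	s.AddDashboard(&Dashboard{UID: "sales", OrgID: 1})
	s.AddSnapshot(&Snapshot{Key: "abc123", OrgID: 1, DashboardUID: "sales"})
	return s
}

func main() {
	attacker := &User{Login: "mallory", OrgID: 2, Role: "None"}
	handlers := map[string]func(*Store, *User, string) int{
		"vulnerable": DeleteSnapshotVulnerable,
		"fixed":      DeleteSnapshotFixed,
	}
	for name, del := range handlers {
		s := Seed()
		code := del(s, attacker, "abc123")
		fmt.Printf("%-10s cross-org delete by role=%s -> %d, snapshot still present: %v\n",
			name, attacker.Role, code, s.HasSnapshot("abc123"))
	}
}
```

The point the contrast makes is that the authorization decision must be taken on the object actually being acted on (the snapshot and the organization it belongs to), not on a related object whose lookup may legitimately fail; a "not found" error is not an authorization result. A handler could also answer 404 rather than 403 for keys owned by another org so that the endpoint does not confirm a key's existence, although, as noted above, snapshot keys are not treated as secret in the first place.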

Security Officer Comments:
The precondition for exploiting this vulnerability is that the malicious actor obtain a valid snapshot key, either through brute-force attacks or through reconnaissance, for example during presentations or demos where the key is visible in plain text in the URL's path. Unit 42 disclosed the issue to Grafana on January 22, 2024, and a fixed release was published on March 26, 2024. BOLA vulnerabilities are usually simple in nature and are often overlooked by software developers, yet they can have a severe impact even in mature applications.

Suggested Corrections:
Grafana has released fixes for CVE-2024-1313, described in its security advisory on the matter, and recommends upgrading to 10.4.x, 10.3.5, 10.2.6, 10.1.9, 10.0.13 or 9.5.18 to mitigate the BOLA risk. They also note that automated testing tools are a primary deterrent against BOLA vulnerabilities.