
WARNING: CRITICAL COMMAND INJECTION VULNERABILITY IN GRAFANA CAN BE EXPLOITED REMOTELY, PROOF OF CONCEPT AVAILABLE. PATCH IMMEDIATELY!

Reference: Advisory #2024-247
Version: 1.0
Affected software: Grafana v11.x.y (Enterprise & OSS (Open-Source Software))
Type: CWE-94 - Improper Control of Generation of Code ('Code Injection')
CVE/CVSS: CVE-2024-9264: CVSS 9.9 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)

Sources

Official manufacturer: https://grafana.com/security/security-advisories/cve-2024-9264/

NIST NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-9264

Risks

A proof of concept has been observed for CVE-2024-9264, a critical command injection vulnerability in Grafana v11. Grafana is a visualization and dashboarding platform that is widely used to visualize data within an organization. In many cases these Grafana instances are also exposed to the internet, which makes them reachable by any attacker on the internet.

Successful exploitation of CVE-2024-9264 could lead to remote code execution, with a high impact on the full CIA triad. An attacker who successfully exploits this vulnerability gains full access to the host machine, and thereby to all files and services on it. Attackers can also access or try to compromise all other services and servers to which the Grafana instance is connected.

Since a proof of concept (PoC) is available, exploitation of this vulnerability is highly likely wherever all conditions are met. In this case that requires a ‘duckdb’ binary, which is not installed by default on a Grafana instance, and a valid user account.

Description

CVE-2024-9264 is caused by Grafana passing queries containing user input to ‘duckdb’ for evaluation, as part of a new experimental feature.

These queries are insufficiently sanitized before being passed to ‘duckdb’, leading to a command injection and local file inclusion vulnerability (CVE-2024-9264). Any user with the Viewer permission or higher is capable of executing this attack.

All versions of Grafana v11 are vulnerable to CVE-2024-9264 under the following conditions:

  • a ‘duckdb’ binary is installed (which is not the default in Grafana distributions)
  • the ‘duckdb’ binary is present in Grafana’s $PATH environment variable
  • the attacker has access to Grafana as a user with Viewer permissions (or higher)

Recommended Actions

Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority, after thorough testing.
Update your Grafana v11 instance to one of the following versions:

  • 11.0.5+security-01
  • 11.1.6+security-01
  • 11.2.1+security-01
  • 11.0.6+security-01
  • 11.1.7+security-01
  • 11.2.2+security-01
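As an added triage example (not CCB or Grafana code), the following checks a Grafana instance against the two technical preconditions above: the version list from this advisory and the presence of a ‘duckdb’ binary on PATH. It assumes Grafana reports versions like "11.2.1" or "11.2.1+security-01", treats only the six listed builds or a later patch release on the same 11.x branch as fixed (the latter is an assumption), and deliberately reports a plain build with the same number as a listed +security build (e.g. "11.0.6") as vulnerable, since that build is not in the list.

```python
"""Triage helper for CVE-2024-9264 exposure (added example; not CCB or Grafana code)."""
import re
import shutil
from typing import Optional, Tuple

# Fixed builds exactly as listed in the advisory.
FIXED_BUILDS = {
    "11.0.5+security-01", "11.1.6+security-01", "11.2.1+security-01",
    "11.0.6+security-01", "11.1.7+security-01", "11.2.2+security-01",
}

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:\+security-(\d+))?$")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """'11.2.1+security-01' -> (11, 2, 1, 1); a plain release gets suffix 0."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Grafana version: {text!r}")
    major, minor, patch, sec = m.groups()
    return int(major), int(minor), int(patch), int(sec or 0)


def version_status(text: str) -> str:
    """Classify a version against the advisory's fix list (conservatively)."""
    major, minor, patch, _sec = parse_version(text)
    if major != 11:
        return "out-of-scope"          # advisory covers v11.x.y only
    if text.strip().lstrip("v") in FIXED_BUILDS:
        return "fixed"
    branch_patches = [parse_version(f)[2] for f in FIXED_BUILDS
                      if parse_version(f)[:2] == (major, minor)]
    if not branch_patches:
        return "unknown-branch"        # 11.x line not covered by the fix list
    if patch > max(branch_patches):
        return "fixed"                 # later release on a fixed branch (assumption)
    return "vulnerable"                # includes plain builds such as 11.0.6


def duckdb_on_path(path: Optional[str] = None) -> bool:
    """Second precondition: a 'duckdb' binary in Grafana's PATH (None = this process's PATH)."""
    return shutil.which("duckdb", path=path) is not None


def exposure(version: str, path: Optional[str] = None) -> str:
    """Combine both preconditions into a single triage verdict."""
    status = version_status(version)
    if status != "vulnerable":
        return status
    return "vulnerable-exploitable" if duckdb_on_path(path) else "vulnerable-no-duckdb"
```

Run it with the Grafana version reported by the instance and the PATH of the Grafana service account, not of your own shell, since the binary lookup is what decides whether the vulnerability is reachable.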

Monitor/Detect
The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.

In case of an intrusion, you can report an incident via: https://ccb.belgium.be/en/cert/report-incident

While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.


References

Grafana - Blog: https://grafana.com/blog/2024/10/17/grafana-security-release-critical-severity-fix-for-cve-2024-9264/