Summary: A critical vulnerability (CVE-2024-9264) in Grafana allows attackers to execute arbitrary code due to improper handling of SQL queries, posing a significant risk of system compromise. Grafana Labs has released patched versions and urges users to upgrade immediately to mitigate the threat.
Threat Actor: Malicious actors
Victim: Grafana users
Key Points:
- Vulnerability CVE-2024-9264 has a CVSS v3.1 score of 9.9, indicating a critical risk level.
- The flaw is linked to an experimental feature called “SQL Expressions,” which allows unsafe SQL query processing.
- Attackers can exploit this vulnerability to execute system commands or access sensitive files if they have Viewer permissions or higher.
- Grafana Labs has released patched versions and recommends immediate upgrades to affected users.
- As a temporary measure, users are advised to remove the DuckDB binary from their system’s PATH.

A critical security vulnerability (CVE-2024-9264) has been discovered in Grafana, the popular open-source platform for monitoring and observability. This vulnerability, with a CVSS v3.1 score of 9.9, could allow attackers to execute arbitrary code on affected systems, potentially leading to complete system compromise.
The flaw stems from an experimental feature called “SQL Expressions,” which allows users to post-process data source queries using SQL. According to the security advisory released by Grafana Labs, “These SQL queries were not sanitized completely, leading to a command injection and local file inclusion vulnerability.”
This means that malicious actors could craft queries that escape the intended SQL context and execute system commands or access sensitive files on the server. Worryingly, the advisory states that “Any Grafana user who has Viewer permissions or higher is capable of executing this attack.”
In its advisory, Grafana Labs explains, “Because of an incorrect implementation of feature flags, this experimental feature is enabled by default for the API.” This default setting, combined with a DuckDB binary reachable via the system PATH, is what makes an instance exploitable. Importantly, the DuckDB binary is not packaged with Grafana by default, meaning that only instances where DuckDB is installed and accessible via the PATH are exploitable.
Grafana Labs has acted swiftly to address CVE-2024-9264, releasing patched versions for all affected Grafana 11 releases. Users are strongly urged to upgrade to a patched version immediately:
“If your instance is vulnerable, we strongly recommend upgrading to one of the patched versions of Grafana as soon as possible,” the advisory emphasizes.
As a temporary mitigation, Grafana Labs recommends removing the DuckDB binary from the system’s PATH or uninstalling it entirely.
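The advisory ties exploitability to one host-level precondition, a DuckDB binary resolvable through PATH, and the interim mitigation is to remove it. The following POSIX shell script is an added example, not code from Grafana Labs or the advisory, that a defender can run on a Grafana host (or from a config-management check) to confirm whether that precondition holds. It assumes the DuckDB CLI is installed under its usual binary name `duckdb`; the function and helper names are hypothetical, and the `EXPOSED`/`OK` wording is constructed for this example.

```shell
#!/bin/sh
# Added example (not from the advisory or Grafana Labs): report whether the
# host meets the CVE-2024-9264 precondition, i.e. a `duckdb` binary is
# resolvable via PATH. The binary name `duckdb` is an assumption.

# duckdb_on_path [PATH-string]
# Returns 0 and prints the location if an executable named `duckdb` exists
# in any directory of the given PATH string (defaults to the current $PATH);
# returns 1 otherwise. Directories named `duckdb` are ignored.
duckdb_on_path() {
  search_path="${1:-$PATH}"
  found=""
  old_ifs="$IFS"
  IFS=:
  for dir in $search_path; do
    [ -n "$dir" ] || continue              # skip empty PATH components
    if [ -x "$dir/duckdb" ] && [ ! -d "$dir/duckdb" ]; then
      found="$dir/duckdb"
      break
    fi
  done
  IFS="$old_ifs"
  if [ -n "$found" ]; then
    printf '%s\n' "$found"
    return 0
  fi
  return 1
}

# cve_2024_9264_exposure [PATH-string]
# Prints a one-line status suitable for a cron job or monitoring check.
# Removing the binary from PATH only closes the interim gap; the advisory's
# actual fix is upgrading to a patched Grafana release.
cve_2024_9264_exposure() {
  if loc=$(duckdb_on_path "$1"); then
    echo "EXPOSED: duckdb found at $loc; remove it from PATH (or uninstall) and upgrade Grafana"
  else
    echo "OK: no duckdb binary on PATH"
  fi
}

# Run against the real PATH of the current shell when executed directly.
cve_2024_9264_exposure
```

Run it as the same service account Grafana runs under, since that account's PATH (not an administrator's interactive shell) is the one that matters; a result of `OK` means the mitigation condition is satisfied, but the upgrade to a patched version is still required.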
Source: https://securityonline.info/patch-now-grafana-hit-by-9-9-severity-rce-vulnerability-cve-2024-9264