[SECURITY-L] Grafana critical vulnerability risks remote code execution
CSIRT Unicamp
security at unicamp.br
Monday, October 21, 08:58:13 -03 2024
Original:
https://www.scworld.com/news/grafana-critical-vulnerability-risks-remote-code-execution
Grafana, an open-source data analytics and visualization platform, was
found to have a critical vulnerability that could lead to remote code
execution.
The flaw, tracked as CVE-2024-9264
<https://nvd.nist.gov/vuln/detail/CVE-2024-9264> with a CVSS v4 score of
9.4, was introduced in Grafana version 11, released in May 2024, Grafana
Labs disclosed Thursday
<https://grafana.com/blog/2024/10/17/grafana-security-release-critical-severity-fix-for-cve-2024-9264/>.
The vulnerability stems from an experimental feature called SQL
Expressions, which allows for post-processing of data source query outputs
via SQL queries to the open-source relational database management system
DuckDB.
Grafana's SQL Expressions feature does not properly sanitize these SQL
queries before handing them to the DuckDB command line interface (CLI),
which allows both command injection and local file inclusion via a
malicious query. The vulnerability can be exploited by any authenticated
user holding the "viewer" role or higher, according to Grafana Labs
<https://grafana.com/security/security-advisories/cve-2024-9264/>.
SQL Expressions is enabled by default for the Grafana API; however, Grafana
Labs noted that the vulnerability is only exploitable if the DuckDB binary
is installed and present in the PATH of the Grafana process's environment,
which is not the default.
SC Media contacted Grafana to ask how many users were believed to be running
vulnerable and exploitable versions of the platform, and did not receive a
response. The open-source intelligence (OSINT) platform Netlas.io reported
<https://x.com/Netlas_io/status/1847183420599730198> on Friday that more
than 100,000 Grafana instances were "probably vulnerable to CVE-2024-9264",
including nearly 19,000 in the United States. Because a network scan can
only observe the advertised Grafana version, not whether a DuckDB binary is
on the process PATH, such counts are an upper bound on exploitable instances.
How to patch Grafana CVE-2024-9264
Grafana released six new versions that resolve the critical vulnerability,
including three downloads that only contain the security fix and three that
patch the flaw while also upgrading users to the most recent Grafana
versions.
Users who want to install the fix without moving to the latest release can
download versions 11.0.5+security-01
<https://grafana.com/grafana/download/11.0.5+security-01>,
11.1.6+security-01 <https://grafana.com/grafana/download/11.1.6+security-01>
or 11.2.1+security-01
<https://grafana.com/grafana/download/11.2.1+security-01>.
Users can also patch and upgrade to the most recent versions at the same
time by installing release 11.0.6+security-01
<https://grafana.com/grafana/download/11.0.6+security-01>,
11.1.7+security-01 <https://grafana.com/grafana/download/11.1.7+security-01>
or 11.2.2+security-01
<https://grafana.com/grafana/download/11.2.2+security-01>.
While Grafana Labs strongly recommended installing the security patch "as
soon as possible," users can also mitigate the vulnerability by removing
the DuckDB binary from their systems, or from any PATH directory the
Grafana process can reach. SQL Expressions was the only Grafana feature
that used DuckDB, the company said.
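The article gives two conditions that together make a host exploitable: an
affected Grafana 11 build, and a duckdb binary reachable through the PATH of
the Grafana process. As an added example (not code from the SC Media article
or from Grafana Labs), the POSIX sh script below checks both on one host and
combines them into a verdict. The function names, return codes, the --live
mode, and the use of pgrep and /proc/<pid>/environ to read the running
process's PATH are this example's own assumptions. The version logic treats
only the +security-01 builds listed above (or later security builds) as
fixed and reports any other release at or past those base versions as "not
covered", because the article does not say whether plain later releases
carry the fix.

```shell
#!/bin/sh
# Added example: host check for the two CVE-2024-9264 conditions described in
# the article (affected Grafana 11 build, duckdb on the Grafana process PATH).
# Not Grafana Labs code. Return codes: 0 = condition absent / fixed,
# 1 = condition present / affected, 2 = not determinable from the article.

# Return 0 if an executable file named "duckdb" exists in any directory of
# the PATH-like string $1, 1 otherwise. Takes the PATH as an argument so it
# can be run against another process's environment, not just the caller's.
duckdb_in_path() {
    _old_ifs=$IFS; IFS=:
    for _dir in $1; do
        [ -z "$_dir" ] && _dir=.            # empty PATH entry means "."
        if [ -f "$_dir/duckdb" ] && [ -x "$_dir/duckdb" ]; then
            IFS=$_old_ifs; return 0
        fi
    done
    IFS=$_old_ifs; return 1
}

# Classify a Grafana version string such as "11.1.5" or "11.1.6+security-01".
# 0 = fixed build (at/after the base version AND a "+security-*" build),
# 1 = affected 11.0/11.1/11.2 release below the fixed base version,
# 2 = not covered by the article (pre-11 releases were not affected; other
#     lines and plain releases past the base version need the advisory).
grafana_version_fixed() {
    _ver=$1
    _core=${_ver%%+*}                       # "11.1.6+security-01" -> "11.1.6"
    _build=${_ver#"$_core"}; _build=${_build#+}   # -> "security-01" or ""
    _major=${_core%%.*}
    _rest=${_core#*.}
    case $_rest in
        *.*) _minor=${_rest%%.*}; _patch=${_rest#*.} ;;
        *)   _minor=$_rest;       _patch=0 ;;
    esac
    _patch=${_patch%%[!0-9]*}               # "5-preview" -> "5"
    [ -n "$_patch" ] || _patch=0
    case "$_major.$_minor" in               # security-only base versions
        11.0) _fix=5 ;;
        11.1) _fix=6 ;;
        11.2) _fix=1 ;;
        *)    return 2 ;;
    esac
    [ "$_patch" -lt "$_fix" ] && return 1
    case $_build in
        security-*) return 0 ;;
        *)          return 2 ;;
    esac
}

# Read the PATH of a running process from /proc (Linux only; reading
# /proc/<pid>/environ needs root or the same user the process runs as).
proc_path() {
    tr '\0' '\n' < "/proc/$1/environ" | sed -n 's/^PATH=//p'
}

# Combine both checks the way the article frames them: exploitable only when
# the build is affected AND duckdb is reachable from the process PATH.
# Returns 1 = exploitable, 2 = undetermined (version not covered but duckdb
# present), 0 = not exploitable by the article's conditions.
report_host() {
    _v=$1; _p=$2
    _vrc=0; grafana_version_fixed "$_v" || _vrc=$?
    _drc=0; duckdb_in_path "$_p" || _drc=$?
    case $_vrc in
        0) echo "version $_v: fixed build" ;;
        1) echo "version $_v: affected by CVE-2024-9264" ;;
        *) echo "version $_v: not covered by the article, check the Grafana advisory" ;;
    esac
    if [ "$_drc" -eq 0 ]; then echo "duckdb: reachable from PATH"
    else echo "duckdb: not in PATH (mitigated)"; fi
    if [ "$_drc" -eq 0 ] && [ "$_vrc" -eq 1 ]; then
        echo "VERDICT: exploitable; upgrade or remove duckdb from the PATH"; return 1
    elif [ "$_drc" -eq 0 ] && [ "$_vrc" -eq 2 ]; then
        echo "VERDICT: undetermined; confirm the build against the advisory"; return 2
    fi
    echo "VERDICT: not exploitable by the article's conditions"; return 0
}

# Live mode (Linux): sh check_grafana_cve_2024_9264.sh --live <grafana-version>
# Locates the Grafana process with pgrep and reads its PATH from /proc.
if [ "${1-}" = "--live" ]; then
    _pid=$(pgrep -o -x grafana 2>/dev/null || pgrep -o -x grafana-server 2>/dev/null) \
        || { echo "no Grafana process found" >&2; exit 2; }
    report_host "${2:?grafana version required}" "$(proc_path "$_pid")"
fi
```

The PATH is read from the process rather than from the login shell on
purpose: the article's exploitability condition is about the PATH of the
Grafana process's environment, and a service started by systemd or a
container entrypoint rarely shares the administrator's interactive PATH.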
The vulnerability was first discovered by Grafana staff on Sept. 26, 2024,
and Grafana began rolling out the security patch across all Grafana Cloud
channels the following day, according to a timeline published by Grafana
Labs.
By Oct. 1 the patch had been completed across all Grafana Cloud instances,
and the patch for Grafana Open-Source Software (OSS) and Grafana Enterprise
began private release on Oct. 3. The patch completely removes the SQL
Expressions functionality.
===
Computer Security Incident Response Team - CSIRT
Universidade Estadual de Campinas - Unicamp
Centro de Computacao - CCUEC
GnuPG Public Key: http://www.security.unicamp.br/security.asc
Contact: +55 19 3521-2289 or INOC-DBA: 1251*830