CVE-2024-9264

Improper Control of Generation of Code ('Code Injection') (CWE-94)

Published: Oct 18, 2024 / Updated: 33d ago

CVSS 9.4 / EPSS 0.04% / Critical

Summary

The SQL Expressions experimental feature of Grafana allows for the evaluation of `duckdb` queries containing user input. These queries are insufficiently sanitized before being passed to `duckdb`, leading to a command injection and local file inclusion vulnerability. Any user with the VIEWER or higher permission is capable of executing this attack. The `duckdb` binary must be present in Grafana's $PATH for this attack to function; by default, this binary is not installed in Grafana distributions.

Impact

This vulnerability allows attackers with low-level privileges (VIEWER or higher) to execute command injection and local file inclusion attacks. The impact is severe, potentially leading to unauthorized access to sensitive data, system compromise, and disruption of services. The attack can be executed remotely over the network without user interaction, increasing its potential for widespread exploitation. The vulnerability affects the confidentiality, integrity, and availability of the system, all rated as HIGH impact.

Exploitation

One proof-of-concept exploit is publicly available on github.com (see Exploits below), and exploitation has been reported by several sources, including github.com.

Patch

Patches are available. Grafana has released security updates to address this vulnerability. The security team should immediately apply the latest security patches provided by Grafana.

Mitigation

1. Apply the latest security patches provided by Grafana immediately.
2. If patching is not immediately possible, disable the SQL Expressions experimental feature in Grafana if it is not strictly necessary.
3. Ensure that the `duckdb` binary is not present in Grafana's $PATH.
4. Implement strict access controls, limiting VIEWER and higher permissions to only trusted users.
5. Monitor Grafana installations for suspicious activities, particularly focusing on SQL query executions.
6. Keep Grafana updated to the latest version and be prepared to apply future security patches promptly.
7. Consider implementing additional network segmentation to limit potential attack vectors.
8. Regularly audit user permissions and remove unnecessary elevated access.
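The summary names two preconditions that must both hold on a host for this issue to be reachable: the SQL Expressions experimental feature is enabled, and a `duckdb` executable is on the Grafana process's $PATH. The following POSIX shell audit, an added example that is neither Grafana's tooling nor part of the advisory, checks both on a host and counts how many hold. It assumes the feature toggle is named `sqlExpressions` under `[feature_toggles]` in grafana.ini and uses `/etc/grafana/grafana.ini` as a default path; both are assumptions to adjust for your deployment, and the PATH passed in should be the one the `grafana-server` process actually runs with, not your login shell's.

```shell
#!/bin/sh
# Added audit example for the CVE-2024-9264 preconditions (not Grafana's own tooling).
# Two things must both hold for the advisory's attack to work on a host:
#   1. the SQL Expressions experimental feature is enabled, and
#   2. a `duckdb` executable is reachable through the Grafana process's PATH.
# Assumptions: the feature toggle is named "sqlExpressions" and lives under
# [feature_toggles] in grafana.ini; the config path below is a default guess.

GRAFANA_INI="${GRAFANA_INI:-/etc/grafana/grafana.ini}"

# Returns 0 if a duckdb executable is found on the PATH given as $1.
# A subshell is used so the caller's PATH is left untouched.
duckdb_on_path() {
  ( PATH="$1"; command -v duckdb >/dev/null 2>&1 )
}

# Returns 0 if the ini file $1 turns the sqlExpressions toggle on, either via
# "enable = a,b,sqlExpressions" or "sqlExpressions = true" inside [feature_toggles].
# Lines starting with ';' or '#' are comments; keys in other sections are ignored,
# and a longer key such as sqlExpressionsFoo does not match.
sql_expressions_enabled() {
  [ -r "$1" ] || return 1
  awk '
    /^[ \t]*\[/ { section = $0; next }
    section ~ /\[feature_toggles\]/ && $0 !~ /^[ \t]*[;#]/ {
      if ($0 ~ /^[ \t]*enable[ \t]*=[ \t]*(.*[ \t,])?sqlExpressions([ \t,]|$)/) found = 1
      if ($0 ~ /^[ \t]*sqlExpressions[ \t]*=[ \t]*true[ \t]*$/) found = 1
    }
    END { exit found ? 0 : 1 }
  ' "$1"
}

# Prints each precondition that holds and returns the number found (0, 1 or 2).
# Only a result of 2 means the advisory's attack path is open on this host;
# patching to a fixed Grafana release removes the need for either workaround.
audit() {
  ini="$1"; search_path="$2"; findings=0
  if sql_expressions_enabled "$ini"; then
    echo "FINDING: sqlExpressions feature toggle enabled in $ini"
    findings=$((findings + 1))
  fi
  if duckdb_on_path "$search_path"; then
    echo "FINDING: duckdb executable reachable via PATH ($search_path)"
    findings=$((findings + 1))
  fi
  return "$findings"
}

audit "$GRAFANA_INI" "$PATH"
echo "preconditions met: $?/2"
```

Run it as the user and environment Grafana runs under (for example through the service's unit file or container image) so the PATH checked is the one the server really has; a `duckdb` that is only on an administrator's PATH is not a finding for the server.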

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Timeline

First Article

Feedly found the first article mentioning CVE-2024-9264.

Oct 18, 2024 at 3:19 AM / security on Grafana Labs
CVSS Estimate

Feedly estimated the CVSS score as HIGH

Oct 18, 2024 at 3:19 AM
CVE Assignment

NVD published the first details for CVE-2024-9264

Oct 18, 2024 at 4:15 AM
CVSS

A CVSS base score of 9.9 has been assigned.

Oct 18, 2024 at 4:15 AM / nvd
Detection in Vulnerability Scanners

Detection for the vulnerability has been added to Qualys (731849)

Oct 18, 2024 at 7:53 AM
EPSS

EPSS Score was set to: 0.04% (Percentile: 9.7%)

Oct 18, 2024 at 10:20 AM
Exploitation in the Wild

Attacks in the wild have been reported by PoC-in-GitHub RSS.

Oct 19, 2024 at 7:39 PM / PoC-in-GitHub RSS
Proof of Concept (PoC) Released

A proof of concept exploit has been released

Oct 20, 2024 at 2:10 AM
Detection in Vulnerability Scanners

Detection for the vulnerability has been added to Qualys (152318)

Oct 21, 2024 at 7:53 AM

Affected Systems

Grafana/grafana

Exploits

https://github.com/nollium/CVE-2024-9264

Patches

bugzilla.redhat.com

Attack Patterns

CAPEC-242: Code Injection

Vendor Advisory

CVE-2024-9264
2316409 - grafana: Command injection and local file inclusion via SQL Expressions These SQL queries were incompletely sanitized, leading to a command injection and local file inclusion vulnerability.

References

Grafana SQL Expressions allow for remote code execution
http://grafana.com
Grafana security release: Critical severity fix for CVE-2024-9264
Today we rolled out patch releases for Grafana 11.0.x, 11.1.x, and 11.2.x that contain a fix for CVE-2024-9264, a critical severity security vulnerability in Grafana that introduced command injection and local file inclusion (LFI) via SQL expressions. Note: Out of an abundance of caution, we are releasing two sets of security patches that contain the fix for this vulnerability.
Status of Korean Servers Exposed to Grafana Vulnerability (CVE-2024-9264)
AhnLab Security intelligence Center (ASEC) investigated the vulnerability status of Grafana servers operating in Korea through the ASM service to assess the vulnerability threat exposure status of its clients. A critical security vulnerability in Grafana was announced and many Korean servers have been identified as using the vulnerable versions.

News

Grafana Labs SQL expressions allowing for RCE (CVE-2024-9264)
Nessus Plugin ID 211576 with High Severity Synopsis The remote host is missing a security update. Description The version of Grafana Labs installed on the remote host is affected by a vulnerability as referenced in the CVE-2024-9264 advisory. - The SQL Expressions experimental feature of Grafana allows for the evaluation of 'duckdb' queries containing user input. These queries are insufficiently sanitized before being passed to 'duckdb', leading to a command injection and local file inclusion vulnerability. Any user with the VIEWER or higher permission is capable of executing this attack. The 'duckdb' binary must be present in Grafana's $PATH for this attack to function; by default, this binary is not installed in Grafana distributions. Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number. Solution See vendor advisory Read more at https://www.tenable.com/plugins/nessus/211576
Focus Friday: Third-Party Risk Insights Into Atlassian Jira, Ivanti Connect Secure, and Nostromo nhttpd Vulnerabilities With Black Kite’s FocusTags™
Black Kite’s FocusTag™ for Atlassian Jira, published on November 13, 2024, enables TPRM professionals to identify vendors potentially affected by CVE-2021-26086. Third-Party Risk Management (TPRM) professionals should be concerned about CVE-2021-26086 because it allows unauthorized access to sensitive files on vulnerable Jira instances.
FOCUS FRIDAY: TPRM INSIGHTS ON LITESPEED CACHE, RICOH WEB IMAGE MONITOR, SQUID PROXY, AND XLIGHT FTP VULNERABILITIES WITH BLACK KITE’S FOCUSTAGS™
Black Kite’s FocusTag™ for CVE-2024-47939 was published on November 4, 2024, equipping TPRM professionals with actionable intelligence to identify and assess vendors utilizing vulnerable Ricoh printers and MFPs. By leveraging Black Kite’s platform, organizations can precisely filter and target vendors that operate affected Ricoh devices, thereby streamlining their risk assessment and mitigation processes. Have you configured firewall rules to block unauthorized IPs from accessing the device and limited access to the Web Image Monitor to trusted networks only to prevent potential exploitation of CVE-2024-47939?
CVE-2024-9264: Grafana Remote Code Execution via SQL Expressions
Finally, execute the malicious payload to establish a reverse shell connection: In this step, we will write our reverse shell payload to the target machine:

CVSS V3.1

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High
