Grafana Labs reports critical flaw in Grafana 11
Take action: If you are using Grafana 11 or newer, patch now or remove the DuckDB binary from the systems or from the PATH accessible to Grafana (ideally both). The vulnerability has a prerequisite: the attacker needs a real account to authenticate with, but any Grafana system has a lot of users. Don't bet on none of them being breached. Patch quickly, or remove DuckDB.
Learn More
Grafana Labs, the company behind the popular open-source data analytics and visualization platform Grafana, has disclosed a critical vulnerability that could lead to remote code execution.
The flaw, tracked as CVE-2024-9264 (CVSS score 9.4), was identified in Grafana version 11 and newer. The vulnerability lies in the "SQL Expressions" feature, introduced as an experimental capability for post-processing data source outputs using SQL queries directed at DuckDB, an open-source relational database. The vulnerability allows attackers to execute arbitrary commands or include local files via malicious SQL queries.
The SQL Expressions feature fails to properly sanitize SQL queries sent to DuckDB’s command line interface (CLI), enabling both command injection and local file inclusion. The vulnerability is exploitable by any user with “viewer” permissions or higher. It only poses a risk if the DuckDB binary is installed and included in the PATH of the Grafana process environment—this is not a default configuration.
Open-source intelligence (OSINT) data from Netlas.io suggests that over 100,000 Grafana instances may be vulnerable to CVE-2024-9264, with nearly 19,000 of these located in the United States.
Grafana Labs has released six new versions to address this vulnerability:
- Security-Only Patches:
  - Grafana 11.0.5+security-01
  - Grafana 11.1.6+security-01
  - Grafana 11.2.1+security-01
- Patch and Upgrade:
  - Grafana 11.0.6+security-01
  - Grafana 11.1.7+security-01
  - Grafana 11.2.2+security-01
Grafana strongly recommends applying the security patch as soon as possible. Users can also mitigate the vulnerability by removing the DuckDB binary from their systems or from the PATH accessible to Grafana. The company has disabled SQL Expressions entirely in patched versions to prevent exploitation.
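The mitigation hinges on whether the Grafana process can actually resolve a `duckdb` executable through its own PATH, which may differ from the PATH of the administrator's shell. The following POSIX shell script is an added check written for this advisory (it is not Grafana Labs' tooling); it assumes a Linux host with `/proc` and that the Grafana process is named `grafana` or `grafana-server`.

```shell
#!/bin/sh
# Return 0 and print the hit if an executable file named "duckdb" is reachable
# through the given colon-separated PATH string; return 1 otherwise.
# Usage: duckdb_in_path "/usr/local/bin:/usr/bin"
duckdb_in_path() {
    _path=$1
    _old_ifs=$IFS
    IFS=:
    for _dir in $_path; do
        [ -z "$_dir" ] && _dir=.   # an empty PATH entry means the current directory
        if [ -f "$_dir/duckdb" ] && [ -x "$_dir/duckdb" ]; then
            IFS=$_old_ifs
            printf '%s\n' "$_dir/duckdb"
            return 0
        fi
    done
    IFS=$_old_ifs
    return 1
}

# Print the PATH as seen by a running process (Linux /proc only; needs
# permission to read the target's environ, i.e. root or the same user).
# Usage: process_path <pid>
process_path() {
    tr '\0' '\n' < "/proc/$1/environ" 2>/dev/null | sed -n 's/^PATH=//p'
}

# Inspect every running Grafana process (assumed process names: grafana,
# grafana-server). Exit 0 if any of them can reach a duckdb binary, 1 if none can.
check_grafana_hosts() {
    _found=1
    for _pid in $(pgrep -x grafana 2>/dev/null; pgrep -x grafana-server 2>/dev/null); do
        _p=$(process_path "$_pid")
        if _hit=$(duckdb_in_path "$_p"); then
            echo "pid $_pid can execute $_hit: remove it or apply the patched Grafana version"
            _found=0
        fi
    done
    return $_found
}
```

Run `check_grafana_hosts` as root on each Grafana host; a hit means the SQL Expressions prerequisite is met and the mitigation has not taken effect for that process.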