Full Report
A critical security vulnerability in Grafana was announced and many Korean servers have been identified as using the vulnerable versions. Grafana is widely known as an open-source platform for visualizing and monitoring data. Figure 1. Grafana login screen The CVE-2024-9264 vulnerability disclosed on October 18th, 2024 is a critical vulnerability with a CVSS […] 게시물 Status of Korean Servers Exposed to Grafana Vulnerability (CVE-2024-9264)이 ASEC에 처음 등장했습니다.
Analysis Summary
# Vulnerability: Critical RCE/LFI in Grafana via DuckDB SQL Injection
## CVE Details
- CVE ID: CVE-2024-9264
- CVSS Score: 9.9 (Critical)
- CWE: (Not explicitly stated, but implied to be related to Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') or similar command injection flaw)
## Affected Systems
- Products: Grafana
- Versions: Grafana v11.x (specifically versions starting from v11.0.0 where the feature was introduced)
- Configurations: Environments where Grafana v11.x is installed AND the DuckDB data source is accessible via environment variables.
## Vulnerability Description
The vulnerability exists in a feature added in Grafana v11.0.0 that allows the execution of SQL expressions. The system fails to properly filter user-controlled input passed to the DuckDB CLI. This allows an attacker, even with the lowest 'viewer' privilege, to inject commands. Specifically, SQL functions like `read_text`, `read_csv`, and `read_blob` can be abused by providing local file paths as arguments, leading to Local File Inclusion (LFI) and file exfiltration. Furthermore, using the `COPY – TO` query, an attacker can write arbitrary content to files on the system, including shell commands, which can then be executed to achieve Remote Command Execution (RCE).
## Exploitation
- Status: PoC available (Publicly available code)
- Complexity: Low (Exploitable out-of-the-box if prerequisites are met)
- Attack Vector: Network
## Impact
- Confidentiality: High (File exfiltration possible)
- Integrity: High (Arbitrary file creation/modification possible)
- Availability: High (System compromise leading to service disruption)
## Remediation
### Patches
- Specific patched versions are not listed, but the guidance is to apply the **latest updates immediately** for Grafana v11.x environments. (Refer to official Grafana advisories for exact safe versions).
### Workarounds
1. Remove the DuckDB executable from the system.
2. Exclude the DuckDB executable from the environment variable path where Grafana searches for executables.
## Detection
- **Indicators of Compromise (IoCs):** Look for unusual outbound network traffic originating from the Grafana server, or unexpected file creation/modification events in the filesystem.
- **Detection Methods and Tools:** Monitor web server/application logs for unusual SQL query patterns directed towards the DuckDB feature. Deploy EDR/monitoring solutions capable of detecting unauthorized shell command execution originating from the Grafana process space.
## References
- Vendor Advisories:
- AhnLab Security Advisory: hxxps://asec.ahnlab.com/en/83991/
- Grafana Blog Advisory: hxxps://grafana.com/blog/2024/10/17/grafana-security-release-critical-severity-fix-for-cve-2024-9264/
- Relevant Links:
- NVD Entry: hxxps://nvd.nist.gov/vuln/detail/CVE-2024-9264