Grafana critical vulnerability risks remote code execution

Grafana, an open-source data analytics and visualization platform, was found to have a critical vulnerability that could lead to remote code execution.

The flaw, tracked as CVE-2024-9264, which has a CVSS v4 score of 9.4, was introduced in Grafana version 11 released in May 2024, Grafana Labs disclosed Thursday. The vulnerability stems from an experimental feature called SQL Expressions, which allows for post-processing of data source query outputs via SQL queries to the open-source relational database management system DuckDB.

Grafana’s SQL Expressions feature does not properly sanitize these SQL queries to the DuckDB command line interface (CLI), which can allow for both command injection and local file inclusion via a malicious query. This vulnerability could be exploited by any user with a “viewer” permission or higher, according to Grafana Labs.

SQL Expression is enabled by default for the Grafana API, however, Grafana Lab noted that the vulnerability is only exploitable if the DuckDB binary is installed and included in the PATH of the Grafana process’ environment, which is not the default.

SC Media contacted Grafana and asked how many users were believed to be using vulnerable and exploitable versions of the platform, and did not receive a response. The open-source intelligence (OSINT) platform Netlas.io reported that more than 100,000 Grafana instances were “probably vulnerable to CVE-2024-9264” Friday, including nearly 19,000 in the United States.

How to patch Grafana CVE-2024-9264

Grafana released six new versions that resolve the critical vulnerability, including three downloads that only contain the security fix and three that patch the flaw while also upgrading users to the most recent Grafana versions.

Users who want to install the patch without installing the latest version release can download versions 11.0.5+security-01, 11.1.6+security-01 or 11.2.1+security-01.

Users can also simultaneously patch and upgrade to the most recent versions by installing release 11.0.6+security-01, 11.1.7+security-01 or 11.2.2+security-01.  

While Grafana Labs strongly recommended downloading the security patch “as soon as possible,” users can also mitigate the vulnerability by removing the DuckDB binary from their system or the PATH where it is accessible to Grafana. SQL Expressions was the only Grafana feature that utilized DuckDB, the company said.

The vulnerability was first discovered by Grafana staff on Sept. 26, 2024, and Grafana began rolling out the security patch across all channels for Grafana Cloud the following day, according to a timeline published by Grafana Labs.

By Oct. 1, the patch was completed across all Grafana Cloud instances, and the patch for the Grafana Open-Source Software (OSS) and Grafana Enterprise began to be privately released on Oct. 3. The patch completely removes the SQL Expressions functionality.