Security: Attackers can execute their own commands via Grafana vulnerability
The data visualization tool Grafana is vulnerable, and attackers can execute their own commands on systems and view passwords, among other things.
A "critical" security vulnerability in Grafana puts systems at risk. Admins should quickly install one of the secure versions.
Grafana is a cross-platform open source application that collects and visualizes data from various sources such as MySQL or Prometheus. Attackers can now exploit a vulnerability (CVE-2024-9264) to attack computers. If such an attack succeeds, attackers have access to all files on a host PC, according to the Grafana developers. This can also include unencrypted passwords, which attackers can use for further propagation (Network Lateral Movement).
SQL injection
In a warning message, the developers state that only version branches 11.0.x, 11.1.x and 11.2.x are affected. Grafana 10.x is not threatened by the vulnerability. Due to insufficient checks, attackers can inject and execute their own commands via duckdb queries in the context of the SQL expression experimental feature. It is currently not known in detail how such an attack could take place.
The developers assure us that they have closed the vulnerability in the following versions:
- 11.0.5+security-01
- 11.1.6+security-01
- 11.2.1+security-01
- 11.0.6+security-01
- 11.1.7+security-01
- 11.2.2+security-01
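To triage an inventory against the branches and fixed releases named above, here is an added example (not code from the article or from the Grafana project). It assumes the advisory's version list is authoritative, that a release without the "+security-01" suffix sorts below the same number with it, and that branches other than 11.0.x, 11.1.x and 11.2.x are outside the advisory's scope; the host inventory is constructed sample data.

```python
import re
from typing import Dict, Tuple

# Fixed releases listed in the advisory; the lowest per branch is the threshold.
FIXED_VERSIONS = [
    "11.0.5+security-01", "11.1.6+security-01", "11.2.1+security-01",
    "11.0.6+security-01", "11.1.7+security-01", "11.2.2+security-01",
]
AFFECTED_BRANCHES = {(11, 0), (11, 1), (11, 2)}  # per the advisory; 10.x is not affected

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\+security-(\d+))?$")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """'11.1.6+security-01' -> (11, 1, 6, 1); a plain '11.1.6' gets security level 0."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Grafana version: {text!r}")
    major, minor, patch, sec = m.groups()
    return int(major), int(minor), int(patch), int(sec or 0)


def _min_fix_per_branch() -> Dict[Tuple[int, int], Tuple[int, int, int, int]]:
    fixes: Dict[Tuple[int, int], Tuple[int, int, int, int]] = {}
    for v in FIXED_VERSIONS:
        t = parse_version(v)
        if t[:2] not in fixes or t < fixes[t[:2]]:
            fixes[t[:2]] = t
    return fixes


MIN_FIX = _min_fix_per_branch()


def assess(version: str) -> str:
    """Classify one installed version as 'not affected', 'vulnerable' or 'patched'."""
    t = parse_version(version)
    if t[:2] not in AFFECTED_BRANCHES:
        return "not affected"  # assumption: only the listed branches are in scope
    return "patched" if t >= MIN_FIX[t[:2]] else "vulnerable"


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map host name -> status for a {host: version} inventory."""
    return {host: assess(ver) for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = {"grafana-a": "11.2.0", "grafana-b": "11.2.1", "grafana-c": "11.2.1+security-01", "legacy": "10.4.3"}
    for host, status in triage(sample).items():
        print(f"{host}: {status}")
```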
If admins are unable to install security updates immediately, they should protect systems temporarily using a workaround: To do this, they must remove the vulnerable duckdb binary from the system.
Grafana claims to have discovered the vulnerability internally at the end of September this year. The security patches are available immediately. It is currently not known whether there are already attacks. It also remains unclear how admins can detect systems that have already been attacked.
(des)