URL: https://blog.sonicwall.com/en-us/2024/10/command-injection-and-local-file-inclusion-in-grafana-cve-2024-9264/

COMMAND INJECTION AND LOCAL FILE INCLUSION IN GRAFANA: CVE-2024-9264




By Security News
October 24, 2024

OVERVIEW

The SonicWall Capture Labs threat research team became aware of a critical
vulnerability in Grafana, assessed its impact and developed mitigation measures.
Grafana is a multi-platform open-source analytics and visualization solution
that produces charts, graphs and alerts from the data it queries.

Identified as CVE-2024-9264, the vulnerability affects Grafana versions 11.0.x,
11.1.x and 11.2.x and allows an attacker with the ‘viewer’ permission or higher
to achieve command injection and local file inclusion (LFI) through the
experimental SQL Expressions feature. It carries a critical CVSS score of 9.9.
Because publicly available proof-of-concept (PoC) code exists for this
vulnerability and Grafana is widely deployed, exploitation in the coming days
is likely. Users are therefore strongly encouraged to upgrade their instances
to the latest applicable fixed version listed in the vendor advisory.

TECHNICAL OVERVIEW

This flaw was introduced in Grafana 11 with an experimental feature called
‘SQL Expressions’, which allows the output of data source queries to be
post-processed with SQL. Grafana implements it by handing the SQL query and
the query results, formatted as DataFrames, to the DuckDB command-line binary
in the back end, which executes the query against them. Because the SQL is
passed to DuckDB without being sanitized or restricted, an attacker can use
DuckDB's own functionality to read local files or run commands, which leads to
LFI and command injection.

Although SQL Expressions is experimental and meant to be disabled by default,
it was enabled for the API, so attackers could reach the feature through the
query API without any configuration change on the target. Exploitation does,
however, require the DuckDB binary, which is not bundled with Grafana, to be
installed on the server and reachable through the PATH environment variable of
the Grafana process. This significantly reduces the probability of successful
exploitation against default installations.

The patch disables the SQL Expressions feature by default and removes the
references to DuckDB, as seen in Figure 1.



Figure 1: Patch to address vulnerability

TRIGGERING THE VULNERABILITY

Leveraging the vulnerability described above requires the attacker to meet the
following prerequisites:

 1. A DuckDB binary must have been installed manually on the target system and
    its location added to the PATH of the Grafana process.
 2. The attacker must have network access to the vulnerable Grafana instance
    and an account with the ‘viewer’ permission or higher.
 3. The attacker must create a dashboard containing a Reduce or Math
    expression, as seen in Figure 2, intercept the resulting query request,
    change the expression type to ‘sql’ and inject the malicious SQL
    expression.



Figure 2: Dashboard with Math expression
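Because prerequisite 1 is what separates a vulnerable version from an exploitable host, a defender's first question is whether the DuckDB CLI is actually reachable from the PATH of the running Grafana process. The following Python is an added example (not SonicWall's or Grafana's code) that answers that on a Linux host by reading the process environment from /proc; the /proc layout it relies on (NUL-separated /proc/<pid>/environ, /proc/<pid>/comm) and the "grafana" command-name prefix are assumptions, and the environ blob in the usage example is constructed.

```python
import os
import posixpath
from typing import Callable, Dict, Iterator, List, Optional

# Added example, not SonicWall's or Grafana's code. Checks whether a `duckdb`
# executable is reachable from the PATH of each running Grafana process, the
# prerequisite that exploitation of CVE-2024-9264 depends on.


def parse_environ(blob: bytes) -> Dict[str, str]:
    """Parse a /proc/<pid>/environ blob: NUL-separated KEY=VALUE entries."""
    env: Dict[str, str] = {}
    for entry in blob.split(b"\0"):
        if b"=" in entry:
            key, _, value = entry.partition(b"=")
            env[key.decode(errors="replace")] = value.decode(errors="replace")
    return env


def find_on_path(path_value: str, name: str = "duckdb",
                 is_executable: Optional[Callable[[str], bool]] = None) -> Optional[str]:
    """Return the first PATH entry holding an executable `name`, or None.

    `is_executable` is injectable so the search can be exercised against
    constructed data; by default it consults the real filesystem.
    """
    if is_executable is None:
        is_executable = lambda p: os.path.isfile(p) and os.access(p, os.X_OK)
    for directory in path_value.split(":"):   # Linux PATH separator
        if not directory:
            continue                            # empty entry means "." - ignore
        candidate = posixpath.join(directory, name)
        if is_executable(candidate):
            return candidate
    return None


def grafana_pids(proc_root: str = "/proc") -> Iterator[int]:
    """Yield PIDs whose command name starts with "grafana" (assumed prefix)."""
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            with open(posixpath.join(proc_root, entry, "comm")) as f:
                comm = f.read().strip()
        except OSError:
            continue
        if comm.startswith("grafana"):
            yield int(entry)


def check_host(proc_root: str = "/proc") -> List[Dict[str, Optional[str]]]:
    """Report, per Grafana process, whether duckdb sits on its PATH."""
    results: List[Dict[str, Optional[str]]] = []
    for pid in grafana_pids(proc_root):
        try:
            with open(posixpath.join(proc_root, str(pid), "environ"), "rb") as f:
                env = parse_environ(f.read())
        except OSError:
            # Reading another user's environ needs root; report and move on.
            results.append({"pid": str(pid), "path": None, "duckdb": "unreadable environ"})
            continue
        path_value = env.get("PATH", "")
        results.append({"pid": str(pid), "path": path_value,
                        "duckdb": find_on_path(path_value)})
    return results


if __name__ == "__main__":
    # Constructed environ blob, as /proc/<pid>/environ would present it.
    sample = b"PATH=/usr/local/bin:/usr/bin\0HOME=/var/lib/grafana\0"
    print(find_on_path(parse_environ(sample)["PATH"],
                       is_executable=lambda p: p == "/usr/bin/duckdb"))
    for r in check_host():
        print(r)
```

Run it as root on the Grafana host; a non-None `duckdb` entry for a Grafana process means prerequisite 1 is satisfied and the version check in the advisory becomes urgent. Note that the PATH seen here is the one inherited by the running process (for example from a systemd unit), which may differ from the interactive shell PATH of the grafana user.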

EXPLOITATION

Successful exploitation allows a remote, authenticated threat actor to execute
arbitrary code or read sensitive files on the server. The vulnerability has a
high impact on the confidentiality, integrity and availability of the system
and requires no user interaction.

We leveraged publicly available analysis to achieve an LFI on Grafana v11.2.1.
As described in step 3 of the previous section, the malicious SQL expression
was injected using DuckDB's read_csv_auto() function, as seen in Figure 3. The
server responds with the contents of the Linux password file.



Figure 3: Exploit request for LFI
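The request in Figure 3 is what a network-side signature such as the IPS entry below keys on: a query sent to Grafana's expression engine with type ‘sql’ whose expression calls a DuckDB file-reading function. The following Python is an added example (not SonicWall's, Grafana's or the PoC author's code) of that detection logic run over constructed request bodies. The body shape it parses (a `queries` array whose entries name the datasource `__expr__`) follows the public PoC, and the list of flagged DuckDB functions is an assumption to extend; it also reports any use of SQL expressions at all, since the feature is experimental and meant to be disabled.

```python
import json
import re
from typing import Any, Dict, List

# Added example, not SonicWall's or Grafana's code. Flags Grafana query API
# bodies (POST /api/ds/query) that carry a server-side expression of type
# "sql" and, within it, DuckDB functions that read local files. The DuckDB
# function list is an assumption; extend it for your environment.
FILE_READ_FUNCS = re.compile(
    r"\b(read_csv_auto|read_csv|read_text|read_blob|read_json_auto|read_json|read_parquet)\s*\(",
    re.IGNORECASE,
)


def _is_expression_datasource(ds: Any) -> bool:
    """Grafana names the expression engine "__expr__", as a string or an object."""
    if isinstance(ds, str):
        return ds == "__expr__"
    if isinstance(ds, dict):
        return ds.get("type") == "__expr__" or ds.get("uid") == "__expr__"
    return False


def classify_request(body: str) -> List[Dict[str, str]]:
    """Return one finding per SQL expression in the body; empty if none."""
    try:
        doc = json.loads(body)
    except (json.JSONDecodeError, TypeError):
        return []
    if not isinstance(doc, dict):
        return []
    findings: List[Dict[str, str]] = []
    for q in doc.get("queries", []):
        if not isinstance(q, dict) or not _is_expression_datasource(q.get("datasource")):
            continue                       # ordinary datasource query, not the expression engine
        if str(q.get("type", "")).lower() != "sql":
            continue                       # math/reduce/resample expressions are not affected
        expr = str(q.get("expression", ""))
        ref_id = str(q.get("refId", "?"))
        m = FILE_READ_FUNCS.search(expr)
        if m:
            findings.append({"refId": ref_id, "severity": "high",
                             "reason": f"DuckDB file read via {m.group(1)}()"})
        else:
            findings.append({"refId": ref_id, "severity": "info",
                             "reason": "SQL Expressions in use (experimental feature, should be disabled)"})
    return findings


# Constructed request bodies for demonstration; not captured traffic.
_EXPR = {"type": "__expr__", "uid": "__expr__"}
SAMPLE_BODIES = {
    "math": json.dumps({"queries": [{"refId": "B", "datasource": _EXPR,
                                     "type": "math", "expression": "$A * 2"}],
                        "from": "now-6h", "to": "now"}),
    "sql_benign": json.dumps({"queries": [{"refId": "B", "datasource": _EXPR,
                                           "type": "sql", "expression": "SELECT * FROM A LIMIT 10"}]}),
    "sql_lfi": json.dumps({"queries": [{"refId": "B", "datasource": _EXPR, "type": "sql",
                                        "expression": "SELECT * FROM read_csv_auto('/etc/passwd')"}]}),
    # A real datasource query is outside the expression engine even if its text looks alarming.
    "postgres": json.dumps({"queries": [{"refId": "A",
                                         "datasource": {"type": "grafana-postgresql-datasource", "uid": "P1"},
                                         "rawSql": "select * from read_csv_auto('/etc/passwd')",
                                         "format": "table"}]}),
}


def scan(bodies: Dict[str, str]) -> Dict[str, List[Dict[str, str]]]:
    """Classify every body and keep only those with findings."""
    return {name: f for name, body in bodies.items() if (f := classify_request(body))}


if __name__ == "__main__":
    for name, findings in scan(SAMPLE_BODIES).items():
        print(name, findings)
```

Only the `sql_lfi` body rates "high"; `sql_benign` rates "info" because any SQL expression reaching the API indicates the experimental feature is enabled, and the `math` and `postgres` bodies produce nothing. Applying this requires access to request bodies, so it belongs in a reverse proxy, WAF or IPS in front of Grafana rather than in web-server access logs, which normally record only the request line.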

SONICWALL PROTECTIONS

To ensure SonicWall customers are prepared for any exploitation that may occur
due to this vulnerability, the following signatures have been released:

 * IPS: 4522 Grafana SQL Expressions Local File Inclusion

REMEDIATION RECOMMENDATIONS

The users of Grafana are strongly encouraged to upgrade their instances to the
latest version, as mentioned in the vendor advisory.

RELEVANT LINKS

 * Vendor advisory
 * POC
 * https://zekosec.com/blog/file-read-grafana-cve-2024-9264/
 * Patch

Security News

The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets
cross-vector threat information from the SonicWall Capture Threat network,
consisting of global devices and resources, including more than 1 million
security sensors in nearly 200 countries and territories. The research team
identifies, analyzes, and mitigates critical vulnerabilities and malware daily
through in-depth research, which drives protection for all SonicWall customers.
In addition to safeguarding networks globally, the research team supports the
larger threat intelligence community by releasing weekly deep technical analyses
of the most critical threats to small businesses, providing critical knowledge
that defenders need to protect their networks.
Categories: Threat intelligence
Tags: Security News
