Status of Korean Servers Exposed to Grafana Vulnerability (CVE-2024-9264)

A critical security vulnerability in Grafana was announced and many Korean servers have been identified as using the vulnerable versions. Grafana is widely known as an open-source platform for visualizing and monitoring data.

 

Figure 1. Grafana login screen

 

CVE-2024-9264, disclosed on October 18th, 2024, is a critical vulnerability with a CVSS score of 9.9 that allows remote command execution (RCE) or local file inclusion (LFI) on Grafana server systems.

If this vulnerability is exploited, one can run arbitrary commands or check certain files in the server even with the viewer privilege, which is the lowest privilege level.

The vulnerable targets are environments where Grafana v11.x is installed and the DuckDB executable is reachable through the PATH environment variable. The feature causing the vulnerability exists only in recent versions, and because DuckDB must also be installed as a prerequisite, the number of servers actually exposed to attacks is expected to be limited. However, remote command execution and file exfiltration are still possible, and since PoC code is publicly available, caution is necessary because the vulnerability can be exploited immediately.

AhnLab SEcurity intelligence Center (ASEC) investigated the vulnerability status of Grafana servers operating in Korea through the ASM service to assess the vulnerability threat exposure status of its clients.

There were 2,285 Grafana servers operating in Korea and version information for 2,168 of these servers was verified. Among these, 2,147 servers are using outdated versions (vulnerable versions), and 99% have been operating without applying updates for an extended period. 674 servers (31%) were identified as using the vulnerable version v11.x of CVE-2024-9264. Many of them were identified as Korean companies, universities, and graduate schools.

 

| IP | Port | Grafana Version | Domain |
|---|---|---|---|
| 210.127.*.168 | 3000 | Grafana v11.0.0 | main-firewall.*************.net |
| 133.186.*.166 | 3000 | Grafana v11.0.0 | ops.*************.co.kr |
| 211.35.*.195 | 53000 | Grafana v11.0.1 | www.*******.co.kr |
| 211.239.*.9 | 80 | Grafana v11.1.3 | app2.*******.co.kr |
| 115.165.*.231 | 8000 | Grafana v11.2.0 | *******.co.kr |
| 183.107.*.52 | 3000 | Grafana v11.0.1 | www.*******.com |
| 218.153.*.217 | 3000 | Grafana v11.1.4 | pay.******.com |
| 1.214.*.250 | 30002 | Grafana v11.2.0 | vpn.**************.co.kr |
| 141.223.*.78 | 55556 | Grafana v11.2.0 | an*els.*******.ac.kr |
| 115.41.*.196 | 6377 | Grafana v11.0.1 | stbt.****.co.kr |
| 58.234.*.82 | 9256 | Grafana v11.1.0 | ze**en.************.net |
| 165.246.*.44 | 3000 | Grafana v11.0.0 | a*x.****.ac.kr |
| 210.220.*.72 | 3000 | Grafana v11.1.3 | bsm.***********.com |

Table 1. Examples of identified vulnerable Grafana servers

 

Figure 2. Grafana server vulnerability exposure status in Korea

 

CVE-2024-9264

A feature to execute SQL expressions was added starting from Grafana v11.0.0. In this feature, SQL queries are not properly filtered, so user-supplied input is passed to the DuckDB CLI as part of the command and the execution results are returned to the caller. SQL functions such as read_text, read_csv, and read_blob can be executed, and by providing a local file path as an argument, one can obtain the file's content.

 

Figure 3. CVE-2024-9264 PoC Screen (LFI)

 

Using a COPY ... TO query, one can write a file with arbitrary content to the system, and shell commands can also be executed by additionally issuing package installation commands. By writing a file containing commands and then reading it back to execute it as a shell command, arbitrary commands can be executed.

 

Figure 4. CVE-2024-9264 PoC Screen (RCE)

 

In a test environment without additional configuration, the vulnerability could be exploited simply by installing the vulnerable versions of Grafana and DuckDB. In environments using Grafana v11.x and DuckDB, the latest update should be applied immediately. In environments that cannot readily apply patches, the risk can be mitigated by removing the DuckDB executable or excluding it from the PATH environment variable.
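The two preconditions above (an 11.x Grafana build and a DuckDB executable reachable via PATH) can be checked on the host itself. The following script is an added example, not ASEC's or Grafana's code; the service process name "grafana", the listener 127.0.0.1:3000 and the fallback to the shell's own PATH are assumptions.

```shell
#!/bin/sh
# Added exposure check (not from ASEC or Grafana). A host is flagged only when
# both preconditions from the post hold: Grafana 11.x AND a duckdb binary on
# PATH. Process name, port and PATH fallback below are assumptions.

# 0 when the version string belongs to the 11.x line named in the post.
is_v11() {
  case "$1" in
    11.*|v11.*|"Grafana v11."*) return 0 ;;
    *) return 1 ;;
  esac
}

# 0 when an executable named duckdb exists in a colon-separated PATH list.
duckdb_on_path() {
  _saved_ifs="$IFS"; IFS=:
  for _dir in $1; do
    if [ -x "$_dir/duckdb" ]; then IFS="$_saved_ifs"; return 0; fi
  done
  IFS="$_saved_ifs"
  return 1
}

# Verdict: returns 0 (exposed) only when both preconditions hold.
assess() {
  if is_v11 "$1" && duckdb_on_path "$2"; then
    echo "EXPOSED: Grafana $1 with duckdb reachable via PATH; patch or remove duckdb"
    return 0
  fi
  echo "not exposed: CVE-2024-9264 preconditions not met (version=$1)"
  return 1
}

# Live run on the Grafana host: version from the unauthenticated /api/health
# endpoint, PATH taken from the running service's environment (assumed process
# name "grafana", assumed listener 127.0.0.1:3000), else the shell's PATH.
live_check() {
  _ver=$(curl -s http://127.0.0.1:3000/api/health 2>/dev/null |
         sed -n 's/.*"version": *"\([^"]*\)".*/\1/p')
  _pid=$(pgrep -x grafana 2>/dev/null | head -n 1)
  _svc_path=$( [ -n "$_pid" ] && tr '\0' '\n' < "/proc/$_pid/environ" 2>/dev/null |
               sed -n 's/^PATH=//p' )
  assess "$_ver" "${_svc_path:-$PATH}"
}

if [ "${1:-}" = "live" ]; then live_check; fi
```

Run it as `sh check.sh live` on the Grafana host; a non-zero exit means the host does not meet both preconditions, which is what the mitigation (removing DuckDB from PATH) is meant to achieve.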

 

The vulnerability discussed in this post can lead to arbitrary command executions or leakage of important files, so significant damage is expected if it is exploited. Continuing to operate with a vulnerable version may expose the system to attacks, so the latest patches should be applied immediately to prevent damage.

In addition to this case, threat actors also attempt to exploit known vulnerabilities in various popular products. Services that are in use should always be kept up to date, and various security settings should be employed to defend against threat actors’ vulnerability scanning and attack attempts. Additionally, it is recommended to regularly check Korean and global security advisories and promptly take action and check for any damage if services are affected.

ASEC publishes security advisories on major vulnerabilities on its blog. Also, if a company operating vulnerable services is identified among AhnLab TIP service subscribers, a customized report is provided. This service ensures that the vulnerability information of our clients is not exposed externally and enables the safe operation of services by delivering the necessary information privately to the clients.

 

AhnLab Security Advisory

[Security Advisory] Grafana Security Update Advisory (CVE-2024-9264)
https://asec.ahnlab.com/en/83991/ 

 

Related Links

https://nvd.nist.gov/vuln/detail/CVE-2024-9264 

https://grafana.com/blog/2024/10/17/grafana-security-release-critical-severity-fix-for-cve-2024-9264/

Gain access to related IOCs and detailed analysis by subscribing to AhnLab TIP. For subscription details, click the banner below.