
Grafana Alloy and Grafana Agent Flow security release: High severity fix for CVE-2024-8975 and CVE-2024-8996

2024-09-25

Note: A bug in the installer for the original fixed versions necessitated another release. As of Thursday, Sept. 26, version numbers in this post have been updated to reflect this change.

Today we released Grafana Alloy v1.4.1 and v1.3.4 with the fix for CVE-2024-8975. This is a high severity issue that applies to Grafana Alloy Windows installations. In addition, we released Grafana Agent v0.43.3 to address the same issue in Flow mode with CVE-2024-8996. Grafana Agent Static mode is unaffected.

Note: Please read the “Mitigations” section carefully. A simple update does not resolve the issue.

Grafana Alloy release v1.4.1, latest release with security patch:

Grafana Alloy release v1.3.4, latest release with security patch:

Grafana Agent release v0.43.3, latest release with security patch:

Alloy: Permission escalation on Windows for local users (CVE-2024-8975)

Summary

The Grafana Alloy Windows installer did not enclose the service executable paths in quotes. This could lead to an escalation of privileges by a local user on the machine. A local user could add an executable named c:\Program.exe, and Windows services would run that executable with elevated privileges instead of Grafana Alloy.

The CVSS 3.1 score for this vulnerability is 7.3 High (AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H).

Impact

This allows an elevation of privileges by a local user on any Windows machine with Grafana Alloy installed.

Impacted versions

Any Grafana Alloy version prior to v1.3.3, and v1.4.0-rc.0 through v1.4.0-rc.1.

Solutions and mitigations

It is recommended that you remove the Grafana Alloy installation and do a clean install. An update will not resolve the issue. Alternatively, add the double quotes around the executable path in the registry entry:

Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Alloy\ImagePath

Timeline and post-incident review

All times are in UTC

  • 2024-04-05 21:02 - Grafana Alloy 1.0 is released with the vulnerability.
  • 2024-09-17 07:24 - Vulnerability is reported by customer.
  • 2024-09-18 08:53 - Fix for vulnerability is checked in.
  • 2024-09-18 13:21:18 - Grafana Alloy v1.4.0 RC is released with fix.
  • 2024-09-25 14:20 - Public release.
  • 2024-09-25 15:00 - Blog published.
  • 2024-09-26 16:20 - Public releases updated.
  • 2024-09-26 16:30 - Blog updated.

Agent (Flow mode): Permission escalation on Windows for local users (CVE-2024-8996)

Summary

The Grafana Agent Flow Windows installer did not enclose the service executable paths in quotes. This could lead to an escalation of privileges by a local user on the machine. A local user could add an executable named c:\Program.exe, and Windows services would run that executable with elevated privileges instead of Grafana Agent Flow mode.

The CVSS 3.1 score for this vulnerability is 7.3 High (AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H).

Impact

This allows an elevation of privileges by a local user on any Windows machine with Grafana Alloy installed.

Impacted versions

All Grafana Agent Flow Windows mode versions prior to v0.43.2.

Solutions and mitigations

It is recommended that you remove the Grafana Agent Flow mode installation and do a clean install. An update will not resolve the issue. Alternatively, add the double quotes around the executable path manually under:

Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Grafana Agent Flow
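As an added example covering the manual mitigation described for both Alloy and Agent Flow mode above (this is not Grafana Labs' code), the PowerShell script below reads each service's ImagePath without expanding environment variables, flags an unquoted executable path that contains spaces, and with -Fix rewrites it quoted; it also reports whether the C:\Program.exe file named in the summaries is present. The service names Alloy and Grafana Agent Flow are taken from the registry paths above; the function name Get-QuotedImagePath is an assumption of this example. Run it from an elevated prompt.

```powershell
# Added example, not Grafana Labs' code: audit (and with -Fix, quote) the
# ImagePath of the Alloy and Grafana Agent Flow services.
param(
    [string[]]$ServiceName = @('Alloy', 'Grafana Agent Flow'),
    [switch]$Fix
)

function Get-QuotedImagePath {
    # Returns the quoted form of an unquoted, space-containing executable path,
    # or $null when the ImagePath is already safe. Helper name is assumed here.
    param([string]$ImagePath)
    if ($ImagePath.StartsWith('"')) { return $null }          # already quoted
    # Split into the executable (up to the first .exe) and optional arguments.
    $m = [regex]::Match($ImagePath, '^(?<exe>.+?\.exe)(?<args>\s.*)?$', 'IgnoreCase')
    if (-not $m.Success) { return $null }                      # not an .exe path
    if ($m.Groups['exe'].Value -notmatch ' ') { return $null } # no spaces: not affected
    return ('"{0}"{1}' -f $m.Groups['exe'].Value, $m.Groups['args'].Value)
}

# A file at C:\Program.exe is what an unquoted path would resolve to first.
if (Test-Path 'C:\Program.exe') {
    Write-Warning 'C:\Program.exe exists; investigate before trusting this host.'
}

foreach ($name in $ServiceName) {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
    if (-not (Test-Path $key)) {
        Write-Output "$name : service key not present"
        continue
    }
    # Read the raw REG_EXPAND_SZ so that %VARIABLES% survive a rewrite.
    $current = (Get-Item $key).GetValue(
        'ImagePath', $null,
        [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
    $quoted = Get-QuotedImagePath $current
    if ($null -eq $quoted) {
        Write-Output "$name : OK -> $current"
        continue
    }
    Write-Output "$name : UNQUOTED PATH WITH SPACES -> $current"
    if ($Fix) {
        Set-ItemProperty -Path $key -Name ImagePath -Value $quoted -Type ExpandString
        Write-Output "$name : rewritten -> $quoted"
    }
}
```

Restart the service after a fix so the service control manager picks up the quoted path; the clean reinstall recommended above remains the preferred remedy.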

Timeline and post-incident review

All times are in UTC

  • 2023-04-25 19:52 - Grafana Agent Flow Windows installer released.
  • 2024-09-17 07:24 - Vulnerability is reported by customer.
  • 2024-09-19 08:08 - Fix for vulnerability is checked in.
  • 2024-09-25 14:20 - Public release.
  • 2024-09-25 15:00 - Blog published.
  • 2024-09-26 16:20 - Public release updated.
  • 2024-09-26 16:30 - Blog updated.

Reporting security issues

If you think you have found a security vulnerability, please go to our Report a security issue page to learn how to send a security report.

Grafana Labs will send you a response indicating the next steps in handling your report. After the initial reply to your report, the security team will keep you informed of the progress towards a fix and full announcement, and may ask for additional information or guidance.

Important: We ask you to not disclose the vulnerability before it has been fixed and announced, unless you received a response from the Grafana Labs security team that you can do so.

Security announcements

We maintain a security category on our blog where we will always post a summary, remediation, and mitigation details for any patch containing security fixes. You can also subscribe to our RSS feed.