Grafana Alloy and Grafana Agent Flow security release: High severity fix for CVE-2024-8975 and CVE-2024-8996
Note: A bug in the installer for the original fixed versions necessitated another release. As of Thursday, Sept. 26, version numbers in this post have been updated to reflect this change.
Today we released Grafana Alloy v1.4.1 and v1.3.4 with the fix for CVE-2024-8975. This is a high severity issue that applies to Grafana Alloy Windows installations. In addition, we released Grafana Agent v0.43.3 to address the same issue in Flow mode with CVE-2024-8996. Grafana Agent Static mode is unaffected.
Note: Please read the “Mitigations” section carefully. A simple update does not resolve the issue.
- Grafana Alloy release v1.4.1, latest release with security patch
- Grafana Alloy release v1.3.4, latest release with security patch
- Grafana Agent release v0.43.3, latest release with security patch
Alloy: Permission escalation on Windows for local users (CVE-2024-8975)
Summary
The Grafana Alloy Windows installer did not enclose the service executable paths in quotes. This could lead to an escalation of privileges by a local user on the machine. A local user could add an executable named c:\Program.exe, and Windows services would run that executable with elevated privileges instead of Grafana Alloy.
The CVSS 3.1 score for this vulnerability is 7.3 High (AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H).
Impact
This allows an elevation of privileges by a local user on any Windows machine with Grafana Alloy installed.
Impacted versions
Any Grafana Alloy version prior to v1.3.3, and v1.4.0-rc.0 through v1.4.0-rc.1.
Solutions and mitigations
It is recommended that you remove the Grafana Alloy installation and perform a clean install. An in-place update will not resolve the issue, because the existing service registration is left unchanged. Alternatively, enclose the executable path in double quotes in the ImagePath value of the registry entry:
Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Alloy\ImagePath
Timeline and post-incident review
All times are in UTC
- 2024-04-05 21:02 - Grafana Alloy 1.0 is released with the vulnerability.
- 2024-09-17 07:24 - Vulnerability is reported by customer.
- 2024-09-18 08:53 - Fix for vulnerability is checked in.
- 2024-09-18 13:21:18 - Grafana Alloy v1.4.0 RC is released with fix.
- 2024-09-25 14:20 - Public release.
- 2024-09-25 15:00 - Blog published.
- 2024-09-26 16:20 - Public releases updated.
- 2024-09-26 16:30 - Blog updated.
Agent (Flow mode): Permission escalation on Windows for local users (CVE-2024-8996)
Summary
The Grafana Agent Flow Windows installer did not enclose the service executable paths in quotes. This could lead to an escalation of privileges by a local user on the machine. A local user could add an executable named c:\Program.exe, and Windows services would run that executable with elevated privileges instead of Grafana Agent Flow mode.
The CVSS 3.1 score for this vulnerability is 7.3 High (AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H).
Impact
This allows an elevation of privileges by a local user on any Windows machine with Grafana Alloy installed.
Impacted versions
All Grafana Agent Flow Windows mode versions prior to v0.43.2.
Solutions and mitigations
It is recommended that you remove the Grafana Agent Flow mode installation and perform a clean install. An in-place update will not resolve the issue, because the existing service registration is left unchanged. Alternatively, enclose the executable path in double quotes in the ImagePath value under:
Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Grafana Agent Flow
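The following PowerShell audit is an added example, not code from this advisory or from the Alloy and Agent projects. It applies the manual mitigation described for both services above: it lists every service whose ImagePath is unquoted and contains a space, and with -Fix rewrites the value with the executable enclosed in double quotes. The function name is assumed; the service names 'Alloy' and 'Grafana Agent Flow' are the registry keys quoted in this post, and an elevated session is assumed for -Fix.

```powershell
# Added example, not code from the Grafana advisory or the Alloy/Agent projects.
# Lists Windows services whose ImagePath is unquoted and contains a space, the
# defect behind CVE-2024-8975 and CVE-2024-8996, and with -Fix rewrites the value
# with the executable in double quotes. Assumes an elevated PowerShell session.
function Test-UnquotedServicePath {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Restrict the audit to named services, e.g. 'Alloy' or 'Grafana Agent Flow'.
        [string[]]$Name,
        # Rewrite affected ImagePath values in place (honours -WhatIf / -Confirm).
        [switch]$Fix
    )
    $root = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    foreach ($key in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
        $svc = $key.PSChildName
        if ($Name -and $svc -notin $Name) { continue }
        $imagePath = (Get-ItemProperty -Path $key.PSPath -Name ImagePath `
                      -ErrorAction SilentlyContinue).ImagePath
        if (-not $imagePath) { continue }
        $value = $imagePath.Trim()
        # A leading quote means the service control manager already knows
        # where the executable path ends.
        if ($value.StartsWith('"')) { continue }
        # Split the executable from its arguments at the first ".exe" token;
        # kernel drivers (.sys) and other non-.exe entries are skipped.
        if (-not ($value -match '^(?<exe>.*?\.exe)(?<rest>\s.*|$)')) { continue }
        $exe  = $Matches['exe']
        $rest = $Matches['rest']
        # Only a space inside the executable path itself lets CreateProcess try
        # shorter candidates such as C:\Program.exe before the real binary.
        if ($exe -notmatch ' ') { continue }
        $quoted = '"{0}"{1}' -f $exe, $rest
        [pscustomobject]@{ Service = $svc; ImagePath = $imagePath; Quoted = $quoted }
        if ($Fix -and $PSCmdlet.ShouldProcess($svc, "Set ImagePath to $quoted")) {
            # Keep REG_EXPAND_SZ so %SystemRoot%-style paths still expand.
            Set-ItemProperty -Path $key.PSPath -Name ImagePath -Value $quoted -Type ExpandString
        }
    }
}

# Report every affected service, then preview the fix for the Alloy service.
Test-UnquotedServicePath
Test-UnquotedServicePath -Name 'Alloy' -Fix -WhatIf
```

The service control manager reads ImagePath at start time, so a corrected value takes effect on the next service restart.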
Timeline and post-incident review
All times are in UTC
- 2023-04-25 19:52 - Grafana Agent Flow Windows installer released.
- 2024-09-17 07:24 - Vulnerability is reported by customer.
- 2024-09-19 08:08 - Fix for vulnerability is checked in.
- 2024-09-25 14:20 - Public release.
- 2024-09-25 15:00 - Blog published.
- 2024-09-26 16:20 - Public release updated.
- 2024-09-26 16:30 - Blog updated.
Reporting security issues
If you think you have found a security vulnerability, please go to our Report a security issue page to learn how to send a security report.
Grafana Labs will send you a response indicating the next steps in handling your report. After the initial reply to your report, the security team will keep you informed of the progress towards a fix and full announcement, and may ask for additional information or guidance.
Important: We ask you to not disclose the vulnerability before it has been fixed and announced, unless you received a response from the Grafana Labs security team that you can do so.
Security announcements
We maintain a security category on our blog where we will always post a summary, remediation, and mitigation details for any patch containing security fixes. You can also subscribe to our RSS feed.