
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2024-8975 is an Unquoted Search Path or Element vulnerability affecting Grafana Alloy on Windows systems. The vulnerability was discovered on September 17, 2024, and publicly disclosed on September 25, 2024. It affects Grafana Alloy versions before 1.3.3 and versions 1.4.0-rc.0 through 1.4.0-rc.1 (Grafana Advisory, NVD).
The vulnerability stems from the Grafana Alloy Windows installer not properly enclosing service executable paths in quotes. This is classified as CWE-428 (Unquoted Search Path or Element). The vulnerability has received a CVSS 3.1 base score of 7.8 HIGH (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) from NIST and 7.3 HIGH (AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H) from Grafana Labs (NVD).
The vulnerability allows privilege escalation from a local user to SYSTEM privileges on Windows machines with Grafana Alloy installed. Because the service path is not quoted, Windows resolves it by trying the portion before each space as an executable first. An attacker could exploit this by adding an executable named c:\Program.exe, which Windows services would then run with elevated privileges instead of Grafana Alloy (Grafana Blog).
Grafana Labs recommends completely removing the Grafana Alloy installation and performing a clean install, as a simple update will not resolve the issue. Alternatively, users can manually add double quotes to the registry entry at Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Alloy\ImagePath. Fixed versions are available in Grafana Alloy v1.4.1 and v1.3.4 (Grafana Blog).
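To verify the registry mitigation described above, the following read-only check is an added example, not code from Grafana or the advisory. The function names are hypothetical, the sample paths are constructed, and the parsing assumes the service executable ends in `.exe`; it reports whether an ImagePath value is unquoted with a space in the executable portion and shows the quoted form.

```powershell
# Added example: read-only audit for CWE-428 (unquoted service path containing spaces).
# Assumption: the service binary ends in ".exe"; anything after it is treated as arguments.
$pattern = '^(?<exe>.+?\.exe)(?<args>\s.*)?$'

function Test-UnquotedServicePath {
    param([Parameter(Mandatory)][string]$ImagePath)
    $value = $ImagePath.Trim()
    if ($value.StartsWith('"')) { return $false }          # already quoted
    if (-not ($value -match $pattern)) { return $false }   # no .exe found (e.g. a driver path)
    return ($Matches['exe'] -match '\s')                    # space inside the unquoted executable path
}

function Get-QuotedServicePath {
    param([Parameter(Mandatory)][string]$ImagePath)
    $value = $ImagePath.Trim()
    if ((Test-UnquotedServicePath $value) -and ($value -match $pattern)) {
        # Quote only the executable; keep the arguments exactly as they were.
        return ('"{0}"{1}' -f $Matches['exe'], $Matches['args'])
    }
    return $value
}

function Get-ServicePathReport {
    param([Parameter(Mandatory)][string]$ImagePath)
    [pscustomobject]@{
        ImagePath = $ImagePath
        Unquoted  = (Test-UnquotedServicePath $ImagePath)
        Suggested = (Get-QuotedServicePath $ImagePath)
    }
}

# Constructed sample values (not taken from any real installation).
$samples = @(
    'C:\Program Files\ExampleVendor\Agent\agent.exe run C:\ProgramData\agent\config',
    '"C:\Program Files\ExampleVendor\Agent\agent.exe" run C:\ProgramData\agent\config',
    'C:\Tools\agent.exe run'
)
$samples | ForEach-Object { Get-ServicePathReport $_ } | Format-List

# Check the Alloy service key named in the advisory, if it exists on this host.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Alloy'
if (Test-Path $key) {
    $current = (Get-ItemProperty -Path $key -Name ImagePath).ImagePath
    Get-ServicePathReport $current | Format-List
}
```

The script only reads the registry; applying the suggested value is left to the manual edit or clean reinstall the advisory describes.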
Source: This report was generated using AI