CVE-2024-51092: LibreNMS has an Authenticated OS Command Injection
An authenticated attacker can create dangerous directory names on the system and alter sensitive configuration parameters through the web portal. Those two defects combined then allows to inject arbitrary OS commands inside shell_exec()
calls, thus achieving arbitrary code execution.
With all this, an authenticated attacker can:
- Create a malicious Device with shell metacharacters inside its hostname
- Force the creation of directory containing shell metacharacters through the PollDevice job
- Modify the
snmpget
configuration variable to point to a valid system binary, while also using the directory created in the previous step via a path traversal (i.e:/path/to/install/dir/rrd/<DEVICE_HOSTNAME>/../../../../../../../bin/ls
) - Trigger a code execution via the
shell_exec()
call contained in theAboutController.php
script
References
Detect and mitigate CVE-2024-51092 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →