LibreNMS OS Command Injection Vulnerability Allowing Remote Code Execution

Vulnerability

A remote code execution vulnerability has been identified in LibreNMS versions prior to 24.10.0. It is an authenticated OS command injection: a logged-in user can cause arbitrary commands to run on the server. The flaw spans three code paths, the AboutController's index() method, the SettingsController's update() method, and the PollDevice's initRrdDirectory() method, and is exploited by manipulating certain configuration parameters and creating malicious directory names.

Impact

Exploitation of this vulnerability allows for arbitrary code execution on the server.

Reproduction

To reproduce this vulnerability, an authenticated user can create a new device with a hostname that includes shell metacharacters. Once the device is added, the PollDevice job creates a directory named after the device's hostname, including the injected metacharacters. Afterward, the 'snmpget' configuration variable can be updated to point to a valid system binary, using path traversal to include the malicious directory. Finally, visiting the '/about' page triggers the payload execution.
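The chain above works because an untrusted hostname becomes a filesystem path and an administrator-editable binary path reaches a command line unchecked. The following Python is an added illustration of the defensive pattern that breaks each link (strict hostname grammar, containment of the derived directory, an allowlisted and already-normalized binary path, and argv-style process invocation); it is not LibreNMS's own code. The function names, the allowed binary directories and the base directory /var/lib/librenms/rrd used in the usage call are constructed for this example.

```python
import os
import subprocess
from typing import Callable, List
import re

# Strict hostname grammar (RFC 1123 labels): letters, digits and hyphens, dot separated.
# Shell metacharacters, whitespace, slashes and ".." fall outside this set, so they are
# rejected before the value can reach a directory name or a command line.
_HOSTNAME_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

# Constructed allowlist of directories from which a poller binary may be run.
_ALLOWED_BIN_DIRS = ("/bin", "/usr/bin", "/usr/local/bin")


def is_valid_hostname(name: str) -> bool:
    """True only for a plain DNS hostname; anything else is refused outright."""
    if not name or len(name) > 253:
        return False
    return all(_HOSTNAME_LABEL.match(label) for label in name.split("."))


def rrd_dir_for(base: str, hostname: str) -> str:
    """Derive the per-device RRD directory and refuse any result that escapes base.

    Pure string arithmetic (no filesystem access) so it behaves the same offline.
    """
    if not is_valid_hostname(hostname):
        raise ValueError("refusing unsafe hostname: %r" % hostname)
    base_n = os.path.normpath(os.path.abspath(base))
    target = os.path.normpath(os.path.join(base_n, hostname))
    # Belt and braces: even a validated name must resolve inside the base directory.
    if os.path.commonpath([base_n, target]) != base_n:
        raise ValueError("device directory escapes the RRD base")
    return target


def validate_binary_path(path: str) -> str:
    """Accept a configured binary path only if it is absolute, already normalized
    (no '.' or '..' components) and located in an allowlisted directory."""
    if not os.path.isabs(path):
        raise ValueError("binary path must be absolute")
    if os.path.normpath(path) != path:
        raise ValueError("binary path must not contain '.' or '..' components")
    if os.path.dirname(path) not in _ALLOWED_BIN_DIRS:
        raise ValueError("binary path must live in one of %s" % (_ALLOWED_BIN_DIRS,))
    return path


def unsafe_command_string(snmpget_bin: str, hostname: str, oid: str) -> str:
    """Shown only for contrast: interpolating values into one shell string lets any
    metacharacter in hostname or binary path change what the shell executes."""
    return "%s -v2c -c public %s %s" % (snmpget_bin, hostname, oid)


def build_snmpget_argv(snmpget_bin: str, hostname: str, oid: str) -> List[str]:
    """Hardened form: every value is its own argv element, validated first, and
    subprocess.run(argv) with shell=False passes them to execve without parsing."""
    if not is_valid_hostname(hostname):
        raise ValueError("refusing unsafe hostname: %r" % hostname)
    return [validate_binary_path(snmpget_bin), "-v2c", "-c", "public", hostname, oid]


def run_snmpget(argv: List[str]) -> subprocess.CompletedProcess:
    """Execute the validated argv; shell=False is the default and is kept that way."""
    return subprocess.run(argv, capture_output=True, text=True, timeout=10, check=False)


def rejects(func: Callable, *args) -> bool:
    """Helper: True if func(*args) raises ValueError, i.e. the input was refused."""
    try:
        func(*args)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    argv = build_snmpget_argv("/usr/bin/snmpget", "router1.example.com", "1.3.6.1.2.1.1.1.0")
    print("argv:", argv)
    print("rrd dir:", rrd_dir_for("/var/lib/librenms/rrd", "router1.example.com"))
    print("traversal rejected:", rejects(validate_binary_path, "/usr/bin/../../tmp/snmpget"))
```

The two checks complement each other: the hostname grammar stops metacharacters from ever being written into a directory name, and the binary-path check refuses a value that is absolute and points at a real binary but reaches it through '..' segments, which is exactly the combination the reproduction relies on.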

Remediation

Users are advised to update LibreNMS to version 24.10.0 or later.

Added: May 8, 2026, 6:24 AM
Updated: May 8, 2026, 6:24 AM

Vulnerability Rating

Custom Algorithm

  spread          5.0
  impact         10.0
  exploitability  6.1
  remediation     7.7
  relevance       7.8
  threat          7.3
  urgency         2.9
  incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.