LibreNMS Authenticated Remote Code Execution Vulnerability

Vulnerability

A remote code execution vulnerability has been identified in LibreNMS versions prior to 26.3.0. This vulnerability allows authenticated administrators to execute arbitrary code on the server by manipulating the 'Binary Locations' configuration and using the Netcommand feature. Exploitation involves bypassing input validation to execute malicious scripts, potentially compromising the underlying web server.

Impact

Successful exploitation allows authenticated administrators to execute arbitrary code on the server, with the executed code running under the same user account as LibreNMS, which could lead to a complete system compromise.

Reproduction

To reproduce this vulnerability, an authenticated administrator must first upload a malicious script to a remote server that is accessible from the LibreNMS server. The administrator can then navigate to the 'Binary Locations' settings and change the path of the 'whois' binary to point to 'wget'. After downloading the malicious script using 'wget', the binary path can be switched to 'bash' to execute the script. The exploitation process involves sending a command through the 'Netcommand' AJAX endpoint, which executes the script on the server.

Remediation

Users are advised to update LibreNMS to version 26.3.0 or later. For versions prior to 26.3.0, consider loading binary paths from a configuration file instead of the WebUI, or enforce stricter validations to prevent the bypass that allows remote code execution.
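One way to express the stricter validation suggested above, as an added example that is not LibreNMS code: each binary-location setting may only point to an expected file name inside a trusted directory. The setting names, allowed names, trusted directories and sample values are assumptions constructed for illustration.

```python
import posixpath

# Assumed policy (not taken from LibreNMS): for each binary-location setting,
# the file names it may point to, plus the directories binaries may live in.
EXPECTED_NAMES = {
    "whois": {"whois"},
    "ping": {"ping"},
    "traceroute": {"traceroute"},
}
TRUSTED_DIRS = {"/usr/bin", "/bin", "/usr/sbin", "/sbin"}


def check_binary_path(setting, path):
    """Return the reasons a configured path is rejected (empty list = accepted)."""
    if setting not in EXPECTED_NAMES:
        return ["unknown setting"]
    reasons = []
    if not path.startswith("/"):
        reasons.append("not an absolute path")
    # Normalise so '/usr/bin/../../tmp/whois' cannot pass the directory check.
    normalised = posixpath.normpath(path)
    if normalised != path:
        reasons.append("path is not in normalised form")
    directory, name = posixpath.split(normalised)
    if directory not in TRUSTED_DIRS:
        reasons.append("directory not trusted: " + directory)
    if name not in EXPECTED_NAMES[setting]:
        reasons.append("binary name %r does not match setting %r" % (name, setting))
    return reasons


def audit(settings):
    """Map each offending setting to its rejection reasons."""
    findings = {}
    for setting, path in settings.items():
        reasons = check_binary_path(setting, path)
        if reasons:
            findings[setting] = reasons
    return findings


# Constructed sample: the 'whois' entry mirrors the repointing described above.
SAMPLE = {
    "whois": "/usr/bin/wget",
    "ping": "/bin/ping",
    "traceroute": "/usr/bin/../../tmp/traceroute",
}

if __name__ == "__main__":
    for setting, reasons in audit(SAMPLE).items():
        print(setting, "->", "; ".join(reasons))
```

This checks the configured string only; it does not resolve symlinks or verify the file on disk.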

Added: Apr 13, 2026, 11:18 AM
Updated: Apr 13, 2026, 11:18 AM

Vulnerability Rating

Custom Algorithm

spread: 5.0
impact: 10.0
exploitability: 6.1
remediation: 7.7
relevance: 5.9
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.