LibreNMS Authentication Bypass Vulnerability

15 July 2019

 

CVE: CVE-2019-10668
CVSS SCORE: 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N)
XID: XL-19-016
AFFECTED VENDORS: LibreNMS (www.librenms.org)
CREDIT: Eldar Marcussen - xen1thLabs - Software Labs

VULNERABILITY SUMMARY

 

 

Several of the LibreNMS scripts either do not correctly enforce authentication checks or lack them completely. Attackers can take advantage of this to access several scripts, including some that suffer from additional vulnerabilities. This vulnerability can be combined with other vulnerabilities identified by xen1thLabs to achieve unauthenticated remote code execution.

 

TECHNICAL DETAILS

     

 

A number of scripts import the authentication libraries but do not enforce an actual authentication check. Several of these scripts disclose information or expose functions that are sensitive in nature and are not expected to be publicly accessible.

 

PROOF OF CONCEPT 

 

An example can be found in “html/pages/about.inc.php”:

<?php
use LibreNMS\Authentication\LegacyAuth;
$pagetitle[] = 'About';
$git_log = `git log -10`;
?>
<div class="modal fade" id="git_log" tabindex="-1" role="dialog" aria-labelledby="git_log_label" aria-hidden="true">
  <div class="modal-dialog">
    <div class="modal-content">
      <div class="modal-header">

 

 

Figure 1: About library script missing the authentication check

 

 

The missing authentication check can be verified with the following command:

$ curl 'https://host/pages/about.inc.php'
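
A static check for the pattern described under TECHNICAL DETAILS, as an added example that is not part of the original advisory or of LibreNMS: it flags PHP files that import LegacyAuth but never call it. The function names, the constructed GUARDED sample and its LegacyAuth::check() call are assumptions; the advisory does not name the enforcing call.

```python
import re
from pathlib import Path

# Import line shown in the advisory's html/pages/about.inc.php excerpt.
AUTH_IMPORT = re.compile(r"^\s*use\s+LibreNMS\\Authentication\\LegacyAuth\s*;", re.M)
# Any static call on the imported class counts as a use of it.
AUTH_CALL = re.compile(r"\bLegacyAuth::\w+\s*\(")

def strip_comments(src: str) -> str:
    """Drop PHP comments so a commented-out check is not counted.
    Crude: '//' or '#' inside a string is cut too, which can only
    add findings, never hide one."""
    src = re.sub(r"/\*.*?\*/", "", src, flags=re.S)
    return re.sub(r"(?://|#)[^\n]*", "", src)

def classify(src: str) -> str:
    code = strip_comments(src)
    if not AUTH_IMPORT.search(code):
        return "no-auth-import"         # relies entirely on the including script
    if AUTH_CALL.search(code):
        return "auth-referenced"        # still needs a manual look at the logic
    return "imported-not-enforced"      # the pattern this advisory describes

def audit(root) -> dict:
    """Map relative path -> verdict for every .php file needing review."""
    findings = {}
    for path in sorted(Path(root).rglob("*.php")):
        verdict = classify(path.read_text(errors="replace"))
        if verdict != "auth-referenced":
            findings[str(path.relative_to(root))] = verdict
    return findings

# Excerpt from the advisory's Figure 1.
ABOUT_EXCERPT = r"""<?php
use LibreNMS\Authentication\LegacyAuth;
$pagetitle[] = 'About';
$git_log = `git log -10`;
?>"""

# Constructed sample; LegacyAuth::check() is an assumed enforcing call.
GUARDED = r"""<?php
use LibreNMS\Authentication\LegacyAuth;
if (!LegacyAuth::check()) { die('Unauthorized'); }
"""

if __name__ == "__main__":
    import sys
    for name, verdict in audit(sys.argv[1]).items():
        print(f"{verdict:22} {name}")
```

Run it against the html/ directory of a LibreNMS checkout; files reported as "no-auth-import" are only a problem if the web server serves them directly.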

 

AFFECTED SYSTEMS  

  

LibreNMS 1.47 and older

 

SOLUTION  

 

Upgrade to the latest version of LibreNMS 

 

DISCLOSURE TIMELINE 

 

 

 

26/03/2019 - Contacted LibreNMS developer requesting disclosure coordination
28/03/2019 - Provided vulnerability details
16/04/2019 - Version 1.50.1 released which resolves this issue
15/07/2019 - xen1thLabs public disclosure