LibreNMS 1.65 is affected by an authenticated command-injection vulnerability in the
/about API endpoint. A ‘normal’ privileges attacker can gain Remote Code Execution (RCE) on the LibreNMS host.
“LibreNMS is an autodiscovering PHP/MySQL/SNMP based network monitoring which includes support for a wide range of network hardware and operating systems including Cisco, Linux, FreeBSD, Juniper, Brocade, Foundry, HP and many more”. For more information on LibreNMS, visit https://www.librenms.org/.
/about endpoint reports some information about the LibreNMS such as the web-server and
rrdtool versions in use. Even though it is not shown in the user interface, the
snmpget version information is read via a shell call in https://github.com/librenms/librenms/blob/1.65/app/Http/Controllers/AboutController.php#L82:
Such configuration is manageable also by ‘normal’ privilege users, which is the lowest user privilege possible in LibreNMS, via a single HTTP POST request to
By setting it to a command it is possible to inject arbitrary shell commands in the
/about endpoint rendering.
X-CSRF-TOKENHTTP header and
laravel_sessionHTTP cookies values
[LibreNMS host ip/hostname]/aboutin the logged-in session, which will trigger the malicious command execution and send the HTTP request to our listener:
A low-privileged attacker can gain Remote Code Execution (RCE) on the LibreNMS host.
/settings API endpoints now require administrator privileges.
Upgrade to LibreNMS v1.65.1 or later.
This report was subject to Shielder’s disclosure policy:
`polict` of Shielder
10 July 2020