Pandora FMS 742: Authentication Bypass via SQL Injection Vulnerability

Monitoring solutions are attractive targets for attackers: they typically have access to the devices they monitor and so serve as a starting point for compromising other parts of the infrastructure. Hence we decided to take a closer look at them during the web application security research in our Security R&D team. As a result, we discovered several code vulnerabilities in Pandora FMS console version 742.

Pandora FMS is open source software for monitoring IT infrastructure and networks. It can monitor the status and performance of network equipment, operating systems, virtual infrastructure and many kinds of security-sensitive applications and systems such as firewalls, databases and web servers. Its enterprise edition is used by many industry leaders, for example AON, Allianz and Toshiba.

We reported the following vulnerabilities responsibly to the affected vendor, who immediately released security patch version 743:

  • SQL Injection (pre authentication)
  • Phar deserialization (pre authentication)
  • Remote File Inclusion (lowest privileged user)
  • Cross-Site Request Forgery (CSRF)

These vulnerabilities enable remote attackers to execute arbitrary code on any Pandora FMS 742 server. An attacker needs no prior knowledge, access privileges or specific configuration. The systems connected to Pandora FMS for monitoring may in turn be directly exposed to further attacks.
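The pre-authentication SQL injection listed above allows an authentication bypass, so it is worth seeing what distinguishes an injectable login check from a hardened one. The PHP below is an added illustration written for this summary; it is not Pandora FMS code and does not reproduce the patched function. The table name `users`, its columns, and the function names are assumptions. The unsafe variant builds the query by string concatenation, so user input becomes part of the SQL grammar; the safe variant binds the input as a parameter and verifies the password with `password_verify()` outside SQL.

```php
<?php
// Added illustration, not Pandora FMS code. Table/column names are assumptions.
declare(strict_types=1);

// Vulnerable pattern: user-controlled strings are interpolated into the SQL
// text, so the input can change the structure of the WHERE clause and the
// check no longer depends on knowing a valid password.
function findUserUnsafe(PDO $db, string $user, string $passwordHash): ?array
{
    $sql = "SELECT id_user, is_admin FROM users "
         . "WHERE id_user = '" . $user . "' AND password = '" . $passwordHash . "'";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Hardened pattern: the statement is parsed first and the value is bound
// afterwards as data, so it can never alter the query structure. The password
// is compared against a stored hash with password_verify(), never inside SQL.
function findUserSafe(PDO $db, string $user, string $password): ?array
{
    $stmt = $db->prepare(
        'SELECT id_user, is_admin, password FROM users WHERE id_user = :user'
    );
    $stmt->execute([':user' => $user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password'])) {
        return null;
    }
    unset($row['password']);   // never hand the hash back to the caller
    return $row;
}

// Self-contained demo against an in-memory SQLite database with constructed data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id_user TEXT PRIMARY KEY, password TEXT, is_admin INTEGER)');
$ins = $db->prepare('INSERT INTO users VALUES (:u, :p, :a)');
$ins->execute([
    ':u' => 'admin',
    ':p' => password_hash('correct horse', PASSWORD_DEFAULT),
    ':a' => 1,
]);

var_dump(findUserSafe($db, 'admin', 'correct horse'));  // valid credentials
var_dump(findUserSafe($db, 'admin', 'wrong'));          // wrong password
var_dump(findUserSafe($db, "admin' --", 'anything'));   // quote characters are just data
```

A quick review heuristic for code like this: any query whose text is assembled with `.` or string interpolation from request data is a candidate for the first pattern, regardless of whether the input was passed through an escaping helper first; prepared statements remove the whole class of problem rather than one encoding of it.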

We have published a blog post with a technical root cause analysis of the most severe code vulnerability, a demonstration of how attackers can exploit it (including a video), and a description of how the vulnerable code was patched.

Read blog post


Nice job!