NetbyteSEC

Multiple Vulnerabilities in LibreNMs

Title

Multiple Vulnerabilities in LibreNMS

Advisory ID

NBS-2022-0001

Product

LibreNMS

Vulnerable Version

Prior to 22.1.0

Fixed Version

22.2.0

CVE ID

CVE-2022-0575, CVE-2022-0576, CVE-2022-0580, CVE-2022-0587, CVE-2022-0588, CVE-2022-0589

Homepage

https://www.librenms.org

Discovery Date

13 February 2022

Author

Mohammad Faisal Sammio | NetbyteSEC

Product description:

LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring which includes support for a wide range of network hardware and operating systems including Cisco, Linux, FreeBSD, Juniper, Brocade, Foundry, HP and many more.

Source : https://github.com/librenms/librenms

1. Cross-site Scripting (XSS) - Stored in Packagist librenms/librenms

CVE-ID: CVE-2022-0575

Risk: Medium

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Reference: https://github.com/advisories/GHSA-hxmr-5gv9-6p8v

Description: Cross-Site Scripting vulnerability in LibreNMS v22.1.0 allows attackers to execute arbitrary javascript code in the browser of a victim which affected Devices module (Add Device) in sysName, Hardware and Community fields.

2. Cross-site Scripting (XSS) - Generic in Packagist librenms/librenms

CVE-ID: CVE-2022-0576

Risk: Medium

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Reference: https://github.com/advisories/GHSA-rp34-85x3-3764

Description: Cross-Site Scripting vulnerability in LibreNMS v22.1.0 allows attackers to execute arbitrary javascript code which affected the Alerts module (Alert Transport) in the Transport name field.

3. Cross-site Scripting (XSS) - Stored in Packagist librenms/librenms

CVE-ID: CVE-2022-0589

Risk: Medium

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L

Reference: https://github.com/advisories/GHSA-gj26-g5qf-jrh7

Description: Stored XSS in create/modify Transport Groups, Add/Edit Service and Edit Service Template.

4. Improper Access Control in Packagist librenms/librenms

CVE-ID: CVE-2022-0580

Risk: High

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

Reference: https://github.com/advisories/GHSA-33wf-4crm-2322

Description: Improper Access Control vulnerability in LibreNMS v22.1.0 allows users with the normal role/level to interact with port-groups functionality such as create, edit/modify and delete the existing port group. The port-groups functionality fails to enforce policy such that normal users could act outside their intended permissions which are supposedly accessible by the Administrator only.

5. Improper Authorization in Packagist librenms/librenms

CVE-ID: CVE-2022-0587

Risk: High

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

Reference: https://github.com/advisories/GHSA-ppfm-rj6p-38q6

Description: LibreNMS v22.1.0 allows users with the normal role/level to interact with the plugin setting resulting in the users could take action such as switching on/off any installed plugins.

6. Exposure of Sensitive Information to an Unauthorized Actor in Packagist librenms/librenms

CVE-ID: CVE-2022-0588

Risk: High

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

Reference: https://github.com/advisories/GHSA-254q-rqmw-vx45

Description: LibreNMS v22.1.0 allows users with the normal role/level to view/access the alert transport details. The alert transport may expose sensitive information to an actor that is not explicitly authorized to have access to that information.

Solution:

Update to the latest version 22.2.0

Timeline:

2022-02-13: Contacting vendor through Discord and submitting private disclosure to huntr.dev

2022-02-13: Vendor response with acknowledgement and confirms security issue.

2022-02-16: Vendor releases security advisory through Twitter and patches is available on version 22.2.0.

2022-02-18: Public release of security advisory.