CVE-2022-29712
📋 TL;DR
CVE-2022-29712 allows remote attackers to execute arbitrary commands on LibreNMS servers through command injection vulnerabilities in service_ip, hostname, and service_param parameters. This affects all LibreNMS v22.3.0 installations, potentially giving attackers full system control. Organizations using this version for network monitoring are at immediate risk.
💻 Affected Systems
- LibreNMS
📦 What is this software?
Librenms by Librenms
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise allowing attackers to execute arbitrary commands with web server privileges, potentially leading to lateral movement, data exfiltration, or ransomware deployment.
Likely Case
Remote code execution leading to installation of backdoors, cryptocurrency miners, or data theft from the monitoring system.
If Mitigated
Limited impact if proper network segmentation, web application firewalls, and least privilege principles are implemented.
🎯 Exploit Status
Multiple public proof-of-concept exploits exist. The vulnerability is in web interface parameters, making exploitation straightforward.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v22.3.1 and later
Vendor Advisory: https://github.com/librenms/librenms/pull/13932
Restart Required: Yes
Instructions:
1. Backup your LibreNMS installation and database.
2. Update LibreNMS using git: 'git pull origin master'.
3. Run database updates: './lnms migrate'.
4. Restart web server: 'systemctl restart apache2' or 'systemctl restart nginx'.
5. Verify update with './lnms version'.
🔧 Temporary Workarounds
Input Validation Web Application Firewall
Deploy WAF rules to block command injection patterns in the service_ip, hostname, and service_param parameters.
ModSecurity rule (scoped to the three affected parameters so that ordinary requests are not blocked):
SecRule ARGS:service_ip|ARGS:hostname|ARGS:service_param "@rx [;&|`$()]" "id:1001,phase:2,deny,status:403,msg:'Command Injection Attempt'"
nginx config (nginx can only inspect the query string here; POST bodies sent to /ajax_form.php need ModSecurity or another body-inspecting WAF):
location ~* \.php$ {
    if ($args ~* "(service_ip|hostname|service_param)=[^&]*([;|`\x24()]|%3B|%7C|%60|%24|%28|%29)") {
        return 403;
    }
}
Network Segmentation
Restrict access to the LibreNMS web interface to trusted IP addresses only (replace trusted_ip with your administrative address or range; the ACCEPT rules must come before the DROP rules):
iptables -A INPUT -p tcp --dport 80 -s trusted_ip -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -s trusted_ip -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -p tcp --dport 443 -j DROP
🧯 If You Can't Patch
- Immediately restrict network access to LibreNMS web interface using firewall rules to only allow trusted administrative IPs
- Implement web application firewall with command injection detection rules and monitor for exploitation attempts
🔍 How to Verify
Check if Vulnerable:
Check the LibreNMS version with './lnms version' or view the web interface footer. If the version is exactly 22.3.0, the system is vulnerable.
Check Version:
./lnms version
Verify Fix Applied:
Verify the version is 22.3.1 or later with './lnms version'. Test service creation with shell metacharacters in the service_ip parameter; the input should be rejected.
📡 Detection & Monitoring
Log Indicators:
- Web server logs showing command injection patterns in service_ip, hostname, or service_param parameters
- System logs showing unexpected process execution from web server user
- LibreNMS logs with error messages related to service parameter validation
Network Indicators:
- HTTP POST requests to /ajax_form.php with shell metacharacters in parameters
- Outbound connections from LibreNMS server to suspicious IPs or domains
SIEM Query:
source="apache_access" AND (uri_path="/ajax_form.php" AND (query="*service_ip=*[;&|`$()]*" OR query="*hostname=*[;&|`$()]*" OR query="*service_param=*[;&|`$()]*"))
(Pseudo-query: adapt the character class to your SIEM's pattern syntax, and include percent-encoded forms such as %3B, %7C and %60, since raw access logs keep the request URI encoded.)
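The log indicators and SIEM query above, and the input-validation workaround earlier, can be checked with a small script. The following is an added example written for this page, not code from LibreNMS or from the advisory: it parses combined-format access log lines, percent-decodes the query string (so encoded metacharacters are not missed), and flags the three affected parameters either when they contain shell metacharacters or when service_ip/hostname fail a plain IP-or-hostname allowlist. All log lines are constructed samples; the endpoint path /ajax_form.php and parameter names come from the advisory, the allowlist and metacharacter set are this example's assumptions.

```python
"""Flag access-log requests to /ajax_form.php whose service_ip, hostname or
service_param values look like command injection (CVE-2022-29712 pattern).

Added example, not part of LibreNMS or of the advisory. Sample log lines
below are constructed for this illustration.
"""
import ipaddress
import re
from typing import List, Optional
from urllib.parse import parse_qsl

WATCHED_PARAMS = ("service_ip", "hostname", "service_param")

# Metacharacters from the advisory's WAF rule, plus newline and redirection
# characters a practitioner would also treat as suspect (assumption).
METACHARS = re.compile(r"[;&|`$()\n<>]")

# Allowlist for a legitimate hostname (RFC 1123 labels); IPs are checked
# separately with the ipaddress module.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*"
    r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$",
    re.IGNORECASE,
)

# Apache/nginx combined log: client ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - admin [12/Apr/2022:10:01:02 +0000] "GET /ajax_form.php?type=service&service_ip=192.0.2.10&hostname=router1.example.net HTTP/1.1" 200 512',
    # percent-encoded semicolon: a glob on a literal ';' would miss this
    '198.51.100.7 - - [12/Apr/2022:10:02:15 +0000] "GET /ajax_form.php?type=service&service_ip=192.0.2.10%3Bid HTTP/1.1" 200 512',
    # literal backtick in hostname
    '198.51.100.7 - - [12/Apr/2022:10:02:40 +0000] "GET /ajax_form.php?type=service&hostname=`uname` HTTP/1.1" 200 512',
    # no metacharacter, but not a valid hostname either: caught by the allowlist
    '198.51.100.7 - - [12/Apr/2022:10:02:55 +0000] "GET /ajax_form.php?type=service&hostname=foo_bar%20x HTTP/1.1" 200 512',
    # metacharacters on an unrelated endpoint: out of scope, ignored
    '10.0.0.5 - admin [12/Apr/2022:10:03:00 +0000] "GET /search.php?q=a;b HTTP/1.1" 200 88',
]


def is_valid_target(value: str) -> bool:
    """True if value is a syntactically valid IP address or hostname."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return bool(HOSTNAME_RE.match(value))


def classify_param(name: str, value: str) -> Optional[str]:
    """Return a reason if the (already decoded) parameter value is suspicious."""
    if METACHARS.search(value):
        return f"{name}: shell metacharacter in {value!r}"
    if name in ("service_ip", "hostname") and not is_valid_target(value):
        return f"{name}: not a valid IP/hostname {value!r}"
    return None


def scan_query(src: str, when: str, query: str) -> List[str]:
    """Scan one decoded-or-encoded query string (or a POST body captured by a
    WAF audit log) for the watched parameters; parse_qsl percent-decodes."""
    findings = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        if name in WATCHED_PARAMS:
            reason = classify_param(name, value)
            if reason:
                findings.append(f"{src} [{when}] {reason}")
    return findings


def scan_line(line: str) -> List[str]:
    """Findings for one access-log line; empty for clean or unrelated lines."""
    m = LOG_RE.match(line)
    if not m:
        return []
    path, _, query = m.group("target").partition("?")
    if path != "/ajax_form.php":
        return []
    return scan_query(m.group("src"), m.group("time"), query)


def scan_log(lines: List[str]) -> List[str]:
    """Run scan_line over a whole log and collect the findings."""
    return [f for line in lines for f in scan_line(line)]


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Access logs only carry the query string, so for the POST requests the advisory describes, feed the request body from a ModSecurity audit log (or any other WAF capture) into scan_query directly. The allowlist check is what catches values that avoid the metacharacter class entirely; tune HOSTNAME_RE if your environment legitimately uses underscores or other characters in device names.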