CVE-2023-34254

7.6 HIGH

📋 TL;DR

CVE-2023-34254 is a command injection vulnerability in GLPI Agent that allows authenticated remote administrators to execute arbitrary commands on Unix systems where the agent runs with elevated privileges. This could lead to full system compromise and disclosure of remote access credentials. Systems running GLPI Agent versions before 1.5 with remoteinventory tasks against Unix platforms are affected.

💻 Affected Systems

Products:
  • GLPI Agent
Versions: All versions before 1.5
Operating Systems: Unix/Linux platforms
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems where glpi-agent runs remoteinventory tasks against Unix platforms using SSH. The agent must be running with administration privileges for full impact.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise with administrative privileges, allowing complete control over the host, credential theft, and lateral movement within the network.

🟠 Likely Case

Privilege escalation to root/admin level on the agent host, enabling installation of backdoors, data exfiltration, and persistence mechanisms.

🟢 If Mitigated

Limited impact if the agent runs with minimal privileges and proper network segmentation prevents lateral movement.

🌐 Internet-Facing: MEDIUM - Requires authenticated remote administrator access, but if exposed, could lead to significant compromise.
🏢 Internal Only: HIGH - Internal administrators with access to Unix systems running vulnerable agents can exploit this for privilege escalation.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated administrator access to the remote Unix system. The command injection occurs in a specific workflow when processing SSH commands.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.5

Vendor Advisory: https://github.com/glpi-project/glpi-agent/security/advisories/GHSA-39vc-hxgm-j465

Restart Required: Yes

Instructions:

1. Stop all glpi-agent services.
2. Back up configuration files.
3. Upgrade to glpi-agent version 1.5 or later using your package manager or from source.
4. Restart glpi-agent services.
5. Verify the upgrade was successful.

🔧 Temporary Workarounds

Disable remoteinventory tasks

Platform: linux

Temporarily disable remoteinventory tasks to prevent exploitation while planning the upgrade.

  • Edit the glpi-agent configuration to remove or comment out remoteinventory tasks
  • Restart the glpi-agent service

Run agent with reduced privileges

Platform: linux

Configure glpi-agent to run with non-administrative privileges to limit impact.

  • Create a dedicated low-privilege user for glpi-agent
  • Modify the service configuration to run as a non-root user
  • Set appropriate file permissions

🧯 If You Can't Patch

  • Implement strict access controls to limit who can access Unix systems where glpi-agent runs remoteinventory tasks.
  • Deploy network segmentation to isolate systems running vulnerable glpi-agent versions from critical infrastructure.

🔍 How to Verify

Check if Vulnerable:

Check the glpi-agent version: 'glpi-agent --version', 'rpm -q glpi-agent' or 'dpkg -l glpi-agent'. If the version is below 1.5 and remoteinventory tasks are configured, the system is vulnerable.

Check Version:

glpi-agent --version

Verify Fix Applied:

Verify that the glpi-agent version is 1.5 or higher: 'glpi-agent --version'. Check that remoteinventory tasks still function properly after the upgrade.
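The version check above can be scripted so that a fleet of Unix hosts can be swept consistently. The POSIX shell script below is an added example, not part of this advisory or of the GLPI project: it parses a version string, decides whether it falls in the affected range (below 1.5), and scans the agent configuration for signs that remote inventory over SSH is enabled. Two things are assumptions rather than facts from the page: the configuration path /etc/glpi-agent/agent.cfg (override with GLPI_CFG) and the "glpi-agent X.Y" shape of the `glpi-agent --version` output, as well as the `tasks` and `remote` configuration keys used to detect remoteinventory.

```shell
#!/bin/sh
# Added example (not the advisory's or the GLPI project's own code).
# Flags a host as affected by CVE-2023-34254 when glpi-agent is older than 1.5
# and the configuration shows remoteinventory over SSH in use.
# ASSUMED: config path, `--version` output format, `tasks`/`remote` keys.

GLPI_CFG="${GLPI_CFG:-/etc/glpi-agent/agent.cfg}"   # assumed default path

# vuln_version VERSION -> 0 if VERSION < 1.5 (affected), 1 if fixed, 2 if unparsable
vuln_version() {
    ver="$1"
    major="${ver%%.*}"
    rest="${ver#*.}"
    if [ "$rest" = "$ver" ]; then rest=0; fi      # "2" -> treat as 2.0
    minor="${rest%%.*}"                           # drop any patch component
    case "$major" in ''|*[!0-9]*) return 2 ;; esac
    case "$minor" in ''|*[!0-9]*) return 2 ;; esac
    if [ "$major" -lt 1 ]; then return 0; fi
    if [ "$major" -eq 1 ] && [ "$minor" -lt 5 ]; then return 0; fi
    return 1
}

# remote_inventory_configured < agent.cfg -> 0 if an uncommented line enables
# remote inventory: either `tasks` lists remoteinventory or `remote` uses ssh://
# (both key names are assumptions about the agent's configuration format).
remote_inventory_configured() {
    found=1
    while IFS= read -r line; do
        line=$(printf '%s' "$line" | sed 's/^[[:space:]]*//')
        case "$line" in
            \#*|'') continue ;;                  # skip comments and blank lines
        esac
        key=$(printf '%s' "$line" | sed 's/[[:space:]]*=.*//')
        val=$(printf '%s' "$line" | sed 's/^[^=]*=[[:space:]]*//')
        case "$key" in
            tasks)  case "$val" in *remoteinventory*) found=0 ;; esac ;;
            remote) case "$val" in *ssh://*)         found=0 ;; esac ;;
        esac
    done
    return "$found"
}

# check_host -> prints a verdict; returns 0 when fixed, 1 when at risk, 2 if unknown
check_host() {
    raw=$(glpi-agent --version 2>/dev/null | head -n 1)
    # ASSUMED: first numeric token of the output is the version, e.g. "glpi-agent 1.4"
    ver=$(printf '%s' "$raw" | sed -n 's/^[^0-9]*\([0-9][0-9.]*\).*/\1/p')
    vuln_version "$ver"
    case $? in
        0)
            if [ -r "$GLPI_CFG" ] && remote_inventory_configured < "$GLPI_CFG"; then
                echo "VULNERABLE: glpi-agent $ver < 1.5 and remoteinventory configured in $GLPI_CFG"
            else
                echo "AT RISK: glpi-agent $ver < 1.5 (remoteinventory not found in $GLPI_CFG); upgrade anyway"
            fi
            return 1 ;;
        1)
            echo "OK: glpi-agent $ver is 1.5 or later"
            return 0 ;;
        *)
            echo "UNKNOWN: could not parse version from '$raw'"
            return 2 ;;
    esac
}

# Only run the live check when the agent binary is present on this host.
if command -v glpi-agent >/dev/null 2>&1; then
    check_host
fi
```

The exit status of `check_host` (0 fixed, 1 at risk, 2 unknown) makes the script usable from configuration-management or SSH-fan-out tooling; an "AT RISK" result still warrants the upgrade, because remote inventory can be enabled later without touching the agent binary.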

📡 Detection & Monitoring

Log Indicators:

  • Unusual command execution patterns in glpi-agent logs
  • SSH connection attempts from glpi-agent to unexpected hosts
  • Process execution with unexpected arguments in system logs

Network Indicators:

  • Unexpected outbound connections from glpi-agent hosts
  • SSH traffic patterns inconsistent with normal inventory operations

SIEM Query:

source="glpi-agent" AND (event="command_execution" OR event="remote_inventory") AND (command="*;*" OR command="*|*" OR command="*`*")
