CVE-2023-4677
📋 TL;DR
This vulnerability allows attackers to obtain administrator session IDs from cron log backup files in Pandora FMS. By accessing these files, attackers can authenticate to the application as administrators without proper credentials. This affects all Pandora FMS installations up to version 772.
💻 Affected Systems
- Pandora FMS
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the Pandora FMS console, allowing attackers to execute arbitrary commands, access sensitive monitoring data, and potentially pivot to other systems.
Likely Case
Unauthorized administrative access to the monitoring system, enabling data theft, configuration changes, and disruption of monitoring services.
If Mitigated
Limited impact if proper access controls prevent directory traversal and file access by unauthorized users.
🎯 Exploit Status
Exploitation requires directory traversal access to the cron logs directory, which is typically accessible to any user who can reach the Pandora FMS console.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 773 and later
Vendor Advisory: https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/
Restart Required: Yes
Instructions:
1. Backup your current Pandora FMS installation.
2. Download version 773 or later from the official Pandora FMS website.
3. Follow the upgrade instructions in the Pandora FMS documentation.
4. Restart all Pandora FMS services after upgrade.
🔧 Temporary Workarounds
Restrict access to cron log directory
Platform: linux
Modify file permissions to prevent unauthorized access to cron log backup files:
chmod 600 /var/log/pandora/cron/*.log
chown root:root /var/log/pandora/cron/*.log
Disable cron log backups
Platform: all
Modify the cron configuration to prevent creation of log backup files containing session IDs: edit the cron configuration to remove or modify the logging that captures session data.
🧯 If You Can't Patch
- Implement strict network access controls to limit who can reach the Pandora FMS console
- Regularly monitor and delete cron log backup files containing sensitive session data
🔍 How to Verify
Check if Vulnerable:
Check the Pandora FMS version; a build number of 772 or lower is vulnerable:
grep 'version' /usr/share/pandora_server/lib/PandoraFMS/Config.pm | grep -o '[0-9]\+'
Check Version:
grep 'version' /usr/share/pandora_server/lib/PandoraFMS/Config.pm
Verify Fix Applied:
Verify that the version is 773 or higher, and check that the cron log files no longer contain session IDs:
grep -r 'session_id' /var/log/pandora/cron/
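The two checks above, combined into one script as an added example (this is not code from the advisory or from the Pandora FMS project). It assumes that the line in Config.pm containing "version" carries the build number as its last run of three or more digits, and that leaked session identifiers appear in the cron log backups under the literal string "session_id" that the advisory greps for; both paths are taken from the advisory and can be overridden so the functions can be exercised against constructed files.

```shell
#!/bin/sh
# Added example, not part of the advisory or of Pandora FMS.
# Assumptions: Config.pm holds the version on a line containing "version"
# whose last run of 3+ digits is the build number (e.g. "7.0NG.772" -> 772);
# leaked session IDs show up in cron log backups as "session_id".

PATCHED_BUILD=773

# Print the build number found in the Config.pm at path $1, or nothing if none.
pandora_build() {
    grep 'version' "$1" 2>/dev/null | grep -o '[0-9]\{3,\}' | tail -n 1
}

# Exit 0 when the build in Config.pm at $1 is below the patched build
# (vulnerable), exit 1 when it is patched or the build cannot be determined.
is_vulnerable_build() {
    build=$(pandora_build "$1")
    [ -n "$build" ] && [ "$build" -lt "$PATCHED_BUILD" ]
}

# Print the number of files under directory $1 that still contain "session_id";
# exit 0 when at least one such file exists, 1 when the directory is clean.
count_leaking_logs() {
    n=$(grep -rl 'session_id' "$1" 2>/dev/null | wc -l | tr -d ' ')
    echo "$n"
    [ "$n" -gt 0 ]
}

# Stand-alone use against the paths named in the advisory:
#   sh check_cve_2023_4677.sh --run
if [ "${1:-}" = "--run" ]; then
    cfg=/usr/share/pandora_server/lib/PandoraFMS/Config.pm
    logdir=/var/log/pandora/cron
    if is_vulnerable_build "$cfg"; then
        echo "build $(pandora_build "$cfg") is below $PATCHED_BUILD: upgrade required"
    else
        echo "build $(pandora_build "$cfg"): patched or could not be determined"
    fi
    leaks=$(count_leaking_logs "$logdir") && echo "$leaks cron log file(s) still contain session_id"
fi
```

Running it with `--run` reports both conditions; after upgrading to 773 or later, the second line should no longer appear once the old backup files have been removed, since patching does not purge session IDs already written to disk.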
📡 Detection & Monitoring
Log Indicators:
- Unauthorized access attempts to cron log directories
- Multiple failed login attempts followed by successful admin login from unusual IP
Network Indicators:
- Unusual HTTP requests to cron log file paths
- Administrative actions from non-admin IP addresses
SIEM Query:
source="pandora_fms" AND (path="*/cron/*.log" OR action="admin_login") | stats count by src_ip, user
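For environments without a SIEM, the same two indicators can be pulled out of the web server's access log. The script below is an added example (not from the advisory or from Pandora FMS): it counts, per source IP, requests whose path points at a cron log file and requests to administrative pages, mirroring the `stats count by src_ip` shape of the query above. The access log lines are constructed for the example, in Apache common-log layout with the request path in the seventh field, and the `/cron/*.log` and `godmode/` path patterns are assumptions to be adjusted to the real console URLs.

```shell
#!/bin/sh
# Added example, not part of the advisory or of Pandora FMS.
# Assumptions: common-log format (request path is field 7); cron log backups
# are reached under a path containing "/cron/" and ending in ".log";
# administrative console pages live under "godmode/".

# Constructed sample access log (not real traffic).
SAMPLE_LOG=$(cat <<'EOF'
10.0.0.5 - - [01/Sep/2023:10:00:01 +0000] "GET /pandora_console/index.php?sec=gagente HTTP/1.1" 200 5120
203.0.113.9 - - [01/Sep/2023:10:02:17 +0000] "GET /pandora_console/../cron/backup_20230901.log HTTP/1.1" 200 8192
203.0.113.9 - - [01/Sep/2023:10:02:30 +0000] "GET /pandora_console/cron/backup_20230831.log HTTP/1.1" 404 512
203.0.113.9 - - [01/Sep/2023:10:03:05 +0000] "GET /pandora_console/index.php?sec=gsetup&sec2=godmode/setup/setup HTTP/1.1" 200 9001
10.0.0.5 - - [01/Sep/2023:10:05:00 +0000] "GET /pandora_console/operation/agentes/estado_agente.php HTTP/1.1" 200 4096
10.0.0.5 - - [01/Sep/2023:10:06:12 +0000] "GET /pandora_console/index.php?sec=gusuarios&sec2=godmode/users/user_list HTTP/1.1" 200 7300
EOF
)

# Read access-log lines on stdin and print one line per source IP that
# touched either indicator: "src_ip<TAB>cron_log_hits<TAB>admin_hits".
# An IP with cron log hits followed by admin hits is the pattern to triage.
summarise_indicators() {
    awk '
        { ip = $1; req = $7 }
        req ~ /\/cron\/.*\.log/ { cron[ip]++; seen[ip] = 1 }
        req ~ /godmode\//       { admin[ip]++; seen[ip] = 1 }
        END {
            for (ip in seen)
                printf "%s\t%d\t%d\n", ip, cron[ip] + 0, admin[ip] + 0
        }
    ' | sort
}

# Run the summary over the constructed sample and return its lines.
detect_sample() {
    printf '%s\n' "$SAMPLE_LOG" | summarise_indicators
}

# Stand-alone use: sh detect_cron_log_access.sh /var/log/httpd/access_log
# (the log path is an assumption; with no argument the sample is used).
if [ -n "${1:-}" ]; then
    summarise_indicators < "$1"
else
    detect_sample
fi
```

On the sample, 203.0.113.9 shows two cron log requests followed by an administrative page request, which is the sequence worth investigating; 10.0.0.5 shows administrative activity alone, which is normal for an operator's address and only becomes interesting when it is not an expected admin IP.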