CVE-2024-11320
📋 TL;DR
This vulnerability allows attackers to execute arbitrary commands on Pandora FMS servers by exploiting a command injection flaw in the LDAP authentication mechanism. Attackers can gain full control of affected systems. All Pandora FMS installations from version 700 through 777.4 are vulnerable.
💻 Affected Systems
- Pandora FMS
📦 What is this software?
Pandora Fms by Pandorafms
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with attacker gaining root/administrator access, data exfiltration, lateral movement, and persistent backdoor installation.
Likely Case
Unauthorized command execution leading to service disruption, data theft, or deployment of ransomware/malware.
If Mitigated
Limited impact if network segmentation, strict firewall rules, and monitoring prevent exploitation attempts.
🎯 Exploit Status
Exploitation requires LDAP authentication access but command injection is straightforward once authenticated.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 777.5 or later
Vendor Advisory: https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/
Restart Required: Yes
Instructions:
1. Back up your current installation.
2. Download Pandora FMS 777.5 or later from official sources.
3. Follow the upgrade guide at https://pandorafms.com/docs/.
4. Restart all Pandora FMS services.
🔧 Temporary Workarounds
Disable LDAP Authentication
Temporarily disable LDAP authentication to prevent exploitation while planning the upgrade.
Edit Pandora FMS configuration to remove LDAP settings or switch to local authentication
Network Segmentation
Restrict access to the Pandora FMS LDAP port (default 389) to trusted sources only.
# Allow the trusted source first: iptables evaluates rules in order, so this ACCEPT must precede the DROP
# (replace trusted_ip with the actual address or CIDR range)
iptables -A INPUT -p tcp --dport 389 -s trusted_ip -j ACCEPT
# Drop every other connection to port 389
iptables -A INPUT -p tcp --dport 389 -j DROP
🧯 If You Can't Patch
- Implement strict network access controls to limit who can reach the Pandora FMS LDAP interface
- Enable detailed logging and monitoring for suspicious LDAP authentication attempts and command execution patterns
🔍 How to Verify
Check if Vulnerable:
Check Pandora FMS version via web interface or configuration files. Versions 700-777.4 are vulnerable.
Check Version:
grep dbversion /etc/pandora/pandora_server.conf
Alternatively, check the About page in the web interface.
Verify Fix Applied:
Verify version is 777.5 or later and test LDAP authentication functionality.
📡 Detection & Monitoring
Log Indicators:
- Unusual LDAP authentication patterns
- Suspicious command execution in system logs
- Unexpected process creation from Pandora FMS services
Network Indicators:
- Unusual outbound connections from Pandora FMS server
- LDAP authentication from unexpected sources
SIEM Query:
source="pandora_fms" AND (event="command_execution" OR ldap_auth="*;*" OR ldap_auth="*|*")
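The SIEM query above flags LDAP usernames carrying the shell metacharacters `;` and `|`. The following script, added here as an example and not part of the original advisory or of Pandora FMS, applies the same idea offline to a handful of constructed log lines: the log format, the field names and the trusted-network prefixes are assumptions for the example, not Pandora FMS's real log layout. It widens the check slightly beyond the query, also catching `&`, backticks and `$(`, and additionally flags LDAP authentication attempts from sources outside an allowlist, matching the "Network Indicators" item above.

```python
import re

# Shell metacharacters that have no business in an LDAP login name. Covers the
# SIEM query's "*;*" and "*|*" wildcards plus "&", backticks and "$(".
SHELL_META = re.compile(r"[;|&`$]|\$\(")

# Constructed sample log lines for the example (NOT Pandora FMS's actual log format).
SAMPLE_LOG = """\
2024-11-20T10:01:02Z pandora_console ldap_auth user="alice" src=10.0.0.5 result=ok
2024-11-20T10:01:09Z pandora_console ldap_auth user="bob;id" src=203.0.113.7 result=fail
2024-11-20T10:01:10Z pandora_console ldap_auth user="carol|cat /etc/passwd" src=203.0.113.7 result=fail
2024-11-20T10:02:00Z pandora_console ldap_auth user="dave" src=198.51.100.9 result=ok
"""

# Parser for the constructed format above: timestamp, component, quoted user, source IP, result.
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<component>\S+) ldap_auth user="(?P<user>[^"]*)" '
    r'src=(?P<ip>\S+) result=(?P<result>\S+)'
)

# Assumed allowlist of networks that legitimate LDAP logins come from (prefix match).
TRUSTED_NETS = ("10.0.0.", "192.168.")


def scan_ldap_auth(log_text, trusted_prefixes=TRUSTED_NETS):
    """Return one finding per suspicious ldap_auth line, with the reasons it was flagged."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = LINE_RE.match(line)
        if not m:
            continue  # not an ldap_auth event in the assumed format
        reasons = []
        if SHELL_META.search(m["user"]):
            reasons.append("shell metacharacter in LDAP username")
        if not m["ip"].startswith(trusted_prefixes):
            reasons.append("LDAP auth from unexpected source")
        if reasons:
            findings.append({
                "line": lineno,
                "user": m["user"],
                "src": m["ip"],
                "result": m["result"],
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in scan_ldap_auth(SAMPLE_LOG):
        print(f"line {f['line']}: user={f['user']!r} src={f['src']} -> {', '.join(f['reasons'])}")
```

Run against the constructed sample, lines 2 and 3 are flagged for both the metacharacters and the untrusted source, and line 4 only for the untrusted source; a real deployment would replace `LINE_RE` with a pattern for the actual Pandora FMS console log format and feed the function the log file contents.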