CVE-2024-12971
📋 TL;DR
This CVE allows attackers to execute arbitrary operating system commands on Pandora FMS servers by injecting malicious input into vulnerable parameters. It affects all Pandora FMS installations from version 700 through 777.6, potentially giving attackers full control over affected systems.
💻 Affected Systems
- Pandora FMS
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise allowing attackers to execute arbitrary commands as the web server user, potentially leading to data theft, ransomware deployment, or lateral movement within the network.
Likely Case
Attackers gain shell access to the Pandora FMS server, allowing them to read sensitive configuration files, modify monitoring data, or use the server as a pivot point for further attacks.
If Mitigated
With proper input validation and command sanitization, the vulnerability would be prevented, limiting attackers to legitimate application functionality.
🎯 Exploit Status
Exploitation requires finding vulnerable parameters and crafting appropriate command injection payloads. Authentication may be required depending on the specific vulnerable endpoint.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 777.7 and later
Vendor Advisory: https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/
Restart Required: No
Instructions:
1. Backup your current Pandora FMS installation and database.
2. Download the latest version from the official Pandora FMS website.
3. Follow the official upgrade guide for your specific version path.
4. Verify the upgrade was successful by checking the version number.
🔧 Temporary Workarounds
Input Validation Filter
Implement strict input validation for all user-supplied parameters that could be used in system commands
Web Application Firewall Rules
Deploy WAF rules to block command injection patterns in HTTP requests
🧯 If You Can't Patch
- Isolate Pandora FMS servers in a dedicated network segment with strict firewall rules limiting inbound and outbound connections
- Implement network-based intrusion detection systems to monitor for command injection attempts and unusual outbound connections
🔍 How to Verify
Check if Vulnerable:
Check the Pandora FMS version via the web interface (Help → About) or by examining the /var/www/html/pandora_console/include/config.php file
Check Version:
grep 'version' /var/www/html/pandora_console/include/config.php | head -1
Verify Fix Applied:
Confirm the version is 777.7 or higher and test previously vulnerable endpoints with safe command injection test payloads
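The version check above can be scripted so it runs unattended across many consoles. The following Python script is an added example, not part of this advisory or of Pandora FMS itself: it extracts the version string from the console's config file and compares the build number against the 700 through 777.6 affected range stated above. The `$pandora_version` variable name, the `7.0NG.<build>[.<patch>]` string format, and the sample config text are assumptions constructed for the example; adjust the regular expression if your installation stores the version differently.

```python
import re
import sys

# Constructed sample of the config file's version lines (assumed format, not
# taken from the advisory or from a real installation).
SAMPLE_CONFIG = '''<?php
$build_version = "PC240101";
$pandora_version = "7.0NG.777.6";
'''

# Affected range from the advisory: builds 700 through 777.6; fixed in 777.7.
FIRST_AFFECTED = (700, 0)
FIXED_IN = (777, 7)


def extract_version(config_text):
    """Return the value assigned to $pandora_version, or None if absent.
    (Variable name is an assumption about the config file layout.)"""
    m = re.search(r'\$pandora_version\s*=\s*["\']([^"\']+)["\']', config_text)
    return m.group(1) if m else None


def parse_build(version):
    """Turn '7.0NG.777.6' into (777, 6) and '7.0NG.777' into (777, 0).
    Returns None when the string does not carry an 'NG.<build>' component."""
    m = re.search(r'NG\.(\d+)(?:\.(\d+))?', version)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2) or 0))


def is_vulnerable(version):
    """True when the build falls inside the affected range, False when it is
    older than 700 or already at 777.7+, None when the string is unparsable."""
    build = parse_build(version)
    if build is None:
        return None
    return FIRST_AFFECTED <= build < FIXED_IN


def check_config(config_text):
    """Return (version_string, vulnerable_flag) for the given config text."""
    version = extract_version(config_text)
    if version is None:
        return (None, None)
    return (version, is_vulnerable(version))


if __name__ == "__main__":
    # Pass the real config path as argv[1]; otherwise the constructed sample is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    version, vulnerable = check_config(text)
    status = {True: "VULNERABLE (upgrade to 777.7 or later)",
              False: "not in affected range",
              None: "version not recognised"}[vulnerable]
    print(f"Pandora FMS version {version}: {status}")
```

Run it with the path from the section above (`/var/www/html/pandora_console/include/config.php`) as the first argument. A result of "version not recognised" means the file does not match the assumed format and should be inspected by hand rather than treated as safe.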
📡 Detection & Monitoring
Log Indicators:
- Unusual command execution patterns in system logs
- Multiple failed login attempts followed by successful access
- Web server logs showing suspicious characters like ;, |, &, $, (, ) in URL parameters
Network Indicators:
- Unexpected outbound connections from Pandora FMS servers
- Traffic to known malicious IPs or domains
- Unusual port activity from web server processes
SIEM Query:
source="pandora_access.log" AND (uri="*;*" OR uri="*|*" OR uri="*&*" OR uri="*$(*" OR uri="*`*")
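The SIEM query above is a coarse filter, and matching `&` anywhere in the URI will fire on every request that carries more than one query parameter. The following Python script is an added example, not part of this advisory or of Pandora FMS: it applies the same idea to web server access logs but splits the query string on the `&` separator first, percent-decodes each value, and only then looks for shell metacharacters (`;`, `|`, backtick, `$(`, `&&`) inside parameter values, so encoded payloads such as `%3B` are not missed and ordinary multi-parameter URLs are not flagged. The log format regex and the sample log lines are constructed for the example; the hostnames, addresses and parameter names in them are made up.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Combined-style access log line (constructed regex; matches the sample below).
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Shell metacharacters that have no legitimate place in a decoded parameter
# value of a monitoring console: command separator, pipe, backtick,
# command substitution and the && chain operator.
SUSPICIOUS = re.compile(r'[;|`]|\$\(|&&')

# Constructed sample access log (not real Pandora FMS traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2025:10:00:01 +0000] "GET /pandora_console/index.php?sec=view&sec2=operation/agentes/ver_agente&id_agente=12 HTTP/1.1" 200 5123
10.0.0.9 - - [12/Mar/2025:10:00:07 +0000] "GET /pandora_console/index.php?sec=view&host=localhost%3Bwhoami HTTP/1.1" 200 311
10.0.0.5 - - [12/Mar/2025:10:00:09 +0000] "GET /pandora_console/images/logo.png HTTP/1.1" 200 8812
10.0.0.9 - - [12/Mar/2025:10:00:15 +0000] "POST /pandora_console/index.php?page=x&filter=%24%28id%29 HTTP/1.1" 200 12
10.0.0.9 - - [12/Mar/2025:10:00:21 +0000] "GET /pandora_console/index.php?name=%60id%60 HTTP/1.1" 500 0
""".splitlines()


def parse_line(line):
    """Return the log fields as a dict, or None if the line does not match."""
    m = LOG_LINE.match(line)
    return m.groupdict() if m else None


def decoded_params(uri):
    """Yield (name, value) pairs, splitting on the raw '&' separator before
    decoding so a percent-encoded '&' inside a value is not taken as a separator."""
    query = urlsplit(uri).query
    for pair in query.split('&'):
        if not pair:
            continue
        name, _, value = pair.partition('=')
        yield unquote_plus(name), unquote_plus(value)


def flagged_params(uri):
    """Parameters whose decoded value contains a shell metacharacter."""
    return [(n, v) for n, v in decoded_params(uri) if SUSPICIOUS.search(v)]


def scan(lines):
    """Return one hit per log line that carries a suspicious parameter value."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        flagged = flagged_params(rec['uri'])
        if flagged:
            hits.append({'ip': rec['ip'], 'ts': rec['ts'],
                         'uri': rec['uri'], 'params': flagged})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit['ts'], hit['ip'], hit['params'])
```

On the sample, the first line (three parameters joined by `&`) is not reported, while the three requests from 10.0.0.9 are, each with the decoded value that triggered the match. Values that legitimately contain `|` (for example a search filter) will still be reported; tune the pattern per parameter rather than dropping the pipe check, since it is one of the separators the advisory lists. Feed the output to the SIEM alongside the network indicators above, and pair any hit with the version check: a flagged request against a console still at 777.6 or earlier is the case to investigate first.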