CVE-2024-12992
📋 TL;DR
This critical vulnerability in Pandora FMS allows attackers to execute arbitrary operating system commands through improper input sanitization, leading to remote code execution. It affects all Pandora FMS installations from version 700 through 777.6, potentially compromising the entire monitoring system and underlying infrastructure.
💻 Affected Systems
- Pandora FMS
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise allowing attackers to execute arbitrary commands as the Pandora FMS service account, potentially gaining root/system privileges, exfiltrating sensitive data, deploying ransomware, or establishing persistent backdoors.
Likely Case
Attackers gain initial foothold on the Pandora FMS server, allowing them to pivot to other systems, steal monitoring data, or disrupt monitoring operations.
If Mitigated
Attack is contained to the Pandora FMS application with limited service account privileges, preventing lateral movement and minimizing data exposure.
🎯 Exploit Status
Command injection vulnerabilities typically have low exploitation complexity once the injection point is identified.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 777.7 and later
Vendor Advisory: https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/
Restart Required: Yes
Instructions:
1. Backup your current Pandora FMS installation and database.
2. Download version 777.7 or later from the official Pandora FMS website.
3. Follow the official upgrade documentation for your specific deployment.
4. Restart all Pandora FMS services after upgrade completion.
🔧 Temporary Workarounds
Network Segmentation
Isolate Pandora FMS servers from critical infrastructure and internet access
Service Account Restriction
Run Pandora FMS with minimal privileges and restrict command execution capabilities

```shell
# Example for Linux: create a limited, non-login service user
sudo useradd -r -s /bin/false pandora_user
# Set appropriate file permissions so the service user owns the application files
sudo chown -R pandora_user:pandora_user /var/www/pandora
```
🧯 If You Can't Patch
- Immediately isolate affected systems from production networks and internet access
- Implement strict network monitoring and alerting for suspicious command execution patterns
🔍 How to Verify
Check if Vulnerable:
Check the Pandora FMS version via the web interface (Help → About) or by examining the /var/www/html/pandora_console/include/config.php file version string
Check Version:
```shell
grep 'version' /var/www/html/pandora_console/include/config.php | head -1
```
Verify Fix Applied:
Confirm that the installed version is 777.7 or higher, and verify that inputs which previously reached the shell are now properly sanitized
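A script, added here as an example and not part of the advisory or of Pandora FMS, that automates the version check above: it pulls the version number out of a config.php-style file, decides whether it lies in the affected range 700 through 777.6, and prints a verdict. It assumes the version sits on a line containing `pandora_version` in a form such as `7.0NG.777.6` (that variable name and that format are assumptions; check your own config.php and adjust the grep if it differs), and the sample file it creates is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the advisory or from Pandora FMS: extract the
# version number from a config.php-style file and decide whether it is in the
# affected range (700 through 777.6; 777.7 and later are fixed).
# Assumption: the version is on a line containing "pandora_version", e.g.
#   $pandora_version = "7.0NG.777.6";
# Verify the variable name in your own config.php before relying on this.

CONFIG_PATH="${CONFIG_PATH:-/var/www/html/pandora_console/include/config.php}"

# Print the "major[.minor]" part of a version string (e.g. 777.6), or nothing
# if the string contains no three-digit version number.
pandora_numeric_version() {
    printf '%s\n' "$1" | grep -oE '[0-9]{3}(\.[0-9]+)?' | head -n 1
}

# Return 0 if the version is in the affected range 700..777.6,
# 1 if it is outside that range, 2 if no version number could be parsed.
is_affected_version() {
    ver=$(pandora_numeric_version "$1")
    [ -n "$ver" ] || return 2
    major=${ver%%.*}
    minor=${ver#*.}
    [ "$minor" = "$ver" ] && minor=0      # no minor part, e.g. "777"
    if [ "$major" -lt 700 ] || [ "$major" -gt 777 ]; then
        return 1
    fi
    if [ "$major" -eq 777 ] && [ "$minor" -gt 6 ]; then
        return 1
    fi
    return 0
}

# Print the numeric version found on the pandora_version line of a config file.
config_file_version() {
    pandora_numeric_version "$(grep -i 'pandora_version' "$1" | head -n 1)"
}

# Print a verdict for a config file; exit status as for is_affected_version.
report_config_file() {
    ver=$(config_file_version "$1")
    is_affected_version "$ver" && status=0 || status=$?
    case $status in
        0) echo "VULNERABLE: $1 is version $ver (affected range 700 through 777.6)" ;;
        1) echo "OK: $1 is version $ver (777.7 or later, or below 700)" ;;
        *) echo "UNKNOWN: no version number found in $1" ;;
    esac
    return $status
}

# Demonstration on a constructed sample file (not a real Pandora FMS config).
SAMPLE_DIR=$(mktemp -d)
printf '%s\n' '<?php' '$pandora_version = "7.0NG.777.6";' \
    '$build_version = "BUILD_PLACEHOLDER";' > "$SAMPLE_DIR/config.php"
report_config_file "$SAMPLE_DIR/config.php" || true
rm -rf "$SAMPLE_DIR"

# Then the real installation, if this host has one at the default path.
if [ -f "$CONFIG_PATH" ]; then
    report_config_file "$CONFIG_PATH" || true
fi
```

Set `CONFIG_PATH` to point the check at a non-default console directory; the exit status of `report_config_file` (0 vulnerable, 1 fixed, 2 unknown) makes it usable from a fleet-wide inventory job.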
📡 Detection & Monitoring
Log Indicators:
- Unusual command execution in system logs
- Pandora FMS logs showing unexpected shell commands
- Multiple failed authentication attempts followed by command execution
Network Indicators:
- Unexpected outbound connections from Pandora FMS servers
- Traffic to known malicious IPs or domains
SIEM Query:
```
source="pandora_logs" AND (command="*sh*" OR command="*bash*" OR command="*cmd*" OR command="*powershell*")
```
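The SIEM query above, run locally over sample log lines as an added example that is not from the advisory. It assumes a key=value log format with a `command` field (an assumption about the log source; the sample lines are constructed for this example). It also shows why the wildcard patterns are noisy: `*sh*` matches `ssh` as well as `sh`, so a second, stricter matcher only fires when an interpreter name appears as its own word or path component.

```shell
#!/bin/sh
# Added example, not from the advisory: apply the SIEM query's interpreter-name
# check to log lines on the command line, and compare it with a tighter check.
# Assumption: each line carries a key=value field named "command"; the sample
# lines below are constructed and are not real Pandora FMS log output.

# Broad check, equivalent to the SIEM query's wildcards: any "sh", "bash",
# "cmd" or "powershell" substring in the command field. Noisy: "ssh",
# "fish" and "refresh" all contain "sh".
broad_match() {
    printf '%s\n' "$1" | grep -Eq 'command="[^"]*(sh|bash|cmd|powershell)[^"]*"'
}

# Stricter check: the command field starts with, or contains after a space,
# slash or backslash, a shell interpreter name (optionally with .exe).
strict_match() {
    printf '%s\n' "$1" | grep -Eq \
        'command="([^"]*[ /\\])?(sh|bash|dash|zsh|cmd|powershell|pwsh)(\.exe)?( [^"]*)?"'
}

# Print each stdin line that the named matcher function flags, tagged with the
# matcher's name so the two checks can be compared side by side.
scan_log() {
    matcher=$1
    while IFS= read -r line; do
        if "$matcher" "$line"; then
            printf '%s\t%s\n' "$matcher" "$line"
        fi
    done
}

# Count the stdin lines flagged by the named matcher.
count_flagged() {
    scan_log "$1" | wc -l | tr -d ' '
}

# Constructed sample log (not real Pandora FMS output): one routine command,
# one ssh false positive for the broad check, and three interpreter launches.
SAMPLE_LOG='ts=2024-01-01T10:00:00Z source=pandora_logs user=admin command="ls /var/log/pandora"
ts=2024-01-01T10:00:05Z source=pandora_logs user=admin command="ssh monitor@host01 uptime"
ts=2024-01-01T10:00:09Z source=pandora_logs user=www-data command="/bin/sh -c uptime"
ts=2024-01-01T10:00:12Z source=pandora_logs user=www-data command="cmd.exe /c ver"
ts=2024-01-01T10:00:15Z source=pandora_logs user=www-data command="powershell -NoProfile Get-Service"'

echo "Broad (SIEM-query) matches:"
printf '%s\n' "$SAMPLE_LOG" | scan_log broad_match
echo "Strict interpreter matches:"
printf '%s\n' "$SAMPLE_LOG" | scan_log strict_match
```

On the sample, the broad check flags four lines (including the `ssh` session) while the strict check flags the three interpreter launches; in a real deployment, baseline which interpreter invocations the monitoring server legitimately makes before alerting on every hit.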