CVE-2024-35304
📋 TL;DR
This vulnerability allows remote attackers to execute arbitrary system commands on Pandora FMS servers through improper input validation in the Netflow function. It affects Pandora FMS versions from 700 through 776, enabling potential full system compromise.
💻 Affected Systems
- Pandora FMS
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain full remote code execution, leading to data theft, system takeover, or deployment of ransomware across the network.
Likely Case
Unauthenticated attackers exploit the flaw to execute commands, potentially compromising the server and pivoting to internal systems.
If Mitigated
With strict network segmentation and input validation, impact is limited to isolated server compromise without lateral movement.
🎯 Exploit Status
Exploitation is straightforward due to command injection via improper input validation, but no public proof-of-concept has been confirmed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 777
Vendor Advisory: https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/
Restart Required: Yes
Instructions:
1. Backup your Pandora FMS configuration and data.
2. Upgrade to version 777 or later from the official Pandora FMS repository.
3. Restart the Pandora FMS services to apply the patch.
🔧 Temporary Workarounds
Disable Netflow Function
Temporarily disable the Netflow feature to block the attack vector until patching is possible.
Edit Pandora FMS configuration to set netflow_enabled = 0 and restart services.
Network Segmentation
Restrict access to Pandora FMS servers to trusted IPs only using firewall rules.
iptables -A INPUT -p tcp --dport <Pandora_port> -s <trusted_IP> -j ACCEPT
iptables -A INPUT -p tcp --dport <Pandora_port> -j DROP
🧯 If You Can't Patch
- Implement strict input validation and sanitization for Netflow data inputs to block command injection attempts.
- Monitor and audit system logs for unusual command execution patterns and isolate the server from critical networks.
🔍 How to Verify
Check if Vulnerable:
Check the Pandora FMS version; if it is between 700 and 776, the system is vulnerable.
Check Version:
cat /usr/share/pandora_server/VERSION or check via Pandora FMS web interface under 'About'.
Verify Fix Applied:
After upgrading, confirm the version is 777 or higher and test Netflow functionality for any command injection attempts.
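The version check above can be scripted so it gives a consistent verdict across a fleet of servers. The following is an added example written for this page, not Pandora FMS's own tooling. It reads the VERSION file path named above and compares the numeric build against the affected range 700-776; the assumption that the file holds a string such as "7.0NG.776" (or a bare build number) is mine, and the parser falls back to the web interface's 'About' page when it cannot recognise the string.

```python
import re
from pathlib import Path
from typing import Optional

# Path named in the advisory; the exact contents of the file are an assumption
# for this example (e.g. "7.0NG.776" or simply "776").
VERSION_FILE = "/usr/share/pandora_server/VERSION"

VULNERABLE_MIN = 700   # first affected build, per the advisory
VULNERABLE_MAX = 776   # last affected build, per the advisory
FIXED_VERSION = 777    # first patched build, per the advisory


def parse_build_number(version_string: str) -> Optional[int]:
    """Extract the numeric build number from a Pandora FMS version string.

    Handles the assumed forms "7.0NG.776", "776" and "7.0NG.776 Build 240419"
    (the trailing build-date token is ignored). Returns None when no build
    number can be recognised.
    """
    s = version_string.strip()
    # Prefer the number directly after "NG." when that form is present.
    m = re.search(r"NG\.(\d+)", s)
    if m:
        return int(m.group(1))
    # Otherwise accept a standalone integer of at least three digits.
    m = re.search(r"\b(\d{3,})\b", s)
    return int(m.group(1)) if m else None


def is_vulnerable(version_string: str) -> Optional[bool]:
    """True if the build falls in 700..776, False if outside, None if unparseable."""
    build = parse_build_number(version_string)
    if build is None:
        return None
    return VULNERABLE_MIN <= build <= VULNERABLE_MAX


def check_installed(path: str = VERSION_FILE) -> str:
    """Read the VERSION file and return a one-line verdict for the operator."""
    try:
        text = Path(path).read_text(encoding="utf-8")
    except OSError as exc:
        return f"could not read {path}: {exc}"
    verdict = is_vulnerable(text)
    build = parse_build_number(text)
    if verdict is None:
        return (f"unrecognised version string {text.strip()!r}; "
                "confirm the build via the web interface 'About' page")
    if verdict:
        return (f"VULNERABLE: build {build} is within "
                f"{VULNERABLE_MIN}-{VULNERABLE_MAX}; upgrade to {FIXED_VERSION} or later")
    return f"not affected: build {build} is outside {VULNERABLE_MIN}-{VULNERABLE_MAX}"


if __name__ == "__main__":
    print(check_installed())
```

Run it on the server itself (or feed the VERSION contents to is_vulnerable from a config-management fact) and treat a None result as "unknown, verify manually" rather than "safe".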
📡 Detection & Monitoring
Log Indicators:
- Unusual system command executions in Pandora FMS logs, especially related to Netflow processing.
- Error logs showing malformed input in Netflow requests.
Network Indicators:
- Suspicious inbound traffic to Pandora FMS Netflow ports with command-like payloads.
- Outbound connections from Pandora FMS server to unknown external IPs.
SIEM Query:
source="pandora_logs" AND (command_injection OR netflow AND abnormal_input)
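The log indicators above (command-like payloads and malformed input in Netflow requests) can be turned into a concrete check. The following is an added example for this page, not Pandora FMS code: it scans log lines for the Netflow filter value and flags entries that contain shell metacharacters or characters outside an allowlist of what a flow filter legitimately needs. The log format ("netflow filter=...") and the sample lines are constructed for the example, since the page does not show Pandora FMS's real log layout; tune the line regex and allowlist to your deployment before relying on it.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed sample log in an assumed format (not Pandora FMS's actual layout).
SAMPLE_LOG = """\
2024-04-19 10:01:02 pandora_console netflow filter="src ip 10.0.0.5"
2024-04-19 10:01:07 pandora_console netflow filter="src ip 10.0.0.5; id"
2024-04-19 10:01:09 pandora_console netflow filter="dst port 443 | cat /etc/passwd"
2024-04-19 10:01:11 pandora_console netflow filter="proto tcp and dst net 192.168.1.0/24"
2024-04-19 10:01:15 pandora_console netflow filter="$(id)"
2024-04-19 10:01:18 pandora_console netflow filter="src ip 10.0.0.5 #"
2024-04-19 10:01:20 pandora_console agent heartbeat ok
"""

# Assumed line layout: timestamp, source, then the filter value in double quotes.
LINE_RE = re.compile(
    r'^(?P<ts>\S+ \S+) (?P<src>\S+) netflow filter="(?P<filter>[^"]*)"'
)
# Characters that have no place in a flow filter but let a value break out of a
# shell command line: separators, pipes, redirection, substitution, escapes.
SHELL_META_RE = re.compile(r'[;&|`$<>\n\\]')
# Allowlist of what a benign filter expression is expected to contain
# (assumption for this example: keywords, addresses, ports, CIDR, parentheses).
ALLOWED_FILTER_RE = re.compile(r'^[A-Za-z0-9 .:/()_\-]+$')


@dataclass
class Finding:
    timestamp: str
    filter_text: str
    reason: str


def classify_filter(filter_text: str) -> Optional[str]:
    """Return a reason string when the filter looks like an injection attempt, else None."""
    if SHELL_META_RE.search(filter_text):
        return "shell metacharacter in netflow filter"
    if not ALLOWED_FILTER_RE.fullmatch(filter_text):
        return "character outside filter allowlist"
    return None


def scan_log(lines: Iterable[str]) -> List[Finding]:
    """Parse each line, skip non-Netflow events, and collect suspicious filters."""
    findings: List[Finding] = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a Netflow filter event
        reason = classify_filter(m.group("filter"))
        if reason:
            findings.append(Finding(m.group("ts"), m.group("filter"), reason))
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG.splitlines()):
        print(f"{f.timestamp}  {f.reason}: {f.filter_text!r}")
```

The two-stage check matters: the metacharacter list catches the obvious cases, while the allowlist catches anything the list did not anticipate, so a new encoding or separator still raises an alert (with a less specific reason) instead of passing silently. The same classify_filter check can be applied to incoming filter values as the input-validation workaround listed under "If You Can't Patch".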