CVE-2024-35306
📋 TL;DR
This vulnerability allows remote attackers to execute arbitrary operating system commands on Pandora FMS servers by injecting malicious commands through HTTP requests to Ajax PHP files. It affects all Pandora FMS installations running versions 700 through 776. Attackers can gain complete control of affected systems.
💻 Affected Systems
- Pandora FMS
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise allowing attackers to execute arbitrary commands as the web server user, potentially leading to data theft, ransomware deployment, lateral movement, and complete system takeover.
Likely Case
Remote code execution leading to web shell installation, credential harvesting, and backdoor persistence on vulnerable systems.
If Mitigated
Limited impact if proper network segmentation, web application firewalls, and least privilege principles are implemented.
🎯 Exploit Status
Command injection vulnerabilities are typically easy to exploit once the vulnerable endpoint is identified.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 777
Vendor Advisory: https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/
Restart Required: Yes
Instructions:
1. Back up your Pandora FMS installation and database.
2. Download version 777 from the official Pandora FMS website.
3. Follow the official upgrade documentation to update to version 777.
4. Restart the Pandora FMS service and verify functionality.
🔧 Temporary Workarounds
Web Application Firewall Rule
Implement WAF rules to block command injection patterns in HTTP requests to Ajax PHP files: shell metacharacters (;, |, &, $, `) and command names such as whoami, id, ls or cat inside parameter values. Tune the rules against legitimate traffic before switching from alert to block, since & and $ also occur in ordinary query strings.
Network Access Control
Restrict access to the Pandora FMS web interface to trusted IP addresses only (Linux, iptables; replace TRUSTED_IP with the management host or range). Because -A appends, the ACCEPT rules must be added before the DROP rules, in the order shown:
iptables -A INPUT -p tcp --dport 80 -s TRUSTED_IP -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -s TRUSTED_IP -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -p tcp --dport 443 -j DROP
🧯 If You Can't Patch
- Isolate vulnerable systems in a separate network segment with strict firewall rules
- Implement application-level input validation and sanitization for all user inputs
🔍 How to Verify
Check if Vulnerable:
Check Pandora FMS version via web interface or configuration files. If version is between 700 and 776 inclusive, system is vulnerable.
Check Version:
grep version /var/www/html/pandora_console/include/config.php | head -1
Verify Fix Applied:
Verify version is 777 or higher and test that command injection attempts are properly blocked.
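The version check above can be scripted so it gives a definite answer per host instead of a grep line to read by eye. The following is an added example, not Pandora FMS code: it assumes the config file contains a line assigning a quoted version string (the sample fragments below are constructed, and the "7.0NG.776" layout is an assumption) and takes the trailing run of digits as the build number, so "776", "7.0NG.776" and "v7.0NG.776" are all treated as build 776 and compared against the advisory's 700..776 range.

```python
import re

# Build-number range from the advisory: 700..776 vulnerable, 777 carries the fix.
VULNERABLE_MIN, VULNERABLE_MAX, FIXED_BUILD = 700, 776, 777

# Constructed config.php fragments (assumed layout; not copied from a real install).
SAMPLE_CONFIG_VULNERABLE = """<?php
$config["dbname"] = "pandora";
$config["version"] = "7.0NG.776";
"""
SAMPLE_CONFIG_FIXED = """<?php
$config["dbname"] = "pandora";
$config["version"] = "7.0NG.777";
"""


def build_number(version):
    """Return the trailing build number of a version string.

    Assumption: the build is the last run of digits, so '776', '7.0NG.776'
    and 'v7.0NG.776' all yield 776.
    """
    digits = re.findall(r"\d+", version)
    if not digits:
        raise ValueError(f"no build number found in {version!r}")
    return int(digits[-1])


def version_from_config(config_text):
    """Extract the quoted version value from a config.php-style file.

    Mirrors `grep version config.php | head -1`: the first line mentioning
    'version' with a quoted right-hand side wins. Returns None if absent.
    """
    for line in config_text.splitlines():
        if "version" not in line.lower():
            continue
        m = re.search(r"""=\s*['"]([^'"]+)['"]""", line)
        if m:
            return m.group(1)
    return None


def assess(config_text):
    """Classify an install as vulnerable, fixed, out_of_range or unknown."""
    version = version_from_config(config_text)
    if version is None:
        return {"version": None, "build": None, "status": "unknown"}
    build = build_number(version)
    if VULNERABLE_MIN <= build <= VULNERABLE_MAX:
        status = "vulnerable"
    elif build >= FIXED_BUILD:
        status = "fixed"
    else:
        status = "out_of_range"  # older than build 700: outside the advisory's range
    return {"version": version, "build": build, "status": status}


if __name__ == "__main__":
    # Feed the real file with: assess(open("/var/www/html/pandora_console/include/config.php").read())
    for name, text in (("vulnerable", SAMPLE_CONFIG_VULNERABLE), ("fixed", SAMPLE_CONFIG_FIXED)):
        print(name, assess(text))
```

An "unknown" result means the version line was not found and the host needs a manual look rather than being assumed safe.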
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to Ajax PHP files
- Commands like 'whoami', 'id', 'ls', 'cat' in URL parameters
- Multiple failed command injection attempts
Network Indicators:
- HTTP requests containing shell metacharacters (;, |, &, $, `)
- Outbound connections from web server to unexpected destinations
SIEM Query:
source="web_access.log" AND (url="*ajax*" AND (param="*;*" OR param="*|*" OR param="*`*" OR param="*$(*"))
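The SIEM query above expresses the indicators as wildcard matches; the same logic run directly over access-log lines shows what each indicator actually catches. The following is an added example, not part of the advisory or of Pandora FMS: it assumes Common Log Format lines, flags only requests whose path is an Ajax PHP file, decodes each query parameter and reports the shell metacharacters and recon command names listed above, then counts hits per client address to surface repeated attempts. The log lines, hosts and parameter names are constructed.

```python
import re
from urllib.parse import unquote_plus

# Common Log Format: client IP, ident, user, [timestamp], "METHOD target PROTO", status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Shell metacharacters from the Network Indicators list.
METACHARS = (";", "|", "&", "$", "`")
# Recon commands from the Log Indicators list, matched as whole tokens only.
COMMAND_RE = re.compile(r"(?<![A-Za-z0-9_])(whoami|id|ls|cat)(?![A-Za-z0-9_])")

# Constructed sample lines (invented hosts, paths and parameter names, not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [10/Jun/2024:12:00:01 +0000] "GET /pandora_console/ajax.php?page=events&id=1 HTTP/1.1" 200 512
10.0.0.9 - - [10/Jun/2024:12:00:02 +0000] "POST /pandora_console/ajax.php?page=module&target=;id HTTP/1.1" 200 77
10.0.0.9 - - [10/Jun/2024:12:00:03 +0000] "POST /pandora_console/ajax.php?page=x&cmd=%60whoami%60 HTTP/1.1" 200 77
10.0.0.7 - - [10/Jun/2024:12:00:04 +0000] "GET /pandora_console/index.php?sec=view&file=a|b HTTP/1.1" 200 100
10.0.0.9 - - [10/Jun/2024:12:00:05 +0000] "GET /pandora_console/ajax.php?page=y&arg=$(id) HTTP/1.1" 500 0
"""


def parse_log_line(line):
    """Parse one CLF line into a dict with path and decoded (name, value) params."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    path, _, query = rec["target"].partition("?")
    params = []
    for pair in query.split("&"):  # split before decoding so %26 in a value survives
        if not pair:
            continue
        name, _, value = pair.partition("=")
        params.append((unquote_plus(name), unquote_plus(value)))
    rec["path"], rec["params"] = path, params
    return rec


def is_ajax_php(path):
    """True for the Ajax PHP endpoints the advisory describes."""
    lowered = path.lower()
    return lowered.endswith(".php") and "ajax" in lowered


def injection_reasons(value):
    """List the indicators present in one decoded parameter value."""
    reasons = [f"metachar {c!r}" for c in METACHARS if c in value]
    m = COMMAND_RE.search(value)
    if m:
        reasons.append(f"command {m.group(1)!r}")
    return reasons


def scan_log(text, repeat_threshold=2):
    """Return per-parameter hits and the client IPs with repeated attempts."""
    hits, per_ip = [], {}
    for line in text.splitlines():
        rec = parse_log_line(line)
        if rec is None or not is_ajax_php(rec["path"]):
            continue
        for name, value in rec["params"]:
            reasons = injection_reasons(value)
            if not reasons:
                continue
            hits.append({"ip": rec["ip"], "ts": rec["ts"], "method": rec["method"],
                         "path": rec["path"], "status": rec["status"],
                         "param": name, "value": value, "reasons": reasons})
            per_ip[rec["ip"]] = per_ip.get(rec["ip"], 0) + 1
    repeat = sorted(ip for ip, n in per_ip.items() if n >= repeat_threshold)
    return {"hits": hits, "repeat_offenders": repeat}


if __name__ == "__main__":
    result = scan_log(SAMPLE_LOG)
    for h in result["hits"]:
        print(h["ip"], h["method"], h["path"], h["param"], h["reasons"], h["status"])
    print("repeated attempts from:", result["repeat_offenders"])
```

The request to index.php with a pipe in a parameter is deliberately not reported: the path filter keeps the rule focused on the Ajax endpoints, which is what separates this signature from generic metacharacter alerting. The HTTP status is carried in each hit so repeated 4xx/5xx responses from one address can be prioritised as failed attempts.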