CVE-2024-49764
📋 TL;DR
This stored XSS vulnerability in LibreNMS allows authenticated users to inject malicious JavaScript through the device hostname parameter. When victims view the Capture Debug Information page, their session cookies can be stolen and they can be redirected to attacker-controlled sites. Only authenticated users can exploit this vulnerability.
💻 Affected Systems
- LibreNMS
📦 What is this software?
LibreNMS by LibreNMS
⚠️ Risk & Real-World Impact
Worst Case
Attacker steals admin session cookies, gains full administrative access to LibreNMS, potentially compromising the entire monitoring system and using it as a pivot point to attack monitored devices.
Likely Case
Attacker steals session cookies of regular users, gains unauthorized access to monitoring data, and redirects users to phishing sites.
If Mitigated
With proper input validation and output encoding, the injected payload is rendered as inert text and no script executes in the victim's browser.
🎯 Exploit Status
Exploitation requires authenticated access. The vulnerability is straightforward to exploit once an attacker has valid credentials.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 24.10.0
Vendor Advisory: https://github.com/librenms/librenms/security/advisories/GHSA-rmr4-x6c9-jc68
Restart Required: No
Instructions:
1. Back up your LibreNMS installation and database.
2. Update to version 24.10.0 or later using your preferred update method (git pull, package manager, or manual download).
3. Verify that the update completed successfully.
🔧 Temporary Workarounds
Input Validation Filter
Platform: all
Implement server-side input validation to sanitize the hostname parameter before processing.
Not applicable - requires code modification
Restrict Device Creation
Platform: all
Limit device creation permissions to trusted administrators only.
Not applicable - configuration change
🧯 If You Can't Patch
- Implement strict Content Security Policy (CSP) headers to prevent JavaScript execution from untrusted sources
- Monitor and audit device creation logs for suspicious hostname entries containing script tags or JavaScript
🔍 How to Verify
Check if Vulnerable:
Check if your LibreNMS version is below 24.10.0 by visiting the web interface and checking the version in the footer or using the command line.
Check Version:
cd /opt/librenms && ./lnms --version
Verify Fix Applied:
After updating, verify the version is 24.10.0 or higher and test that JavaScript in hostname fields is properly sanitized.
📡 Detection & Monitoring
Log Indicators:
- Unusual device creation events
- Hostname parameters containing script tags or JavaScript code
- Multiple failed login attempts followed by device creation
Network Indicators:
- Outbound connections to unusual domains from LibreNMS server
- Unexpected redirects from Capture Debug Information page
SIEM Query:
source="librenms_logs" AND (hostname="*<script>*" OR hostname="*javascript:*" OR hostname="*onerror=*" OR hostname="*onload=*")
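The log indicators and SIEM query above can be checked offline as well. The following is an added example, not LibreNMS code or part of the original advisory: it scans device-creation log lines (a constructed format, assumed as "<timestamp> device_add user=<user> hostname=<value>") and flags any hostname that either contains the script-like patterns from the SIEM query or fails strict RFC 1123 hostname syntax. The second check goes beyond the four patterns in the query: any hostname that is not a legal name or IP address is reported, so unknown payload variants are caught too.

```python
import ipaddress
import re

# RFC 1123 label: letters, digits and hyphens, 1-63 chars, no leading or trailing hyphen.
HOSTNAME_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

# Patterns from the advisory's SIEM query, generalised to any "on<event>=" handler attribute.
SUSPICIOUS = re.compile(r"<script|javascript:|\bon[a-z]+\s*=", re.IGNORECASE)

# Constructed log line format (assumption): "<timestamp> device_add user=<user> hostname=<value>"
LOG_LINE = re.compile(r"^(?P<ts>\S+) device_add user=(?P<user>\S+) hostname=(?P<host>.*)$")


def is_valid_hostname(name: str) -> bool:
    """True if name is an IPv4/IPv6 address or a syntactically legal RFC 1123 hostname."""
    if not name or len(name) > 253:
        return False
    try:
        ipaddress.ip_address(name)  # LibreNMS devices are often added by IP
        return True
    except ValueError:
        pass
    return all(HOSTNAME_LABEL.match(label) for label in name.rstrip(".").split("."))


def scan_device_log(lines):
    """Return (timestamp, user, hostname, reason) for each device_add whose hostname is not legitimate."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line.rstrip("\n"))
        if not m:
            continue  # not a device creation event
        host = m.group("host")
        if SUSPICIOUS.search(host):
            findings.append((m.group("ts"), m.group("user"), host, "script-like content"))
        elif not is_valid_hostname(host):
            findings.append((m.group("ts"), m.group("user"), host, "invalid hostname syntax"))
    return findings


# Constructed sample log: two clean entries, one IPv6 entry, two script-like names, one malformed name.
SAMPLE_LOG = [
    "2024-10-01T10:00:00Z device_add user=alice hostname=core-sw1.example.net",
    "2024-10-01T10:02:00Z device_add user=alice hostname=10.0.0.1",
    "2024-10-01T10:03:00Z device_add user=bob hostname=router1<script>x</script>",
    "2024-10-01T10:04:00Z device_add user=bob hostname=sw2 onload=x",
    "2024-10-01T10:05:00Z login user=dave",
    "2024-10-01T10:06:00Z device_add user=eve hostname=2001:db8::1",
    "2024-10-01T10:07:00Z device_add user=carol hostname=bad_host!",
]

if __name__ == "__main__":
    for ts, user, host, reason in scan_device_log(SAMPLE_LOG):
        print(f"{ts} user={user} reason={reason} hostname={host!r}")
```

Internationalised hostnames must be converted to their punycode form before this check, or they will be reported as invalid syntax.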