CVE-2024-50351
📋 TL;DR
A reflected Cross-Site Scripting (XSS) vulnerability in LibreNMS allows attackers to inject malicious JavaScript via the 'section' parameter in device logs. When users access pages with crafted parameters, attackers can steal sessions and perform unauthorized actions. This affects all LibreNMS users running versions before 24.10.0.
💻 Affected Systems
- LibreNMS
📦 What is this software?
Librenms by Librenms
⚠️ Risk & Real-World Impact
Worst Case
Attackers steal administrator session cookies, gain full system control, modify configurations, access sensitive network data, and pivot to other systems.
Likely Case
Attackers steal user sessions to view sensitive monitoring data, modify device configurations, or create backdoor accounts.
If Mitigated
With proper input validation and output encoding, malicious scripts are neutralized before execution, preventing exploitation.
🎯 Exploit Status
Exploitation requires user interaction (clicking malicious link) but is trivial to craft. Proof-of-concept exists in advisory.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 24.10.0
Vendor Advisory: https://github.com/librenms/librenms/security/advisories/GHSA-v7w9-63xh-6r3w
Restart Required: No
Instructions:
1. Backup your LibreNMS installation and database.
2. Update to version 24.10.0 or later using git: 'git pull origin master'.
3. Run database updates: './daily.sh'.
4. Clear browser cache.
🔧 Temporary Workarounds
Input Validation Filter
Add input validation for the 'section' parameter in the report_this() function
Modify the relevant PHP files so the 'section' parameter is escaped with htmlspecialchars() (or an equivalent output-encoding function) before it is written into the page
Web Application Firewall (WAF)
Deploy WAF rules to block XSS payloads in URL parameters
Configure the WAF to filter '<script>', 'javascript:', and other XSS patterns in the 'section' parameter
🧯 If You Can't Patch
- Restrict access to LibreNMS web interface using network segmentation and firewall rules
- Implement Content Security Policy (CSP) headers to restrict script execution
🔍 How to Verify
Check if Vulnerable:
Versions below 24.10.0 are affected. To confirm, visit /ajax_output.php?section=test<script>alert(1)</script> and observe whether the script executes
Check Version:
grep 'version' /opt/librenms/includes/vars.php 2>/dev/null || cat /opt/librenms/.git/refs/heads/master
Verify Fix Applied:
After patching, test the same payload and confirm no script execution occurs
📡 Detection & Monitoring
Log Indicators:
- Unusual 'section' parameter values in web server logs containing script tags or JavaScript
- Multiple failed XSS attempts in short timeframes
Network Indicators:
- HTTP requests with 'section' parameter containing script tags or encoded payloads
SIEM Query:
source="web_logs" AND (uri="*section=*<script>*" OR uri="*section=*javascript:*")
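As an added example (not part of this advisory), the following Python scan applies the log indicators above to web-server access log lines: it extracts the 'section' parameter, URL-decodes it (so the encoded payloads mentioned under Network Indicators are caught), matches the same patterns as the SIEM query, and flags sources with repeated attempts. The log lines are constructed samples, not real traffic.

```python
import re
from urllib.parse import parse_qs, unquote

# Patterns from the SIEM query (script tags, javascript: URLs), checked after URL-decoding.
SUSPICIOUS = re.compile(r"<\s*script|javascript:", re.IGNORECASE)
# Combined log format: client IP first, request line in quotes.
LOG_RE = re.compile(r'^(?P<ip>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')

def decode_fully(value: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly so double-encoded payloads unwrap to plain text."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_section_values(line: str) -> tuple[str, list[str]]:
    """Return (client_ip, decoded 'section' values matching an XSS pattern)."""
    m = LOG_RE.match(line)
    if not m:
        return "", []
    query = m.group("target").partition("?")[2]
    # parse_qs does one round of percent-decoding; decode_fully handles any further layers.
    values = parse_qs(query, keep_blank_values=True).get("section", [])
    hits = [v for v in map(decode_fully, values) if SUSPICIOUS.search(v)]
    return m.group("ip"), hits

def scan(lines: list[str]) -> dict[str, list[str]]:
    """Map each client IP to the suspicious 'section' values it sent."""
    findings: dict[str, list[str]] = {}
    for line in lines:
        ip, hits = suspicious_section_values(line)
        if hits:
            findings.setdefault(ip, []).extend(hits)
    return findings

def repeat_offenders(findings: dict[str, list[str]], threshold: int = 2) -> list[str]:
    """IPs with at least `threshold` hits: the 'multiple attempts' indicator."""
    return sorted(ip for ip, hits in findings.items() if len(hits) >= threshold)

# Constructed sample log lines (not real traffic); line 2 uses the advisory's own test payload.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Nov/2024:10:00:00 +0000] "GET /ajax_output.php?section=syslog&device=3 HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Nov/2024:10:00:01 +0000] "GET /ajax_output.php?section=test%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Nov/2024:10:00:02 +0000] "GET /ajax_output.php?section=%2522%253E%253Cscript%253E HTTP/1.1" 200 512',
    '10.0.0.7 - - [01/Nov/2024:10:00:03 +0000] "GET /ajax_output.php?section=javascript:alert(1) HTTP/1.1" 200 512',
    '10.0.0.7 - - [01/Nov/2024:10:00:04 +0000] "POST /login HTTP/1.1" 302 0',
]
```

Running scan(SAMPLE_LOG) reports both decoded payloads from 10.0.0.9 and the javascript: value from 10.0.0.7, and repeat_offenders() returns only 10.0.0.9.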