CVE-2019-19681 Pandora FMS 7.xx Remote Code Execution via the Alert Manager

Note: I copied the article from medium to my home page, so the content is unchanged.

I found a security vulnerability in PandoraFMS 7 Monitoring System. As an authenticated user it is possible to modify or configure alerts, actions and commands. An alert can be triggered manually and the system will execute the connected commands in the context of the Application. The commands can be modified via the Web Application and it simply accepts everything as a command. I used the alert system to obtain root access on the vendor-provided virtual machine.

I got in touch with the vendor and I sent them the vulnerability report in a secure way. They analysed the vulnerability and a few days later I got an answer:

"we open a ticket with the vulnerability you reported to us and after analysing the situation, we can't limit the use of commands because the functionality is like that. What we have been able to make more restrictive is the user profile that can create the commands. Thank you very much for your contribution!"

I understand the "business" point of view, but I do not agree and I sent them a possible solution. These commands can be defined and stored in a configuration file on the host operating system. The commands can be used in the Web Application, but they are immutable and predefined from the Web Application point of view.

What happend and what is the current status?

I posted the whole thing on medium and I reported it to MITRE/NVD. NVD analyzed it and they said it is a vulnerability and it got an 8.8 CVSS3 score. (CVE-2019-19681)

The vendor came up with the following blog post: (link). They explained in it why my finding is not a security issue. There is an ongoing reanalysis by NVD, so the current status is DISPUTED. (2020.01.28.)

What I think about it?

I think it is a Web Application and it is not allowed to define commands like this even with a Web Admin account. The default configuration is vulnerable and the software documentation does not contain anything about it or anything about the prevention.

I think the firewall part of their explanation is a "half true". E.g: I can store a simple command as a string in their database. The firewall has nothing to do with it and later the system will execute the command. What if the command is just a simple "rm -rf /*" which has no network impact?

If the application is running with www_data rights only and the remote shell or the remote command is just executed as www_data it is still a Remote Code Execution vulnerability.

I think NVD will change the description to be "more precise", but the vulnerability remains.

Technical Details

The Target IP address was 192.168.0.33 and the Attacker IP address was 192.168.0.37.

1. Login with the default credentials (pandora, admin)

1

2. Create an Alert

2

3. Select the Alerts option of pandorafms

3

4. Add an Alert and select the "Mail to Admin" Action

4

5. Select Commands from the menu

5

6. Add Command

6

7. Configure Mail to Admin

7 8

8. Listen on port 9000

9

9. Trigger the alert manually

10 11 12

10. Proof

13