cbcvebase.
CVE-2019-10669
published 2019-09-09

Priority: P2 · 69 · high
CVSS 3.1: 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
Exploit: yes
EPSS: 80.66% (99.6th percentile)
An issue was discovered in LibreNMS through 1.47. There is a command injection vulnerability in html/includes/graphs/device/collectd.inc.php, where user-supplied parameters are filtered with mysqli_real_escape_string() (spelled "mysqli_escape_real_string" in the CVE text). That function escapes only SQL string-literal metacharacters and is not appropriate for sanitizing command arguments: it leaves a number of shell syntax characters such as ` (backtick) untouched, allowing an attacker to inject commands into the variable $rrd_cmd, which is then executed via passthru().
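To make the root cause concrete, the following added Python example (not LibreNMS code, and not from this page) emulates the escape set of PHP's mysqli_real_escape_string() and compares it with POSIX single-quoting, which is what PHP's escapeshellarg() does (here via shlex.quote). It builds a hypothetical rrdtool command line (the real shape of $rrd_cmd is not reproduced) with a constructed attacker value and checks whether any backtick would reach the shell unquoted. The double-quoted case is included as a caveat beyond the page's text: wrapping the value in double quotes does not neutralise backticks either.

```python
import shlex

# Escape set of PHP's mysqli_real_escape_string() (NUL, \n, \r, \, ', ", Ctrl-Z),
# emulated here for illustration; the real function is also charset-aware.
_MYSQL_ESCAPES = {
    "\x00": "\\0", "\n": "\\n", "\r": "\\r", "\\": "\\\\",
    "'": "\\'", '"': '\\"', "\x1a": "\\Z",
}


def mysql_escape(value: str) -> str:
    """What the vulnerable code relied on: only SQL string-literal metacharacters change."""
    return "".join(_MYSQL_ESCAPES.get(ch, ch) for ch in value)


def shell_quote(value: str) -> str:
    """POSIX single-quoting, the approach PHP's escapeshellarg() takes (via shlex.quote)."""
    return shlex.quote(value)


def build_rrd_cmd(start: str, end: str, escaper) -> str:
    """Hypothetical $rrd_cmd shape; the real LibreNMS command line is not reproduced."""
    return f"rrdtool graph - --start {escaper(start)} --end {escaper(end)}"


def unquoted_backticks(cmd: str) -> list:
    """Offsets of backticks a POSIX shell would treat as command substitution.

    Single quotes make everything inside literal; double quotes do NOT stop
    backtick substitution, so only single-quoted backticks are inert.
    A backslash outside single quotes escapes the following character.
    """
    hits, in_single, in_double, i = [], False, False, 0
    while i < len(cmd):
        ch = cmd[i]
        if in_single:
            if ch == "'":
                in_single = False
        elif ch == "\\":
            i += 1  # skip the escaped character
        elif ch == "'" and not in_double:
            in_single = True
        elif ch == '"':
            in_double = not in_double
        elif ch == "`":
            hits.append(i)
        i += 1
    return hits


PAYLOAD = "1`id`"  # constructed attacker value for the 'from' parameter

if __name__ == "__main__":
    for name, escaper in (("mysql_escape", mysql_escape), ("shell_quote", shell_quote)):
        cmd = build_rrd_cmd(PAYLOAD, "now", escaper)
        print(f"{name:12s} {cmd!r} -> unquoted backticks at {unquoted_backticks(cmd)}")
    # Wrapping the escaped value in double quotes is not a fix either:
    print(unquoted_backticks(f'rrdtool graph - --start "{mysql_escape(PAYLOAD)}"'))
```

The check is deliberately a tiny shell-quoting state machine rather than a regex: the question is not "does the string contain a backtick" but "would the shell interpret it", which depends on the quoting context the value lands in.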

Affected

1 range

Vendor     Product    Version range   Fixed in
librenms   librenms   <= 1.47         -

Detection & IOCs (extracted from sources)

url: /graph.php
path: html/includes/graphs/device/collectd.inc.php
command: from=1`<payload>`
  • Monitor HTTP GET requests to /graph.php with type=device_collectd and a 'from' or 'to' parameter containing backtick characters (`), raw or percent-encoded as %60; these are used to inject OS commands.
  • Alert on GET requests to /graph.php where the query includes type=device_collectd alongside c_plugin, c_type, c_plugin_instance and c_type_instance; this is the full parameter set the exploit uses to reach the vulnerable code path.
  • On the host, exploitation can be confirmed by inspecting the $rrd_cmd string passed to passthru() in collectd.inc.php for backtick-delimited command substitutions derived from the unsanitized 'from'/'to' parameters.
  • Exploitation requires a valid authenticated session: the attacker needs working LibreNMS credentials and at least one device with a Collectd plugin configured.
  • The root cause is the misuse of mysqli_real_escape_string() to sanitize OS command arguments; it does not escape backticks or other shell metacharacters and is unsuitable for that purpose.
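The two request-level indicators above, as an added Python detector run over constructed web-server access-log lines (example code, not the source's rule; the log format, addresses and timestamps are made up). parse_qs percent-decodes the query string, so an encoded %60 is caught as well as a raw backtick; as a generalisation beyond the page's backtick indicator, "$(" is also flagged, since the same unescaped value reaches a POSIX shell.

```python
import re
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Combined-log-format prefix: host, ident, auth user, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Parameter set the exploit uses to reach collectd.inc.php (from the IOC list above).
COLLECTD_PARAMS = {"c_plugin", "c_type", "c_plugin_instance", "c_type_instance"}

# Command-substitution syntax that mysqli_real_escape_string() leaves intact.
# The page names the backtick; "$(" is added here as the equivalent POSIX form.
SUBSTITUTION_MARKERS = ("`", "$(")


def classify(line: str) -> Optional[dict]:
    """Return a finding for a suspicious /graph.php?type=device_collectd request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if parts.path != "/graph.php":
        return None
    # keep_blank_values so that c_plugin_instance= (empty) still counts as present;
    # parse_qs percent-decodes, so from=1%60id%60 becomes 1`id`.
    qs = parse_qs(parts.query, keep_blank_values=True)
    if "device_collectd" not in qs.get("type", []):
        return None
    flags = []
    for p in ("from", "to"):
        for v in qs.get(p, []):
            if any(marker in v for marker in SUBSTITUTION_MARKERS):
                flags.append(f"command substitution in {p}={v!r}")
    if COLLECTD_PARAMS.issubset(qs):
        flags.append("full collectd parameter set present")
    if not flags:
        return None
    severity = "high" if any(f.startswith("command substitution") for f in flags) else "info"
    return {"ip": m.group("ip"), "user": m.group("user"), "ts": m.group("ts"),
            "severity": severity, "flags": flags}


def scan(lines):
    """Run classify() over an iterable of log lines and keep the findings."""
    return [f for f in map(classify, lines) if f is not None]


# Constructed sample lines (not real traffic).
SAMPLE_LINES = [
    # normal collectd graph render: full parameter set, benign from/to -> "info"
    '203.0.113.5 - librenms [09/Sep/2019:10:15:02 +0000] "GET /graph.php?type=device_collectd'
    '&device=1&c_plugin=load&c_type=load&c_plugin_instance=&c_type_instance=&from=-86400&to=now'
    ' HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    # percent-encoded backtick injection in 'from' -> "high"
    '198.51.100.7 - librenms [09/Sep/2019:10:16:44 +0000] "GET /graph.php?type=device_collectd'
    '&device=1&c_plugin=load&c_type=load&c_plugin_instance=&c_type_instance=&from=1%60id%60&to=now'
    ' HTTP/1.1" 200 210 "-" "python-requests/2.22.0"',
    # raw $( in 'to', without the full parameter set -> still "high"
    '198.51.100.7 - librenms [09/Sep/2019:10:16:50 +0000] "GET /graph.php?type=device_collectd'
    '&device=1&to=$(id) HTTP/1.1" 500 0 "-" "curl/7.64.1"',
    # a different graph type -> ignored
    '203.0.113.5 - librenms [09/Sep/2019:10:17:01 +0000] "GET /graph.php?type=device_bits'
    '&device=1&from=-86400&to=now HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    # not graph.php -> ignored
    '203.0.113.5 - librenms [09/Sep/2019:10:17:05 +0000] "GET /device/device=1/tab=graphs/'
    ' HTTP/1.1" 200 8192 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LINES):
        print(finding["severity"], finding["ip"], finding["user"], finding["flags"])
```

The "info" finding for the full parameter set is intentionally low severity: legitimate collectd graph views send exactly those parameters, so on its own it is a baseline of who renders collectd graphs, while the command-substitution match is the actual alert.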

CVSS provenance

NVD  v3.1  7.2  HIGH    CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
NVD  v2.0  6.5  MEDIUM  AV:N/AC:L/Au:S/C:P/I:P/A:P