CVE-2020-8947
Published: 2020-02-12
Priority: P264 · high · CVSS 3.1: 7.2
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 22.48% (97.4th percentile)
functions_netflow.php in Artica Pandora FMS 7.0 allows remote attackers to execute arbitrary OS commands via shell metacharacters in the index.php?operation/netflow/nf_live_view ip_dst, dst_port, or src_port parameter, a different vulnerability than CVE-2019-20224.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| artica | pandora_fms | — | — |
Detection & IOCs (extracted from sources)
- Detect POST requests to the netflow live view endpoint with shell metacharacters (e.g., double-quote, semicolon) in the ip_dst, ip_src, dst_port, or src_port POST body parameters.
- Alert on POST requests to /pandora_console/index.php?sec=netf&sec2=operation/netflow/nf_live_view containing nc -e /bin/sh or similar reverse-shell payloads in form fields.
- Monitor for the exploit's characteristic User-Agent string 'Mozilla/5.0 Gecko/20100101 Firefox/72.0' combined with POST requests to the Pandora FMS netflow endpoint, as this is hardcoded in the public exploit.
- The exploit requires prior authentication; correlate a successful login POST to /pandora_console/index.php?login=1 immediately followed by a POST to the nf_live_view endpoint from the same session/IP.
- Payload position may vary across ip_src, dst_port, or src_port fields in addition to ip_dst; inspect all four POST parameters for shell metacharacters.
- Exploitation requires valid credentials; unauthenticated attackers cannot reach the vulnerable code path directly.
- This is a distinct vulnerability from CVE-2019-20224 despite affecting the same netflow functionality; ensure detections cover both CVEs independently.
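The checks listed above can be combined into one pass over request logs. The following is an added example, not code from this page or its sources; the event dictionary layout, the metacharacter set and the 60-second login window are assumptions, and it requires a proxy or WAF that records POST bodies.

```python
import re
from urllib.parse import urlsplit, parse_qs

PARAMS = ("ip_dst", "ip_src", "dst_port", "src_port")  # fields named on this page
SHELL_META = re.compile(r"""["'`;|&$(){}<>\\\n\r]""")   # assumed metacharacter set
EXPLOIT_UA = "Mozilla/5.0 Gecko/20100101 Firefox/72.0"  # User-Agent quoted on this page
LOGIN_WINDOW = 60  # seconds between login and netflow POST; assumed value

def is_netflow_post(ev):
    q = parse_qs(urlsplit(ev["url"]).query)
    return ev["method"] == "POST" and "operation/netflow/nf_live_view" in q.get("sec2", [])

def is_login_post(ev):
    q = parse_qs(urlsplit(ev["url"]).query)
    return ev["method"] == "POST" and q.get("login") == ["1"]

def detect(events):
    """Return one alert per nf_live_view POST carrying shell metacharacters."""
    last_login, alerts = {}, []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if is_login_post(ev):
            last_login[ev["src"]] = ev["ts"]
        if not is_netflow_post(ev):
            continue
        form = parse_qs(ev["body"], keep_blank_values=True)  # URL-decodes values
        hits = sorted(p for p in PARAMS if any(SHELL_META.search(v) for v in form.get(p, [])))
        if hits:
            alerts.append({
                "src": ev["src"], "ts": ev["ts"], "params": hits,
                "after_login": ev["ts"] - last_login.get(ev["src"], float("-inf")) <= LOGIN_WINDOW,
                "exploit_ua": ev["ua"] == EXPLOIT_UA,  # corroborating signal only
            })
    return alerts

SAMPLE = [  # constructed events, not captured traffic
    {"ts": 100, "src": "203.0.113.7", "method": "POST", "ua": EXPLOIT_UA,
     "url": "/pandora_console/index.php?login=1", "body": ""},
    {"ts": 103, "src": "203.0.113.7", "method": "POST", "ua": EXPLOIT_UA,
     "url": "/pandora_console/index.php?sec=netf&sec2=operation/netflow/nf_live_view",
     "body": "ip_dst=10.0.0.5%22%3Bid%3B%23&dst_port=&src_port="},
    {"ts": 500, "src": "198.51.100.9", "method": "POST", "ua": "Mozilla/5.0 (X11)",
     "url": "/pandora_console/index.php?sec=netf&sec2=operation/netflow/nf_live_view",
     "body": "ip_dst=10.0.0.5&ip_src=&dst_port=443&src_port="},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(alert)
```

The User-Agent and login-correlation fields raise confidence in an alert; the metacharacter match on the four parameters is the primary condition, since a client can send any User-Agent.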
CVSS provenance
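| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.2 | HIGH | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 9.0 | CRITICAL | AV:N/AC:L/Au:S/C:C/I:C/A:C |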
References
- http://packetstormsecurity.com/files/156326/Pandora-FMS-7.0-Authenticated-Remote-Code-Execution.html
- https://engindemirbilek.github.io/pandorafms-rce
- https://github.com/EnginDemirbilek/EnginDemirbilek.github.io/blob/master/pandorafms-rce.html