CVE-2020-35700 in LibreNMS

Summary

by MITRE • 02/08/2021

A second-order SQL injection issue in Widgets/TopDevicesController.php (aka the Top Devices dashboard widget) of LibreNMS before 21.1.0 allows remote authenticated attackers to execute arbitrary SQL commands via the sort_order parameter against the /ajax/form/widget-settings endpoint.


Analysis

by VulDB Data Team • 02/25/2021

CVE-2020-35700 is a second-order SQL injection flaw in the LibreNMS network monitoring platform that affects versions prior to 21.1.0. The issue resides in the Widgets/TopDevicesController.php component, which renders the Top Devices dashboard widget. Attackers exploit the sort_order parameter through the /ajax/form/widget-settings endpoint to inject malicious SQL commands into the application's database layer. Second-order SQL injection occurs when user input is first stored and then later retrieved and executed in a dangerous context, which creates a more complex attack vector than first-order injection.

Authenticated attackers can manipulate the sort_order parameter, which determines the ordering of devices displayed in the dashboard widget. When the application processes this parameter, it fails to properly sanitize or escape the input before incorporating it into SQL queries. This flaw falls under the CWE-94 weakness category, specifically related to the execution of code through improper input validation. The attack requires an authenticated session, so an attacker must first gain valid credentials to the LibreNMS system; once these are obtained, the attacker can leverage this vulnerability to execute arbitrary SQL commands against the underlying database.

The operational impact of this vulnerability is significant: it lets attackers perform unauthorized data access, modification, or deletion operations on the LibreNMS database. Attackers could potentially extract sensitive network information, modify device configurations, or even escalate their privileges within the monitoring system. The vulnerability directly affects the integrity and confidentiality of the network monitoring infrastructure, as the database contains critical information about network devices, their configurations, and monitoring data. The attack chain typically involves an attacker logging into the system with valid credentials, navigating to the dashboard settings, manipulating the sort_order parameter, and then executing malicious SQL commands that are processed by the backend database engine.

Mitigation strategies for CVE-2020-35700 include immediately upgrading to LibreNMS version 21.1.0 or later, which contains the necessary patches to address the SQL injection vulnerability. Organizations should also implement proper input validation and sanitization measures for all user-supplied data, particularly parameters used in dynamic SQL queries. The principle of least privilege should be enforced by ensuring that database accounts used by LibreNMS have minimal required permissions and that proper access controls are implemented. Additionally, regular security audits and penetration testing should be conducted to identify similar vulnerabilities in the application code. From an ATT&CK framework perspective, this vulnerability maps to T1078 Valid Accounts and T1566 Phishing, as attackers typically need to obtain valid credentials to exploit it, and to T1041 Exfiltration Over C2 Channel if the attacker gains access to sensitive network data through database exploitation.
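The store-then-use pattern described in the analysis, and the input validation recommended above, as an added example that is not LibreNMS code or its actual patch. The schema, function names and sample value are hypothetical and constructed for illustration, and the example assumes PHP with the pdo_sqlite extension.

```php
<?php
declare(strict_types=1);

// Illustrative schema, not LibreNMS's: a settings table holding the saved
// widget option and a devices table the widget later sorts.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE widget_settings (widget_id INTEGER PRIMARY KEY, sort_order TEXT)');
$db->exec('CREATE TABLE devices (hostname TEXT, traffic INTEGER)');
$db->exec("INSERT INTO devices VALUES ('core-sw1', 900), ('edge-rtr2', 400), ('ap-lobby', 50)");

// Step 1 (store): the value is bound as a parameter, so nothing is injected
// here. This is why second-order flaws survive a review of the write path.
function saveSortOrder(PDO $db, int $widgetId, string $sortOrder): void
{
    $stmt = $db->prepare('INSERT OR REPLACE INTO widget_settings VALUES (?, ?)');
    $stmt->execute([$widgetId, $sortOrder]);
}

function loadSortOrder(PDO $db, int $widgetId): string
{
    $stmt = $db->prepare('SELECT sort_order FROM widget_settings WHERE widget_id = ?');
    $stmt->execute([$widgetId]);
    return (string) $stmt->fetchColumn();
}

// Step 2 (use), vulnerable pattern: the stored string is trusted and
// concatenated into ORDER BY, where placeholders cannot be used.
function topDevicesQueryUnsafe(PDO $db, int $widgetId): string
{
    return 'SELECT hostname FROM devices ORDER BY traffic ' . loadSortOrder($db, $widgetId);
}

// Step 2 (use), hardened: map the stored value onto a fixed keyword set at
// the point of use; anything else falls back to a default.
function topDevicesQuerySafe(PDO $db, int $widgetId): string
{
    $direction = strtolower(trim(loadSortOrder($db, $widgetId))) === 'asc' ? 'ASC' : 'DESC';
    return 'SELECT hostname FROM devices ORDER BY traffic ' . $direction;
}

// Constructed, harmless value: one extra sort key shows the query shape changing.
saveSortOrder($db, 1, 'asc, hostname');
echo topDevicesQueryUnsafe($db, 1), PHP_EOL; // stored text became SQL syntax
echo topDevicesQuerySafe($db, 1), PHP_EOL;   // only ASC or DESC can appear
print_r($db->query(topDevicesQuerySafe($db, 1))->fetchAll(PDO::FETCH_COLUMN));
```

Validating at the point of use protects the query even when a stored value predates the validation or was written by another code path.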

Reservation: 12/24/2020

Disclosure: 02/08/2021

Moderation: accepted

CPE: ready

EPSS: 0.00076

KEV: no

Activities: very low
