Positive Technologies discovered four vulnerabilities in Pandora FMS, a provider of IT monitoring solutions. Over 50,000 companies across five continents rely on Pandora FMS to monitor their corporate networks, applications, servers, and other data sources. The vendor was notified of the vulnerabilities in line with the responsible disclosure policy and has already released software updates.
“Two SQL injection vulnerabilities (CVE-2023-44090 and CVE-2023-44091) were discovered in Pandora FMS. Attackers could read arbitrary data from the database, such as user sessions, without logging into the system. After reading the administrator session, an attacker could gain access to the administrator panel and exploit one of the two other vulnerabilities—creating an executable file outside the directory (Path Traversal, CVE-2023-41793) or executing commands in the operating system (OS Command Injection, CVE-2023-44092). This could lead to remote code execution on the server and its complete compromise. Next, the attacker could deploy miners on the server, gain access to private data, and escalate the attack to other hosts in the corporate network,” explains Alexey Solovyev, Positive Technologies Senior Application Security Specialist, who discovered these vulnerabilities.
The vulnerabilities, including CVE-2023-44090 (BDU:2024-03166), CVE-2023-44091 (BDU:2024-03165), CVE-2023-44092 (BDU:2024-03164), and CVE-2023-41793 (BDU:2024-03167), were rated 9.1 on the CVSS 3.0 scale, which indicates a critical level of severity. To eliminate the vulnerabilities, it is necessary to update Pandora FMS to version NG 776 RRR or later.
These vulnerabilities could have been detected as early as the product development stage by a static code analyzer such as PT Application Inspector. Dynamic application analyzers such as PT BlackBox can help promptly identify vulnerabilities of these classes (SQL injection, creation of executable files outside the intended directory, and OS command injection) and prevent their exploitation. Network traffic behavioural analysis systems also detect exploitation of the vulnerabilities mentioned above. For instance, PT Network Attack Discovery (PT NAD) detects attackers exploiting SQL injection, Path Traversal, and OS Command Injection vulnerabilities using detection rules 10010900, 10010901, 10010902, and 10010908.
Web application firewalls such as PT Application Firewall and its cloud-based counterpart, PT Cloud Application Firewall, also offer robust defense against these security weaknesses. To reduce the threat of remote code execution (RCE) on endpoints, including servers, endpoint detection and response (EDR) solutions such as MaxPatrol EDR can be used. Once malicious activity is detected, MaxPatrol EDR sends an alert to MaxPatrol SIEM and stops attackers in their tracks.
Previously, Alexey Solovyev helped eliminate vulnerabilities in the Nagios XI IT monitoring system, which could have led to the theft of private data and the hacking of network infrastructure.