CVE-2019-10665
Description
CVE-2019-10665 is an RRDtool injection vulnerability in LibreNMS through 1.47, allowing unauthenticated attackers to read files, disclose directory contents, or achieve denial of service.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
CVE-2019-10665 is a command injection vulnerability in LibreNMS, a network monitoring system, affecting versions through 1.47. The issue lies in the html/includes/graphs/common.inc.php and html/includes/graphs/graphs.inc.php scripts, which fail to properly validate or encode user-supplied input when handling graphing options. While some parameters are sanitized with mysqli_real_escape_string (effective only against SQL injection), others are left unfiltered, allowing the injection of arbitrary RRDtool syntax with newline characters via the html/graph.php script [1].
Exploitation
An attacker can exploit this by sending specially crafted requests to the graph.php endpoint. The injection of newline-separated RRDtool commands enables the attacker to execute arbitrary RRDtool instructions. No authentication is required if the graphing interface is exposed; LibreNMS is often deployed internally, but unauthenticated access to the web UI may be possible depending on configuration [2]. The vulnerability does not require direct access to the underlying OS, only HTTP access to the LibreNMS instance.
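A defender can look for the newline-based injection described above in web server access logs. The following is an added example, not LibreNMS code: it flags requests to graph.php whose query parameters decode to CR, LF or other control characters. The log lines, parameter names and placeholder values are constructed for illustration, and the combined log format is an assumption.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Request field of a combined-format access log line: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'^(?P<ip>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')
CONTROL_RE = re.compile(r'[\x00-\x1f\x7f]')  # CR, LF and other control characters
MAX_DECODE_ROUNDS = 3  # also catches double-encoded values such as %250A

# Constructed sample log lines (parameter names and values are illustrative only).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Apr/2019:10:00:00 +0000] "GET /graph.php?id=12&type=port_bits HTTP/1.1" 200 5120',
    '198.51.100.7 - - [01/Apr/2019:10:00:05 +0000] "GET /graph.php?id=12&title=a%0APLACEHOLDER HTTP/1.1" 200 312',
    '198.51.100.7 - - [01/Apr/2019:10:00:09 +0000] "GET /graph.php?id=12&from=1%250dPLACEHOLDER HTTP/1.1" 200 312',
    '203.0.113.4 - - [01/Apr/2019:10:01:00 +0000] "GET /index.php?note=a%0Ab HTTP/1.1" 200 900',
]

def fully_decode(text):
    """Percent-decode repeatedly so nested encodings are unwrapped."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote_plus(text)
        if decoded == text:
            break
        text = decoded
    return text

def suspicious_params(target):
    """Return names of graph.php query parameters that carry control characters."""
    parts = urlsplit(target)
    if not parts.path.endswith("/graph.php"):
        return []
    hits = []
    for pair in parts.query.split("&"):
        name, _, value = pair.partition("=")
        if CONTROL_RE.search(fully_decode(name)) or CONTROL_RE.search(fully_decode(value)):
            hits.append(name)
    return hits

def scan(lines):
    """Return (client_ip, [parameter names]) for every flagged request."""
    findings = []
    for line in lines:
        match = REQUEST_RE.match(line)
        params = suspicious_params(match.group("target")) if match else []
        if params:
            findings.append((match.group("ip"), params))
    return findings

if __name__ == "__main__":
    for ip, params in scan(SAMPLE_LOG):
        print(f"{ip}: control characters in {', '.join(params)}")
```

Legitimate graph requests have no reason to carry control characters, so any hit is worth reviewing. The check only sees GET query strings; POST bodies are not written to a standard access log.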
Impact
Successful exploitation can lead to several severe outcomes: disclosure of directory structure and filenames, reading of arbitrary file contents (e.g., configuration files containing credentials), overwriting of files (potentially leading to remote code execution), or denial of service by corrupting RRD databases. The flexibility of RRDtool syntax means an attacker can chain commands to achieve a variety of malicious goals [1].
Mitigation
The vulnerability is fixed in LibreNMS versions after 1.47. The project recommends upgrading to the latest release immediately. No workaround is available that completely eliminates the risk; restricting network access to the LibreNMS web interface can reduce exposure but does not patch the underlying flaw [1].
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| librenms/librenms (Packagist) | <= 1.47 | — |
Affected products
- LibreNMS/LibreNMS
Patches
No patches discovered yet.