VYPR
High severity · NVD Advisory · Published Sep 9, 2019 · Updated Aug 4, 2024

CVE-2019-12463

Description

LibreNMS 1.50.1 failing to sanitize user input in graphing scripts allows authenticated RRDtool injection, enabling file disclosure, DoS, or arbitrary file write.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability Description

The vulnerability lies in the LibreNMS graphing scripts includes/html/graphs/common.inc.php and includes/html/graphs/graphs.inc.php. These scripts fail to properly validate or encode several user-supplied input fields. Some parameters are sanitized with mysqli_real_escape_string, which is only effective against SQL injection; others are left unfiltered, allowing injection of arbitrary RRDtool syntax via newline characters through html/graph.php and html/graph-realtime.php [1].

Exploitation

An authenticated attacker can inject RRDtool commands by crafting malicious input to the graphing parameters. The injection leverages newline characters to break out of intended RRDtool command structures. This requires authentication, unlike the related CVE-2019-10665, and the specific pathnames differ [1].

Impact

RRDtool's syntax is versatile, enabling an attacker to perform multiple malicious actions: disclosing directory structure and file names, reading file contents, causing denial of service, or writing arbitrary files to the server. The full impact depends on the server's configuration and the privileges of the LibreNMS process [1].

Mitigation

No official patch is detailed in the available reference. Users should update to a fixed version if available, or restrict access to the affected scripts to trusted users only. The requirement for authentication reduces the attack surface compared to unauthenticated vulnerabilities [1].
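As an added illustration of the two defender-side controls this advisory points at (not LibreNMS code and not the project's fix), the block below shows a conservative allow-list check for values that reach RRDtool, where escaping for SQL gives no protection against newline injection, and a scan over constructed access-log lines for requests to graph.php or graph-realtime.php carrying raw or percent-encoded control characters in any query parameter. The parameter names and log lines are constructed for the example; only the two endpoint paths come from the advisory.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Endpoints named in the advisory. Parameter names used in the sample
# log below (device, type, from, id, interval) are constructed examples,
# not LibreNMS's actual parameter list.
GRAPH_ENDPOINTS = ("/graph.php", "/graph-realtime.php")

# A newline (or CR/NUL) is what lets one RRDtool argument spill into
# additional RRDtool syntax; mysqli_real_escape_string does not touch it.
CONTROL_CHARS = re.compile(r"[\r\n\x00]")


def is_safe_graph_param(value: str) -> bool:
    """Allow-list check for a value destined for an RRDtool command line.

    Assumes graph parameters are identifiers, numbers or time offsets
    (e.g. 'device_bits', '-1d'); anything outside a small character set,
    including any control character, is rejected rather than escaped.
    """
    return re.fullmatch(r"[A-Za-z0-9_.:-]{1,64}", value) is not None


def flag_rrdtool_injection(log_line: str) -> bool:
    """True if a combined-format access-log line requests a graph endpoint
    with a control character in any query parameter. parse_qsl decodes one
    level of percent-encoding; the extra unquote() also catches %250A."""
    m = re.search(r'"(?:GET|POST) (\S+) HTTP', log_line)
    if not m:
        return False
    url = urlsplit(m.group(1))
    if not url.path.endswith(GRAPH_ENDPOINTS):
        return False
    return any(CONTROL_CHARS.search(unquote(v))
               for _, v in parse_qsl(url.query, keep_blank_values=True))


def suspicious_requests(lines):
    """Return the log lines that look like RRDtool newline injection."""
    return [line for line in lines if flag_rrdtool_injection(line)]


# Constructed sample log: two benign graph requests, one graph request with
# an encoded newline in the 'type' parameter, one unrelated page.
SAMPLE_LOG = [
    '10.0.0.5 - admin [09/Sep/2019:10:00:01 +0000] "GET /graph.php?device=1&type=device_bits&from=-1d HTTP/1.1" 200 5120',
    '10.0.0.5 - admin [09/Sep/2019:10:00:07 +0000] "GET /graph-realtime.php?id=3&interval=5 HTTP/1.1" 200 2048',
    '10.0.0.9 - user2 [09/Sep/2019:10:01:15 +0000] "GET /graph.php?device=1&type=device_bits%0Ainjected HTTP/1.1" 200 5120',
    '10.0.0.9 - user2 [09/Sep/2019:10:01:20 +0000] "GET /index.php?page=%0a HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print("suspicious:", hit)
```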

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: librenms/librenms (Packagist)
Affected versions: >= 1.50.1, < 1.53
Patched versions: 1.53
