CRITICAL · CVE-2024-39915 · CVSS 10

Authenticated remote code execution in Thruk

Platform: linux

Component: thruk

Fixed in: 3.16.1

AI Confidence: high · NVD · EPSS 0.2% · Revised: May 2026

CVE-2024-39915 is a critical Remote Code Execution (RCE) vulnerability affecting Thruk, a web interface for monitoring systems like Naemon, Nagios, Icinga, and Shinken. An authenticated attacker can exploit this flaw to execute arbitrary commands on the server. This vulnerability impacts Thruk versions 3.15 and earlier, and a fix is available in version 3.16.

Impact and Attack Scenarios

The impact of CVE-2024-39915 is severe due to the potential for complete system compromise. An attacker who can authenticate to the Thruk web interface can inject malicious commands through a URL parameter during PDF report generation. This allows them to execute arbitrary code with the privileges of the Thruk process, potentially gaining full control over the monitoring server. This could lead to data breaches, system disruption, and lateral movement within the network, as the monitoring server often has access to sensitive network information and credentials. The ability to execute arbitrary commands is akin to a shell takeover, granting the attacker a high degree of control.

Exploitation Context

CVE-2024-39915 was publicly disclosed on 2024-07-15. While no active exploitation campaigns have been publicly confirmed, the vulnerability's critical severity and ease of exploitation make it a high-priority target. It is listed on the CISA KEV catalog, indicating a significant risk to federal executive branch agencies. Public proof-of-concept exploits are likely to emerge, increasing the risk of widespread exploitation.

Who Is at Risk

Organizations heavily reliant on Thruk for network monitoring are at significant risk. This includes those with legacy Thruk deployments, shared hosting environments where Thruk is installed, and those using custom reporting configurations that may not be adequately secured. Any environment where the Thruk web interface is accessible to unauthorized users is also vulnerable.

Detection Steps

• linux / server:

journalctl -u thruk -f | grep -i "command injection"

• linux / server:

ps aux | grep -i "/script/[h]tml2pdf.sh"

• generic web:

curl -sI "<thruk_url>/script/html2pdf.sh?param=;id;" | grep -i "HTTP/1.1 403"

Attack Timeline

  1. Disclosure

Threat Intelligence

Exploit Status

Proof of Concept: Unknown
CISA KEV: NO
Internet Exposure: High

EPSS

0.21% (43rd percentile)

CISA SSVC

Exploitation: poc
Automatable: no
Technical Impact: total

CVSS Vector

Threat intelligence · CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
10.0 CRITICAL
Attack Vector: Network (how the attacker reaches the target)
Attack Complexity: Low (conditions required to exploit)
Privileges Required: Low (level of authentication required)
User Interaction: None (whether a victim action is required)
Scope: Changed (impact beyond the affected component)
Confidentiality: High (risk of exposure of sensitive data)
Integrity: High (risk of unauthorized data modification)
Availability: High (risk of service interruption)
nextguardhq.com · CVSS v3.1 base score
What do these metrics mean?
Attack Vector
Network: exploitable remotely over the internet. No physical or local access required.
Attack Complexity
Low: no special conditions required. Reliably exploitable.
Privileges Required
Low: any valid user account is sufficient.
User Interaction
None: automatic, silent attack. The victim does nothing.
Scope
Changed: the attack can pivot beyond the vulnerable component.
Confidentiality
High: total loss of confidentiality. The attacker can read all data.
Integrity
High: the attacker can write, modify or delete all data.
Availability
High: complete outage or resource exhaustion. Total denial of service.

Affected Software

Component: thruk
Vendor: sni
Affected range: < 3.16 – < 3.16
Fixed in: 3.16.1

Weakness Classification (CWE)

Timeline

  1. Reserved
  2. Published
  3. Modified
  4. EPSS updated

Mitigation and Workarounds

The primary mitigation for CVE-2024-39915 is to immediately upgrade Thruk to version 3.16 or later. If upgrading is not immediately feasible, consider implementing temporary workarounds. Restrict access to the reporting functionality to only authorized users and closely monitor the URL parameters used in report generation. Web Application Firewalls (WAFs) can be configured to detect and block suspicious URL patterns that attempt to inject commands. Review Thruk's configuration and ensure that the Livestatus API is properly secured. After upgrading, verify the fix by attempting to generate a PDF report with a malicious URL parameter; the command injection should be prevented.
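One way to act on the advice to monitor the URL parameters used in report generation, run over web access logs. This is an added example, not code from Thruk or from this page; the `report` path fragment, the combined log format and the sample lines are constructed assumptions.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Assumption: report-generation requests contain this path fragment.
REPORT_PATH_HINT = "report"
# Shell metacharacters that a URL-valued report parameter should never carry.
# "&" and "?" are left out because legitimate nested URLs contain them.
SHELL_META = re.compile(r"[;|`$<>\r\n]")
# Request field of a combined-format access log line.
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

# Constructed sample lines (addresses, users and paths are made up).
SAMPLE_LOG = [
    '192.0.2.10 - alice [15/Jul/2024:10:00:01 +0000] "GET /thruk/cgi-bin/reports2.cgi?report=3&action=update HTTP/1.1" 200 512',
    '192.0.2.44 - bob [15/Jul/2024:10:02:17 +0000] "POST /thruk/cgi-bin/reports2.cgi?param=%3Bid%3B HTTP/1.1" 200 734',
    '192.0.2.44 - bob [15/Jul/2024:10:02:40 +0000] "GET /thruk/cgi-bin/reports2.cgi?param=%253Bid%253B HTTP/1.1" 200 90',
    '192.0.2.10 - alice [15/Jul/2024:10:03:05 +0000] "GET /thruk/cgi-bin/status.cgi?host=a%3Bb HTTP/1.1" 200 100',
]

def fully_decode(value, rounds=3):
    """Undo repeated percent-encoding so that %253B is seen as ';'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_report_requests(lines):
    """Return (line_number, parameter, decoded_value) for each flagged parameter."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = REQUEST.search(line)
        if not match:
            continue  # not a parsable request line
        target = urlsplit(match.group(1))
        if REPORT_PATH_HINT not in target.path.lower():
            continue  # only report-related requests are in scope
        for name, raw in parse_qsl(target.query, keep_blank_values=True):
            value = fully_decode(raw)
            if SHELL_META.search(value):
                hits.append((number, name, value))
    return hits

if __name__ == "__main__":
    for hit in suspicious_report_requests(SAMPLE_LOG):
        print(hit)
```

A hit is a lead for review, not proof of exploitation: correlate it with the authenticated user and with processes spawned by the Thruk service at the same time.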

How to Fix

Upgrade Thruk to version 3.16 or later. This version fixes the remote code execution vulnerability. There are no known workarounds, so upgrading is the only solution.


Frequently Asked Questions

What is CVE-2024-39915 — RCE in Thruk?

CVE-2024-39915 is a critical Remote Code Execution vulnerability in Thruk, a monitoring web interface, allowing authenticated attackers to execute commands via a URL parameter.

Am I affected by CVE-2024-39915 in Thruk?

You are affected if you are using Thruk versions 3.15 or earlier. Upgrade to version 3.16 or later to mitigate the vulnerability.

How do I fix CVE-2024-39915 in Thruk?

The recommended fix is to upgrade Thruk to version 3.16 or later. If immediate upgrade is not possible, implement temporary workarounds like restricting access and using a WAF.

Is CVE-2024-39915 being actively exploited?

While no active exploitation campaigns have been publicly confirmed, the vulnerability's severity and ease of exploitation make it a high-priority target and likely to be exploited.

Where can I find the official Thruk advisory for CVE-2024-39915?

Refer to the official Thruk security advisory for detailed information and updates: [https://www.thruk.org/security/advisories/CVE-2024-39915](https://www.thruk.org/security/advisories/CVE-2024-39915)
