Platform
linux
Component
thruk
Fixed in
3.16.1
CVE-2024-39915 is a critical Remote Code Execution (RCE) vulnerability affecting Thruk, a web interface for monitoring systems like Naemon, Nagios, Icinga, and Shinken. An authenticated attacker can exploit this flaw to execute arbitrary commands on the server. This vulnerability impacts Thruk versions 3.15 and earlier, and a fix is available in version 3.16.
The impact of CVE-2024-39915 is severe due to the potential for complete system compromise. An attacker who can authenticate to the Thruk web interface can inject malicious commands through a URL parameter during PDF report generation. This allows them to execute arbitrary code with the privileges of the Thruk process, potentially gaining full control over the monitoring server. This could lead to data breaches, system disruption, and lateral movement within the network, as the monitoring server often has access to sensitive network information and credentials. The ability to execute arbitrary commands is akin to a shell takeover, granting the attacker a high degree of control.
CVE-2024-39915 was publicly disclosed on 2024-07-15. While no active exploitation campaigns have been publicly confirmed, the vulnerability's critical severity and ease of exploitation make it a high-priority target. It is listed on the CISA KEV catalog, indicating a significant risk to federal executive branch agencies. Public proof-of-concept exploits are likely to emerge, increasing the risk of widespread exploitation.
Organizations heavily reliant on Thruk for network monitoring are at significant risk. This includes those with legacy Thruk deployments, shared hosting environments where Thruk is installed, and those using custom reporting configurations that may not be adequately secured. Any environment where the Thruk web interface is accessible to unauthorized users is also vulnerable.
• linux / server:
journalctl -u thruk -f | grep -i "command injection"
• linux / server:
ps aux | grep -i "[/]script/html2pdf.sh" && ps -ef | grep -i "[/]script/html2pdf.sh"
• generic web:
curl -I '<thruk_url>/script/html2pdf.sh?param=;id;' | grep -i "HTTP/1.1 403"
Exploit Status
EPSS
0.21% (43rd percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2024-39915 is to immediately upgrade Thruk to version 3.16 or later. If upgrading is not immediately feasible, consider implementing temporary workarounds. Restrict access to the reporting functionality to only authorized users and closely monitor the URL parameters used in report generation. Web Application Firewalls (WAFs) can be configured to detect and block suspicious URL patterns that attempt to inject commands. Review Thruk's configuration and ensure that the Livestatus API is properly secured. After upgrading, verify the fix by attempting to generate a PDF report with a malicious URL parameter; the command injection should be prevented.
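The detection checks listed above and the advice to monitor URL parameters used in report generation can be turned into a concrete log check. The following is an added example, not code from Thruk or from the advisory: it scans web-server access log lines for PDF-report requests whose query parameters, once URL-decoded, contain shell metacharacters. The log lines, the reports2.cgi path, and the url parameter name are constructed assumptions for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Shell metacharacters that have no business in a URL handed to a shell script
SHELL_META = re.compile(r'[;&|`$(){}<>\n]')

# Constructed sample lines in Apache combined log format (not real Thruk logs).
# The endpoint path and the "url" parameter name are assumptions, not taken
# from the advisory.
SAMPLE_LOG = """\
10.0.0.5 - alice [15/Jul/2024:10:01:02 +0000] "GET /thruk/cgi-bin/reports2.cgi?action=pdf&url=%2Fthruk%2Fcgi-bin%2Fstatus.cgi%3Fhost%3Dall HTTP/1.1" 200 5120
10.0.0.7 - bob [15/Jul/2024:10:02:15 +0000] "GET /thruk/cgi-bin/reports2.cgi?action=pdf&url=%2Fthruk%2Fcgi-bin%2Fstatus.cgi%3B%20id HTTP/1.1" 200 310
10.0.0.9 - - [15/Jul/2024:10:03:40 +0000] "GET /thruk/cgi-bin/status.cgi?host=all HTTP/1.1" 200 8000
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def suspicious_params(target):
    """Return (name, decoded value) for every query parameter containing shell metacharacters."""
    hits = []
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        if SHELL_META.search(value):
            hits.append((name, value))
    return hits

def scan_log(text, path_hint="pdf"):
    """Flag requests whose URL mentions path_hint and carries shell metacharacters in a parameter."""
    alerts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not in the expected log format, skip
        target = m.group("target")
        if path_hint not in target.lower():
            continue  # only report-generation requests are of interest here
        hits = suspicious_params(target)
        if hits:
            alerts.append({"ip": m.group("ip"), "user": m.group("user"),
                           "ts": m.group("ts"), "params": hits})
    return alerts

if __name__ == "__main__":
    for a in scan_log(SAMPLE_LOG):
        print(f"{a['ts']} {a['ip']} user={a['user']} suspicious={a['params']}")
```

Run it against a real access log by replacing SAMPLE_LOG with the file contents; a hit is a reason to review the user's session and confirm the Thruk version is 3.16 or later.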
Update Thruk to version 3.16 or later. This version fixes the remote code execution vulnerability. There are no known workarounds, so updating is the only solution.
CVE-2024-39915 is a critical Remote Code Execution vulnerability in Thruk, a monitoring web interface, allowing authenticated attackers to execute commands via a URL parameter.
You are affected if you are using Thruk versions 3.15 or earlier. Upgrade to version 3.16 or later to mitigate the vulnerability.
The recommended fix is to upgrade Thruk to version 3.16 or later. If immediate upgrade is not possible, implement temporary workarounds like restricting access and using a WAF.
While no active exploitation campaigns have been publicly confirmed, the vulnerability's severity and ease of exploitation make it a high-priority target and likely to be exploited.
Refer to the official Thruk security advisory for detailed information and updates: [https://www.thruk.org/security/advisories/CVE-2024-39915](https://www.thruk.org/security/advisories/CVE-2024-39915)