CVE-2024-39915 is a critical Remote Code Execution (RCE) vulnerability affecting Thruk, a web interface for monitoring systems like Naemon, Nagios, Icinga, and Shinken. An authenticated attacker can exploit this flaw to execute arbitrary commands on the server. This vulnerability impacts Thruk versions 3.15 and earlier, and a fix is available in version 3.16.
The impact of CVE-2024-39915 is severe due to the potential for complete system compromise. An attacker who can authenticate to the Thruk web interface can inject malicious commands through a URL parameter during PDF report generation. This allows them to execute arbitrary code with the privileges of the Thruk process, potentially gaining full control over the monitoring server. This could lead to data breaches, system disruption, and lateral movement within the network, as the monitoring server often has access to sensitive network information and credentials. The ability to execute arbitrary commands is akin to a shell takeover, granting the attacker a high degree of control.
CVE-2024-39915 was publicly disclosed on 2024-07-15. While no active exploitation campaigns have been publicly confirmed, the vulnerability's critical severity and ease of exploitation make it a high-priority target. It is listed on the CISA KEV catalog, indicating a significant risk to federal executive branch agencies. Public proof-of-concept exploits are likely to emerge, increasing the risk of widespread exploitation.
Organizations heavily reliant on Thruk for network monitoring are at significant risk. This includes those with legacy Thruk deployments, shared hosting environments where Thruk is installed, and those using custom reporting configurations that may not be adequately secured. Any environment where the Thruk web interface is accessible to unauthorized users is also vulnerable.
• linux / server:
  journalctl -u thruk -f | grep -i "command injection"
• linux / server:
  ps aux | grep -i "[/]script/html2pdf.sh"
• generic web:
  curl -I "<thruk_url>/script/html2pdf.sh?param=;id;" | grep -i "HTTP/1.1 403"
EPSS: 0.21% (43rd percentile)
The primary mitigation for CVE-2024-39915 is to immediately upgrade Thruk to version 3.16 or later. If upgrading is not immediately feasible, consider implementing temporary workarounds. Restrict access to the reporting functionality to only authorized users and closely monitor the URL parameters used in report generation. Web Application Firewalls (WAFs) can be configured to detect and block suspicious URL patterns that attempt to inject commands. Review Thruk's configuration and ensure that the Livestatus API is properly secured. After upgrading, verify the fix by attempting to generate a PDF report with a malicious URL parameter; the command injection should be prevented.
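The paragraph above recommends monitoring the URL parameters passed to report generation. The following is an added example, not code from the page or from the Thruk project: it scans web-server access log lines for report requests whose query parameters carry shell metacharacters, and checks a reported Thruk version against the fixed release 3.16. The log lines and the report path are constructed assumptions for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Shell metacharacters that have no legitimate use in a report URL parameter.
SHELL_META = re.compile(r"[;|&`$(){}<>\n]")

# Assumed report endpoint path; replace with the real path of your deployment.
REPORT_PATHS = ("/thruk/reports",)

# Constructed sample log (combined log format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - alice [15/Jul/2024:10:01:02 +0000] "GET /thruk/reports?action=generate&report=1 HTTP/1.1" 200 512
10.0.0.9 - bob [15/Jul/2024:10:02:30 +0000] "GET /thruk/reports?action=generate&url=http://x%3Bid%3B HTTP/1.1" 200 128
10.0.0.5 - alice [15/Jul/2024:10:03:00 +0000] "GET /thruk/status?host=all HTTP/1.1" 200 2048
"""

LINE_RE = re.compile(r'^(\S+) \S+ (\S+) \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def suspicious_params(url):
    """Return {name: value} for query parameters whose value contains shell metacharacters.
    parse_qsl already percent-decodes once; unquote again to also catch double-encoding."""
    query = urlsplit(url).query
    return {k: v for k, v in parse_qsl(query, keep_blank_values=True)
            if SHELL_META.search(unquote(v))}

def scan_access_log(text, report_paths=REPORT_PATHS):
    """Flag report-generation requests carrying shell metacharacters in any parameter."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, user, ts, method, url, status = m.groups()
        if not any(urlsplit(url).path.startswith(p) for p in report_paths):
            continue  # only report endpoints are in scope
        bad = suspicious_params(url)
        if bad:
            findings.append({"ip": ip, "user": user, "time": ts, "params": bad})
    return findings

FIXED_VERSION = (3, 16)  # first Thruk release containing the fix, per the advisory

def needs_upgrade(version_string):
    """True when the reported version is older than 3.16; an unparsable version is treated as old."""
    parts = tuple(int(p) for p in re.findall(r"\d+", version_string)[:2])
    return parts < FIXED_VERSION

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print("ALERT report request with shell metacharacters:", f)
    print("Thruk 3.15 needs upgrade:", needs_upgrade("3.15"))
```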
Upgrade Thruk to version 3.16 or later. This version fixes the remote code execution vulnerability. There is no known workaround, so upgrading is the only solution.
CVE-2024-39915 is a critical Remote Code Execution vulnerability in Thruk, a monitoring web interface, allowing authenticated attackers to execute commands via a URL parameter.
You are affected if you are using Thruk versions 3.15 or earlier. Upgrade to version 3.16 or later to mitigate the vulnerability.
The recommended fix is to upgrade Thruk to version 3.16 or later. If immediate upgrade is not possible, implement temporary workarounds like restricting access and using a WAF.
While no active exploitation campaigns have been publicly confirmed, the vulnerability's severity and ease of exploitation make it a high-priority target and likely to be exploited.
Refer to the official Thruk security advisory for detailed information and updates: [https://www.thruk.org/security/advisories/CVE-2024-39915](https://www.thruk.org/security/advisories/CVE-2024-39915)