Covered by FixVibe. Severity: critical

Critical OS command injection in LibreNMS (CVE-2024-51092)

LibreNMS versions up to and including 24.9.1 contain a critical OS command injection vulnerability (CVE-2024-51092). An authenticated attacker can execute arbitrary commands on the host system, which can lead to total compromise of the monitoring infrastructure.

CVE-2024-51092 · GHSA-x645-6pf9-xwxw · CWE-78

Impact

LibreNMS 24.9.1 and earlier contain a vulnerability that allows authenticated users to perform OS command injection [S2]. Successful exploitation executes arbitrary commands with the privileges of the web server user [S1]. This can lead to full compromise of the host, unauthorized access to sensitive monitoring data, and lateral movement into the network infrastructure that LibreNMS manages [S2].

Root Cause

The vulnerability is rooted in improper neutralization of user-supplied input before it is incorporated into an operating system command [S1]; the flaw is classified as CWE-78 [S1]. In affected versions, specific authenticated endpoints fail to adequately validate or sanitize request parameters before passing them to system-level execution functions [S2].
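The generic shape of a CWE-78 bug, shown as an added example that is not LibreNMS code and does not claim to be the affected endpoint: a request parameter (here a hostname) is concatenated into a shell command line, beside the hardened form that validates the value against an allowlist and passes it as a single argv element with no shell. The `echo` stand-in for the invoked tool, the hostname pattern and the `INJECTED` marker are all assumptions made so the snippet runs offline on a POSIX host; the same pattern in PHP maps to `shell_exec`/`exec` on an interpolated string versus the array form of `proc_open` plus validation.

```python
import re
import subprocess

# "echo" stands in for whatever tool a monitoring endpoint might invoke (ping, snmpget, ...),
# so the example runs offline and an injected command only prints a marker (assumption).
TOOL = "echo"


def run_vulnerable(host: str) -> str:
    """CWE-78 pattern: untrusted input concatenated into a shell command line.
    With shell=True the string is handed to /bin/sh, so ';', '|', '$(...)' and friends
    inside `host` are interpreted as shell syntax rather than as data."""
    completed = subprocess.run(f"{TOOL} {host}", shell=True, capture_output=True, text=True)
    return completed.stdout


# Allowlist: DNS hostname characters only, and the first character must not be '-',
# so the value can never be parsed as an option by the invoked tool (argument injection).
HOSTNAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9.-]{0,252}")


def is_valid_hostname(host: str) -> bool:
    return HOSTNAME_RE.fullmatch(host) is not None


def run_hardened(host: str) -> str:
    """Validate first, then pass the value as one argv element (no shell): whatever
    it contains, it can only ever be a single argument to the tool."""
    if not is_valid_hostname(host):
        raise ValueError(f"rejected hostname: {host!r}")
    completed = subprocess.run([TOOL, host], capture_output=True, text=True)
    return completed.stdout


if __name__ == "__main__":
    payload = "example.com; echo INJECTED"   # constructed attacker input
    print(run_vulnerable(payload), end="")    # two lines: the shell ran a second command
    print(run_hardened("example.com"), end="")  # one line
    try:
        run_hardened(payload)
    except ValueError as exc:
        print(exc)
```

Quoting the value (`shlex.quote`, PHP's `escapeshellarg`) while keeping the shell is a weaker fix than dropping the shell altogether, and neither stops a value such as `-n` from being read as an option by the tool; that is why the allowlist also pins the first character.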

Remediation

Users should upgrade their LibreNMS installation to version 24.10.0 or later to resolve this issue [S2]. As a general security best practice, access to the LibreNMS administrative interface should be restricted to trusted network segments using firewalls or access control lists (ACLs) [S1]; note that this limits exposure but does not remove the flaw, since any authenticated account can reach the affected endpoints.

How FixVibe tests for it

FixVibe now includes this check in GitHub repo scans. It reads only authorized repository dependency files, including composer.lock and composer.json, flags librenms/librenms locked versions or version constraints that fall within the affected range (<=24.9.1), and reports the dependency file, line number, advisory IDs, affected range, and fixed version. A locked version is definitive; a composer.json constraint match only shows that an affected version could be resolved, so the lock file is the authoritative signal when both are present.

This is a static, read-only repo check. It does not execute customer code and does not send exploit payloads.
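How such a static, read-only check can work, as an added illustration rather than FixVibe's own scanner code: the advisory data is taken from this page, the sample composer.lock and composer.json contents are constructed inline, and the constraint handling (exact, `^`, `~`, `>=`, `>`, wildcard, hyphen and `||` forms, judged on their lower bound only) is an assumption about what "constraints that match the affected range" should mean.

```python
import json
import re
from dataclasses import dataclass
from typing import List, Tuple

# Advisory data as stated on this page; the matching logic is an illustration, not FixVibe's scanner.
PACKAGE = "librenms/librenms"
ADVISORIES = ("CVE-2024-51092", "GHSA-x645-6pf9-xwxw")
AFFECTED_RANGE = "<=24.9.1"
AFFECTED_MAX = "24.9.1"
FIXED_VERSION = "24.10.0"


@dataclass
class Finding:
    file: str      # dependency file that matched
    line: int      # 1-based line of the matching entry (0 if it could not be located)
    version: str   # locked version or declared constraint
    advisories: Tuple[str, ...] = ADVISORIES
    affected_range: str = AFFECTED_RANGE
    fixed_version: str = FIXED_VERSION


def parse_version(v: str) -> Tuple[int, int, int]:
    """'v24.9.1' -> (24, 9, 1); '24.10.0-rc1' -> (24, 10, 0); '24.9.*' -> (24, 9, 0)."""
    core = v.strip().lstrip("vV").split("-")[0].split("+")[0]
    parts = [int(p) if p.isdigit() else 0 for p in core.split(".")]
    return tuple((parts + [0, 0, 0])[:3])


def is_affected(version: str) -> bool:
    """Locked (exact) version inside the affected range."""
    return parse_version(version) <= parse_version(AFFECTED_MAX)


def constraint_admits_affected(constraint: str) -> bool:
    """True if a composer.json constraint can resolve to a version in the affected range.
    Only the lower bound matters: '<' / '!=' tokens never raise it, and a constraint with
    no lower bound admits everything. Hyphen ranges contribute their lower end only."""
    limit = parse_version(AFFECTED_MAX)
    for alt in constraint.split("||"):
        alt = alt.split(" - ")[0]
        lower, inclusive = (0, 0, 0), True
        for tok in re.split(r"[\s,]+", alt.strip()):
            if not tok or tok[0] in "<!":
                continue
            exclusive = tok.startswith(">") and not tok.startswith(">=")
            ver = parse_version(tok.lstrip("^~>=v"))
            if ver > lower:
                lower, inclusive = ver, not exclusive
        if lower < limit or (lower == limit and inclusive):
            return True
    return False


def _line_after(lines: List[str], anchor: str, key: str) -> int:
    """1-based number of the first line containing `key` at or after the first line containing `anchor`."""
    for i, text in enumerate(lines):
        if anchor in text:
            for j in range(i, len(lines)):
                if key in lines[j]:
                    return j + 1
    return 0


def scan_composer_lock(name: str, text: str) -> List[Finding]:
    data, lines = json.loads(text), text.splitlines()
    hits = []
    for section in ("packages", "packages-dev"):
        for pkg in data.get(section, []):
            if pkg.get("name") == PACKAGE and is_affected(pkg.get("version", "")):
                line = _line_after(lines, f'"name": "{PACKAGE}"', '"version"')
                hits.append(Finding(name, line, pkg["version"]))
    return hits


def scan_composer_json(name: str, text: str) -> List[Finding]:
    data, lines = json.loads(text), text.splitlines()
    hits = []
    for section in ("require", "require-dev"):
        constraint = data.get(section, {}).get(PACKAGE)
        if constraint and constraint_admits_affected(constraint):
            hits.append(Finding(name, _line_after(lines, f'"{PACKAGE}"', f'"{PACKAGE}"'), constraint))
    return hits


def report(findings: List[Finding]) -> List[str]:
    return [f"{f.file}:{f.line} {PACKAGE} {f.version} matches {f.affected_range} "
            f"({', '.join(f.advisories)}); fixed in {f.fixed_version}" for f in findings]


# Constructed sample inputs (not real repository files).
SAMPLE_COMPOSER_LOCK = """{
    "packages": [
        {
            "name": "monolog/monolog",
            "version": "3.5.0"
        },
        {
            "name": "librenms/librenms",
            "version": "24.9.1"
        }
    ],
    "packages-dev": []
}"""

SAMPLE_COMPOSER_JSON = """{
    "require": {
        "php": ">=8.1",
        "librenms/librenms": "^24.0"
    }
}"""

if __name__ == "__main__":
    for line in report(scan_composer_lock("composer.lock", SAMPLE_COMPOSER_LOCK)
                       + scan_composer_json("composer.json", SAMPLE_COMPOSER_JSON)):
        print(line)
```

The check never executes anything from the repository: it parses JSON, compares version tuples, and locates the matching line by text search, which is all the page's description of a read-only scan requires.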