Pandora FMS Reveals High-Risk Security Flaws Affecting 50,000+ Installations

The vulnerabilities, assigned CVEs 2024-35304 through 2024-35307, affect Pandora FMS versions 700 to 776 and have received high CVSS scores

Pandora FMS, the open-source monitoring application with over 50,000 installations worldwide, has issued a security advisory covering multiple vulnerabilities in versions 700 through 776, that is, every release before 777. The flaws include OS command injection, argument injection and SQL injection, and the most serious of them allow unauthenticated remote code execution on the monitoring server.

Pandora FMS, established in 2004, has grown into a comprehensive monitoring solution covering networks, applications, servers and other infrastructure components. Its support for data sources such as logs, WMI, NetFlow and SNMP traps has made it popular with enterprises worldwide, which is also what makes a flaw in its NetFlow and API code paths worth attention: those features are exposed to network traffic by design.

All four issues, CVE-2024-35304 through CVE-2024-35307, affect versions 700 to 776 and carry high CVSSv4 scores:

  • CVE-2024-35304 (CVSSv4 9.3): OS command injection in the Netflow function. User-supplied input reaches a system command without adequate validation, so an attacker who can reach the Netflow feature can run arbitrary commands on the host.
  • CVE-2024-35305 (CVSSv4 8.9): unauthenticated, time-based (blind) SQL injection in the API through the HTTP Authorization header. The injection point is the very value the API uses to authenticate the caller, so no valid account is needed. Nothing from the query is echoed back; the attacker infers results from response delays, which is slower than an error- or union-based injection but still enough to read the database.
  • CVE-2024-35306 (CVSSv4 8.7): OS command injection in the console's Ajax PHP files. Request variables are passed into system commands, so a crafted HTTP request to the affected files executes shell commands on the server.
  • CVE-2024-35307 (CVSSv4 9.4): the highest-scored of the four, an argument injection in the Realtime Graph extension that leads to remote code execution. Request values reach the argument list of an external program, and an unauthenticated attacker can use that to run arbitrary code and fully compromise the server. Argument injection differs from classic command injection in that a value beginning with a dash is interpreted as an option by the invoked program, so filtering shell metacharacters alone does not stop it.
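The two injection classes behind these four CVEs, shown here as an added example that is not Pandora FMS code: a request header spliced into a query next to the bound-parameter form, and request input reaching a command line as a shell string next to a validated argv. The table, the `Bearer <token>` scheme, the `/usr/bin/report-tool` path, the function names and all sample values are assumptions made for the demo, not details from the advisory.

```python
import re
import sqlite3

# Part 1: SQL injection through an HTTP Authorization header.
# Constructed sample data; the table and the "Bearer <token>" scheme are assumptions.

def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE api_users (id INTEGER, name TEXT, token TEXT)")
    conn.execute("INSERT INTO api_users VALUES (1, 'admin', 'c0rrect-t0ken')")
    conn.commit()
    return conn

def token_from_header(authorization: str) -> str:
    # Strips the scheme and nothing more: the rest of the header is untrusted input.
    scheme, _, token = authorization.partition(" ")
    return token if scheme == "Bearer" else authorization

def user_for_header_vulnerable(conn: sqlite3.Connection, authorization: str):
    # The header value is spliced into the statement text. Because this lookup
    # *is* the authentication step, the attacker needs no valid credentials.
    token = token_from_header(authorization)
    row = conn.execute(f"SELECT name FROM api_users WHERE token = '{token}'").fetchone()
    return row[0] if row else None

def user_for_header_fixed(conn: sqlite3.Connection, authorization: str):
    # Bound parameter: the token can only ever be compared as a value.
    token = token_from_header(authorization)
    row = conn.execute("SELECT name FROM api_users WHERE token = ?", (token,)).fetchone()
    return row[0] if row else None

# Part 2: OS command injection and argument injection.
# TOOL is a placeholder for whatever external program a web handler runs.

TOOL = "/usr/bin/report-tool"
HOST_CHARS = re.compile(r"[A-Za-z0-9.-]{1,253}")

def report_cmd_vulnerable(host: str) -> str:
    # A shell string built from request input: ';', '|' or '$( )' in host
    # becomes a second command when this string is handed to a shell.
    return f"{TOOL} --target {host}"

def is_safe_host(host: str) -> bool:
    # Two separate checks: the character allow-list stops shell metacharacters,
    # and the leading-dash check stops argument injection, which an argv list
    # without a shell does NOT prevent (the tool would parse "-r" as an option).
    return bool(HOST_CHARS.fullmatch(host)) and not host.startswith("-")

def report_argv_fixed(host: str) -> list:
    # Hardened: validated value, no shell, and "--" so the tool stops option
    # parsing even if a dash ever slips through a change to the allow-list.
    if not is_safe_host(host):
        raise ValueError(f"rejected host value: {host!r}")
    return [TOOL, "--", host]

if __name__ == "__main__":
    db = make_db()
    for hdr in ("Bearer c0rrect-t0ken", "Bearer ' OR 1=1 --"):
        print(f"{hdr!r:24} vulnerable={user_for_header_vulnerable(db, hdr)!r:8} "
              f"fixed={user_for_header_fixed(db, hdr)!r}")
    for host in ("10.0.0.1", "10.0.0.1; id", "-r"):
        print(f"{host!r:16} shell={report_cmd_vulnerable(host)!r}  safe={is_safe_host(host)}")
```

The vulnerable lookup accepts the crafted header as `admin` because the trailing `--` comments out the closing quote; the time-based variant described in the advisory works the same way, except the injected string calls a database delay function and the attacker measures response time instead of reading a result. The bound-parameter version neutralises both, since the header is never parsed as SQL. On the command side, note that `is_safe_host` rejects `-r` even though it contains no shell metacharacters at all: that is the argument-injection case, and it survives a switch from a shell string to an argv list unless the value is validated or terminated with `--`.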

Pandora FMS has released version 777, which fixes all four issues. Any installation reporting a version below 777 should be upgraded without delay. Until the upgrade is applied, restricting network access to the web console and the API limits exposure, since at least two of the four flaws require no authentication at all.