Summary
An authenticated attacker can create dangerous directory names on the system and alter sensitive configuration parameters through the web portal. Those two defects combined then allows to inject arbitrary OS commands inside shell_exec() calls, thus achieving arbitrary code execution.
Details
OS Command Injection
We start by inspecting the file app/Http/Controllers/AboutController.php, more particularly the index() method which is executed upon simply visiting the /about page:
public function index(Request $request)
{
$version = Version::get();
return view('about.index', [
<TRUNCATED>
'version_webserver' => $request->server('SERVER_SOFTWARE'),
'version_rrdtool' => Rrd::version(),
'version_netsnmp' => str_replace('version: ', '', rtrim(shell_exec(Config::get('snmpget', 'snmpget') . ' -V 2>&1'))),
<TRUNCATED>
]);
}
We can see that the version_netsnmp key receives a value direclty dependent of a shell_exec() call. The argument to this call reflects a configuration parameter with no sanitization. Should an attacker identify a way to alter this parameter, the server is at risk of being compromised.
Configuration parameters poisoning
We now focus on the update() method of the SettingsController.php script. This method is called when the user visits the route /settings/{key} via HTTP PUT. The key parameter here is simply the name of the configuration key the user wishes to modify.
public function update(DynamicConfig $config, Request $request, $id)
{
$value = $request->get('value');
if (! $config->isValidSetting($id)) {
return $this->jsonResponse($id, ':id is not a valid setting', null, 400);
}
$current = \LibreNMS\Config::get($id);
$config_item = $config->get($id);
if (! $config_item->checkValue($value)) {
return $this->jsonResponse($id, $config_item->getValidationMessage($value), $current, 400);
}
if (\LibreNMS\Config::persist($id, $value)) {
return $this->jsonResponse($id, "Successfully set $id", $value);
}
return $this->jsonResponse($id, 'Failed to update :id', $current, 400);
}
We can see that some protections are implemented around the configuration parameters by $config_item->checkValue($value), with a format of data being expected depending on the data type of the variable the user wants to modify.
Specifically, the snmpget configuration variable expects a valid path to an existing binary on the system.
To summarize : if an attacker finds a valid full-path to a system binary, while that full-path also holds shell metacharacters, then those characters would be interpreted by the shell_exec() call defined above and allow for arbitrary command execution.
Arbitrary directory creation
When creating a new Device through the "Add Device" page, the server allows the user to send malformed or impossible hostnames and force the data to be stored, with no sanitization being performed on this field.
In the file app/Jobs/PollDevice.php, the initRrdDirectory() method is responsible for creating a directory named after the Device's hostname. We can see the mkdir() call inside the try block:
private function initRrdDirectory(): void
{
$host_rrd = \Rrd::name($this->device->hostname, '', '');
if (Config::get('rrd.enable', true) && ! is_dir($host_rrd)) {
try {
mkdir($host_rrd);
Log::info("Created directory : $host_rrd");
} catch (\ErrorException $e) {
Eventlog::log("Failed to create rrd directory: $host_rrd", $this->device);
Log::info($e);
}
}
}
This method is called by initDevice(), which is itself called by the handle() method (executed when the job starts).\Rrd::name() simply concatenates a string following the format <LIBRENMS_INSTALL_DIR>/rrd/<DEVICE_HOSTNAME>.
With all this, an authenticated attacker can:
- Create a malicious Device with shell metacharacters inside its hostname
- Force the creation of directory containing shell metacharacters through the PollDevice job
- Modify the
snmpgetconfiguration variable to point to a valid system binary, while also using the directory created in the previous step via a path traversal (i.e:/path/to/install/dir/rrd/<DEVICE_HOSTNAME>/../../../../../../../bin/ls) - Trigger a code execution via the
shell_exec()call contained in theAboutController.phpscript
PoC
For proof of concept, we will create a file located at /tmp/rce-proof on the server's filesystem.
Consider the following command : /usr/bin/touch /tmp/rce-proof, encoded in base64 (L3Vzci9iaW4vdG91Y2ggL3RtcC9yY2UtcHJvb2Y=). This encoding is necesary whenever the command contains '/' characters, as this would otherwise generate invalid directory paths.
Create a new Device with a name that contains the command you wish to execute enclosed in semi-colons, ending with a '3' character:
Be careful to tick the "Force Add" option, otherwise the request will be rejected. Click add:
A directory matching the hostname of the Device will be created whenever a PollDevice job is launched. For the purpose of the demonstration, we will be triggering this manually with artisan:
We can confirm that this directory indeed exists on the system:
We can now update the snmpget parameter value to point to any binary on the system, making sure that the specified path includes the directory that was just created:
Visiting the /about page will trigger the payload, then we can check that our code was indeed executed:
Impact
Server takeover
Untrusted input reaches a shell command, allowing arbitrary commands to run on the host. Typical impact: code execution in the application's environment.
CVE-2024-51092 has a CVSS score of 9.1 (Critical). The vector is network-reachable, low privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (24.10.0); upgrading removes the vulnerable code path.
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Remediation advice
Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.
Frequently Asked Questions
- What is CVE-2024-51092? CVE-2024-51092 is a critical-severity OS command injection vulnerability in librenms/librenms (composer), affecting versions <= 24.9.1. It is fixed in 24.10.0. Untrusted input reaches a shell command, allowing arbitrary commands to run on the host.
- How severe is CVE-2024-51092? CVE-2024-51092 has a CVSS score of 9.1 (Critical). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
- Which versions of librenms/librenms are affected by CVE-2024-51092? librenms/librenms (composer) versions <= 24.9.1 is affected.
- Is there a fix for CVE-2024-51092? Yes. CVE-2024-51092 is fixed in 24.10.0. Upgrade to this version or later.
- Is CVE-2024-51092 exploitable, and should I be worried? Whether CVE-2024-51092 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
- What actually determines whether CVE-2024-51092 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix CVE-2024-51092? Upgrade
librenms/librenmsto 24.10.0 or later.