Описание
LibreNMS has Weak Password Policy
Summary
A Weak Password Policy vulnerability was identified in the user management functionality of the LibreNMS application. This vulnerability allows administrators to create accounts with extremely weak and predictable passwords, such as 12345678. This exposes the platform to brute-force and credential stuffing attacks.
Details
Vulnerable Component: User creation / password definition
The application fails to enforce a strong password policy when creating new users. As a result, administrators can define trivial and well-known weak passwords, compromising the authentication security of the system.
PoC
-
Log in to the application using an Administrator account.
-
Navigate to the user management section:
-
Create a new user account using the password
12345678.
- The application accepts the weak password without restrictions and creates the account successfully.
Impact
Weak password policy vulnerabilities can have severe consequences, including:
-
Increased risk of brute-force and credential stuffing attacks
-
Unauthorized access to user or administrative accounts
-
Privilege escalation through compromised credentials
-
Degradation of the overall security posture of the platform
Mitigation
-
Enforce a strong password policy (e.g., minimum of 12 characters with uppercase, lowercase, digits, and special characters).
-
Block the use of commonly known weak passwords (e.g.,
12345678,password,admin,qwerty).
Пакеты
librenms/librenms
< 25.11.0
25.11.0
Связанные уязвимости
LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring tool. Prior to version 25.11.0, a weak password policy vulnerability was identified in the user management functionality of the LibreNMS application. This vulnerability allows administrators to create accounts with extremely weak and predictable passwords, such as 12345678. This exposes the platform to brute-force and credential stuffing attacks. This issue has been patched in version 25.11.0.