Fix memcached unserialize vulnerability (#14459)

Allows code injection, so remove it entirely. This requires a memcached application script to restore functionality. librenms/librenms-agent#428
librenms · Oct 16, 2022 · ae3925b · ae3925b
1 parent 8e85698
commit ae3925b
Show file tree

Hide file tree

Showing 4 changed files with 21 additions and 11 deletions.
diff --git a/doc/Extensions/Applications.md b/doc/Extensions/Applications.md
@@ -909,10 +909,10 @@ pass .1.3.6.1.4.1.3582 /usr/sbin/lsi_mrdsnmpmain
 ### SNMP Extend
 
 1. Copy the [memcached
-   script](https://github.com/librenms/librenms-agent/blob/master/agent-local/memcached)
+   script](https://github.com/librenms/librenms-agent/blob/master/snmp/memcached)
    to `/etc/snmp/` on your remote server.
 ```
-wget https://raw.githubusercontent.com/librenms/librenms-agent/master/agent-local/memcached -O /etc/snmp/memcached
+wget https://raw.githubusercontent.com/librenms/librenms-agent/master/snmp/memcached -O /etc/snmp/memcached
 ```
 
 2. Make the script executable:

diff --git a/includes/polling/applications/memcached.inc.php b/includes/polling/applications/memcached.inc.php
@@ -1,20 +1,25 @@
 <?php
 
+use LibreNMS\Exceptions\JsonAppException;
 use LibreNMS\RRD\RrdDefinition;
 
 $name = 'memcached';
 
 if (! empty($agent_data['app']['memcached'])) {
-    $data = $agent_data['app']['memcached'][$app['app_instance']];
+    $data = $agent_data['app']['memcached'];
 } else {
-    $oid = '.1.3.6.1.4.1.8072.1.3.2.3.1.2.9.109.101.109.99.97.99.104.101.100';
-    $result = snmp_get($device, $oid, '-Oqv');
-    $data = trim($result, '"');
-    $data = unserialize(stripslashes(str_replace("<<<app-memcached>>>\n", '', $data)));
-    $data = reset($data);
-}
+    try {
+        $data = json_app_get($device, $name, '1.1')['data'];
+        $data = $data['data'][$app->app_instance] ?? reset($data['data']);
+    } catch (JsonAppException $e) {
+        echo PHP_EOL . $name . ':' . $e->getCode() . ':' . $e->getMessage() . PHP_EOL;
+        update_application($app, $e->getCode() . ':' . $e->getMessage(), []); // Set empty metrics and error message
 
-echo ' memcached(' . $app['app_instance'] . ')';
+        return;
+    }
+}
+echo ' memcached(' . $app->app_instance . ')';
+$data = $data[$app->app_instance] ?? reset($data);  // specified instance or just the first one
 
 $rrd_name = ['app', $name, $app->app_id];
 $rrd_def = RrdDefinition::make()

diff --git a/includes/polling/unix-agent.inc.php b/includes/polling/unix-agent.inc.php
@@ -159,7 +159,7 @@
 
         // memcached
         if (! empty($agent_data['app']['memcached'])) {
-            $agent_data['app']['memcached'] = unserialize($agent_data['app']['memcached']);
+            $agent_data['app']['memcached'] = json_decode($agent_data['app']['memcached'], true);
             foreach ($agent_data['app']['memcached'] as $memcached_host => $memcached_data) {
                 if (dbFetchCell('SELECT COUNT(*) FROM `applications` WHERE `device_id` = ? AND `app_type` = ? AND `app_instance` = ?', [$device['device_id'], 'memcached', $memcached_host]) == '0') {
                     echo "Found new application 'Memcached' $memcached_host\n";

diff --git a/misc/notifications.rss b/misc/notifications.rss
@@ -88,5 +88,10 @@
     <description>Adsl statistics are now discovered and polled in a new module. Vdsl stats were also added. `lnms config:set enable_ports_adsl true`is not supported anymore. See https://github.com/librenms/librenms/pull/14207 for more information.</description>
     <pubDate>Wed, 7 Sept 2022 18:00:00 +0000</pubDate>
   </item>
+  <item>
+    <title>Memcached application compatibility break</title>
+    <description>Due to a security vulnerability, you must upgrade your memcached application scripts to the latest version. (1.1)</description>
+    <pubDate>Fri, 10 Oct 2022 18:00:00 +0000</pubDate>
+  </item>
 </channel>
 </rss>