CVE-2021-32099 Overview
CVE-2021-32099 is a SQL injection vulnerability affecting the pandora_console component of Artica Pandora FMS version 742. This vulnerability exists in the /include/chart_generator.php endpoint, where the session_id parameter is not properly sanitized before being used in SQL queries. An unauthenticated attacker can exploit this flaw to manipulate session data, effectively upgrading an unprivileged session to an authenticated one, resulting in a complete authentication bypass.
Critical Impact
This vulnerability allows unauthenticated remote attackers to bypass authentication controls entirely and gain unauthorized access to the Pandora FMS console, potentially leading to full system compromise.
Affected Products
- Artica Pandora FMS version 742
- pandora_console component with vulnerable chart_generator.php
- Systems running unpatched Pandora FMS network monitoring instances
Discovery Timeline
- 2021-05-07 - CVE-2021-32099 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2021-32099
Vulnerability Analysis
This SQL injection vulnerability stems from insufficient input validation in the Pandora FMS web console. The chart_generator.php file accepts a session_id parameter that is directly incorporated into database queries without proper sanitization or parameterized query implementation. Because this endpoint is accessible without authentication, attackers can craft malicious SQL payloads to manipulate the session management logic.
The attack enables session hijacking by allowing attackers to inject SQL statements that modify or create session records in the database, effectively associating their browser session with an authenticated administrator account.
Root Cause
The root cause is a classic SQL injection vulnerability (CWE-89) where user-supplied input is concatenated directly into SQL query strings. The session_id parameter in chart_generator.php lacks proper input sanitization, allowing attackers to inject arbitrary SQL commands. This vulnerability is compounded by the endpoint being accessible to unauthenticated users, making it an ideal target for exploitation.
Attack Vector
The attack is executed remotely over the network without requiring any user interaction or prior authentication. An attacker sends a crafted HTTP request to the /include/chart_generator.php endpoint with a malicious session_id parameter containing SQL injection payloads. The injected SQL statements can manipulate the session table to associate the attacker's session with administrator-level privileges, completely bypassing the login mechanism.
The vulnerability allows for blind SQL injection techniques, enabling attackers to extract sensitive data from the database or modify session records to escalate privileges. Once authenticated as an administrator, attackers can leverage additional functionality within Pandora FMS to achieve remote code execution on the underlying server.
For detailed technical analysis, refer to the SonarSource vulnerability explanation and PortSwigger's coverage.
Detection Methods for CVE-2021-32099
Indicators of Compromise
- HTTP requests to /include/chart_generator.php containing suspicious SQL syntax in the session_id parameter
- Unusual session creation or modification patterns in database logs
- Authentication events for administrative accounts without corresponding login page access
- Abnormal query patterns in database audit logs showing injection attempts
Detection Strategies
- Implement web application firewall (WAF) rules to detect SQL injection patterns in requests to Pandora FMS endpoints
- Monitor HTTP access logs for requests containing SQL keywords (UNION, SELECT, INSERT, UPDATE) in URL parameters
- Deploy SentinelOne Singularity Platform to detect post-exploitation activity following authentication bypass
- Review database query logs for anomalous session table modifications
Monitoring Recommendations
- Enable detailed access logging for the Pandora FMS web console
- Configure alerts for multiple failed authentication attempts followed by successful access without valid credentials
- Monitor for unauthorized administrative actions following suspicious session activity
- Implement network traffic analysis to detect exploitation attempts targeting known vulnerable endpoints
How to Mitigate CVE-2021-32099
Immediate Actions Required
- Upgrade Artica Pandora FMS to version 743 or later immediately
- If immediate patching is not possible, restrict network access to the Pandora FMS console to trusted networks only
- Review access logs for indicators of prior exploitation
- Audit administrative accounts and session data for signs of compromise
Patch Information
Artica has addressed this vulnerability in Pandora FMS version 743. Organizations should upgrade to this version or later to remediate the SQL injection vulnerability. The patch implements proper input validation and parameterized queries for the affected endpoint. For update details, see the Pandora FMS 743 release notes.
Workarounds
- Implement network-level access controls to restrict access to /include/chart_generator.php from untrusted sources
- Deploy a web application firewall with SQL injection detection rules in front of the Pandora FMS console
- Consider temporarily disabling the chart generation functionality if not critical to operations
- Use reverse proxy rules to block requests containing suspicious patterns in the session_id parameter
# Example: Restrict access to chart_generator.php via Apache configuration
<Location "/include/chart_generator.php">
Require ip 10.0.0.0/8
Require ip 192.168.0.0/16
</Location>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
