CISA Added GLPI Command Injection Vulnerability to its KEV Catalog (CVE-2022-35914)

GLPI, an open-source IT Asset Management software, is vulnerable to a command injection flaw that could lead to remote code execution on successful exploitation. The critical severity vulnerability is tracked as CVE-2022-35914 and has a CVSSv3 score of 9.8. GLPI patched the vulnerability on September 14, 2022. The advisory states, “CVE-2022-35914 has been massively exploited since October 3, 2022, to execute code on insecure servers, available on the internet, hosting GLPI.” 
 
CISA has added the vulnerability to its Known Exploited Vulnerabilities Catalog urging users to patch it as soon as possible. 
 
GLPI is a leading Service Management solution that offers Helpdesk, CMDB, Asset Management, and Project Management on one platform. GLPI provides network cloud and on-premises support. The tool helps track expenses, contracts, and suppliers, create new inventory objects, manage user databases, and make reports.

Description

A critical Remote Code Execution flaw exists in the third-party htmLawed library bundled with Teclib GLPI. Threat actors can exploit it without authentication to run arbitrary code on vulnerable, internet-accessible servers hosting GLPI.

Affected Versions

GLPI versions through 10.0.2 are affected by this command injection vulnerability.
 
Note: GLPI Network Cloud instances are unaffected by this vulnerability. 

Mitigation

To patch the vulnerability, customers must upgrade to GLPI 10.0.3. 
 
Please refer to the GLPI 10.0.3 Release Notes for more information. 

Workaround

GLPI has provided the following workaround for the vulnerability:

  • Delete the vendor/htmlawed/htmlawed/htmLawedTest.php file. The htmLawed.php file in the same directory is legitimate and must be left in place.
  • Prevent web access to the vendor/ folder.
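
The following POSIX shell script is an added example, not GLPI's or Qualys' own tooling. It verifies whether the first workaround is in place (the test file removed, htmLawed.php still present), removes the test file if asked, and checks from the outside that the web server refuses requests under /vendor/. The GLPI root path, the base URL and the use of curl are assumptions for this example.

```shell
#!/bin/sh
# Added example: audit a GLPI install for the CVE-2022-35914 workaround.
# GLPI_ROOT is an assumed default; override it for your deployment.
GLPI_ROOT="${GLPI_ROOT:-/var/www/glpi}"

# File the workaround says to delete, relative to the GLPI root.
HTMLAWED_TEST_REL="vendor/htmlawed/htmlawed/htmLawedTest.php"
# Legitimate library file that must remain.
HTMLAWED_LIB_REL="vendor/htmlawed/htmlawed/htmLawed.php"

# Returns 0 when the test file is absent (workaround applied), 1 if present.
check_htmlawed_test() {
    root="$1"
    if [ -f "$root/$HTMLAWED_TEST_REL" ]; then
        echo "VULNERABLE: $root/$HTMLAWED_TEST_REL is present"
        return 1
    fi
    echo "OK: $root/$HTMLAWED_TEST_REL not found"
    return 0
}

# Removes the test file if present and warns if htmLawed.php is missing.
remove_htmlawed_test() {
    root="$1"
    if [ -f "$root/$HTMLAWED_TEST_REL" ]; then
        rm -f "$root/$HTMLAWED_TEST_REL"
        echo "Removed $root/$HTMLAWED_TEST_REL"
    fi
    [ -f "$root/$HTMLAWED_LIB_REL" ] || echo "WARNING: $root/$HTMLAWED_LIB_REL missing"
}

# Checks that the web server blocks the vendor/ folder (expects 403 or 404).
# Assumes curl is installed; BASE_URL is the GLPI base URL, e.g. https://glpi.example.
check_vendor_blocked() {
    base="$1"
    code=$(curl -s -o /dev/null -w '%{http_code}' "$base/$HTMLAWED_TEST_REL")
    case "$code" in
        403|404) echo "OK: /vendor/ returns HTTP $code"; return 0 ;;
        *)       echo "EXPOSED: /vendor/ returns HTTP $code"; return 1 ;;
    esac
}

# Usage: run the file-system check when a root is passed as the first argument.
if [ $# -gt 0 ]; then
    check_htmlawed_test "$1"
fi
```

Run it against each GLPI host after upgrading or applying the workaround; a "VULNERABLE" or "EXPOSED" line means the corresponding step is still outstanding.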

Qualys Detection

Qualys customers can scan their devices with QID 730749 to detect vulnerable assets. This QID checks for vulnerable GLPI instances by sending a crafted payload containing commands such as 'id' and 'cat /etc/passwd' to the /vendor/htmlawed/htmlawed/htmLawedTest.php endpoint as a POST request and checking for evidence of code execution in the response.
  
Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.  
  
References
https://glpi-project.org/fr/glpi-10-0-3-disponible/  
https://glpi-project.org/security-update-10-0-3-and-9-5-9/
