
How to remediate – Pandora FMS Console Default Credentials

1. Introduction

The Pandora FMS Console Default Credentials vulnerability means the web application allows login using a pre-set username and password combination. This is a high severity issue because it lets an attacker gain full control of your Pandora FMS installation without needing valid user credentials. Any Pandora FMS installation whose default administrator password has never been changed is affected, particularly those with direct internet access or exposed on internal networks without sufficient protection. Successful exploitation could compromise the confidentiality, integrity, and availability of the system and of the monitored infrastructure.

2. Technical Explanation

The vulnerability occurs because the Pandora FMS console ships with a default administrator account (admin / pandora) that is not changed during installation. An attacker can exploit this by simply attempting to log in using these credentials. No special privileges or prior knowledge of the system are required.

  • Root cause: The application uses hardcoded, insecure default credentials for an administrative account.
  • Exploit mechanism: An attacker attempts login with the username ‘admin’ and password ‘pandora’. If successful, they gain full administrative access to Pandora FMS. For example, an attacker could use a web browser or a tool like curl to submit a POST request to the login endpoint with these credentials.
  • Scope: All versions of Pandora FMS are potentially affected if the default credentials have not been changed.

3. Detection and Assessment

You can check for this vulnerability by attempting to log in using the default credentials. A thorough assessment involves reviewing the application configuration files for any evidence of unchanged default settings.

  • Quick checks: Attempt to log in via the web interface with username ‘admin’ and password ‘pandora’.
  • Scanning: Nessus plugin ID 16389 may detect this vulnerability, but results should be verified manually.
  • Logs and evidence: Check Pandora FMS logs for successful logins from the default account. The log location varies depending on installation method; consult the official documentation.
  Command-line equivalent of the quick check (adjust the host and path to your installation):
    curl -u admin:pandora http://your_pandora_fms_ip/admin/login

4. Solution / Remediation Steps

To fix this issue, you must change the default password for the administrator account to a strong, unique value. Follow these steps carefully to avoid disrupting service.

4.1 Preparation

  • Ensure you have access to the web interface with administrative privileges (even if using the default credentials). A rollback plan consists of restoring from backup if the new password is forgotten or causes issues.
  • Plan a change window during off-peak hours; approval from the system owners may be needed.

4.2 Implementation

  1. Log in to the Pandora FMS web interface using the default credentials (admin / pandora).
  2. Navigate to ‘Administration’ > ‘Users’.
  3. Locate the ‘admin’ user account.
  4. Edit the ‘Password’ field and set a strong, unique password.
  5. Save the changes.

4.3 Config or Code Example

Before

No direct configuration file modification is required; the password is changed via the web interface. However, if using an external authentication source (e.g., LDAP), verify that the 'admin' user has a strong password set there too.

After

The 'Password' field for the 'admin' user in the Pandora FMS web interface will show a masked value representing the new, strong password you have configured.

4.4 Security Practices Relevant to This Vulnerability

Several security practices can help prevent this type of issue. These include using strong passwords and regularly reviewing default configurations.

  • Practice 1: Least privilege – limit the permissions granted to administrative accounts, reducing the impact if compromised.
  • Practice 2: Secure defaults – avoid shipping products with weak or easily guessable default credentials.

4.5 Automation (Optional)

Automation is not typically suitable for this vulnerability due to the need for interactive password changes via the web interface. However, if using a configuration management tool and an API is available, it may be possible to script the password change.

# Example only - requires Pandora FMS API access (not standard)
# This is illustrative and will require adaptation based on your environment.
# api_call --url https://your_pandora_fms_ip/api/users/admin --method PUT --data '{"password":"YourStrongPassword"}'

5. Verification / Validation

  • Post-fix check: Attempt to log in via the web interface with username ‘admin’ and the *old* password ‘pandora’. The login should fail.
  • Re-test: Repeat the quick check from Section 3, attempting to log in with the default credentials. It should now be unsuccessful.
  • Smoke test: Verify that you can still log in using the new administrator password and access key Pandora FMS features (e.g., view system status, add a device).
  • Monitoring: Check Pandora FMS logs for failed login attempts with the default username. A high number of failures may indicate ongoing attacks.
  Expected result of the post-fix check: logging in via the web interface with username ‘admin’ and password ‘pandora’ returns "Invalid credentials" or a similar error message.
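The "Logs and evidence" check in Section 3 and the "Monitoring" check above both amount to reading login records for the default account. The script below is an added example, not part of this guide or of Pandora FMS: it assumes a hypothetical one-line-per-event audit format (real Pandora FMS log layouts vary by installation, so the regular expression must be adapted), flags every successful login by the default ‘admin’ account, and reports source IPs that produce a burst of failed ‘admin’ logins inside a time window. The sample log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed (hypothetical) audit line layout, "YYYY-MM-DD HH:MM:SS <ip> <user> Logon[ Failed]";
# Pandora FMS log formats vary by install, so adapt LOG_RE to your real layout.
LOG_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<ip>\S+) "
                    r"(?P<user>\S+) (?P<event>Logon Failed|Logon)$")
DEFAULT_USER = "admin"  # the account that ships with the default password

def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "ip": m["ip"], "user": m["user"], "event": m["event"]}

def analyse(lines, window=timedelta(minutes=5), threshold=5):
    """Return ([(ts, ip) successful admin logins], [ips with >= threshold failures in window])."""
    successes, failures = [], defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["user"] != DEFAULT_USER:
            continue  # malformed lines and other users are out of scope
        if rec["event"] == "Logon":
            successes.append((rec["ts"], rec["ip"]))
        else:
            failures[rec["ip"]].append(rec["ts"])
    bursty = []
    for ip, stamps in failures.items():
        stamps.sort()
        start = 0  # sliding window over the sorted timestamps
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                bursty.append(ip)
                break
    return successes, sorted(bursty)

# Constructed sample log (not real data): a burst of six failures from 10.0.0.7,
# one stray failure, one admin success, a non-admin login and a malformed line.
SAMPLE_LOG = [f"2025-12-27 09:00:{s:02d} 10.0.0.7 admin Logon Failed"
              for s in (1, 9, 17, 25, 33, 41)] + [
    "2025-12-27 09:05:12 10.0.0.9 admin Logon Failed",
    "2025-12-27 09:30:00 192.168.1.20 admin Logon",
    "2025-12-27 09:31:05 192.168.1.21 bob Logon",
    "garbage line with no timestamp",
]
```

Run `analyse()` over your exported log lines: after remediation every entry in the first list should correspond to a known administrator session, and any IP in the second list is a candidate for blocking at the network edge.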

6. Preventive Measures and Monitoring

Regular security assessments and policy enforcement can help prevent this vulnerability. For example, include a check for default credentials in your system hardening baseline.

  • Pipelines: Consider adding checks to your CI/CD pipeline to scan configuration files for hardcoded credentials, although this is less effective for web application settings.
  • Asset and patch process: Implement a regular review cycle for system configurations to identify and remediate any security weaknesses.

7. Risks, Side Effects, and Roll Back

Changing the password could temporarily disrupt service if the new password is forgotten or incorrectly entered. Always have a backup plan in place.

  • Risk or side effect 1: Forgetting the new password can lock you out of the system. Mitigation: Document the new password securely and consider using a password manager.
  • Risk or side effect 2: Incorrectly entering the new password multiple times may trigger account lockout policies. Mitigation: Be careful when typing the new password and ensure it meets complexity requirements.
  • Roll back: Restore from your database and configuration backup if you are unable to log in with any credentials.

8. References and Resources

Updated on December 27, 2025
