A compromised network management system (NMS) can serve as a treasure map, leading cyber-attackers to the most valuable—and perhaps non-obvious—targets, such as the printer that is responsible for payroll runs, or HR's central server containing personally identifiable information on the employee base.
Unfortunately, several vulnerabilities have been discovered that allow bad actors to attack NMS over the Simple Network Management Protocol (SNMP), which is a protocol used extensively by NMS to manage and monitor a wide variety of networked devices.
NMSs, because they are software (and occasionally, hardware) systems designed to discover and monitor network entities, including both endpoint machines such as servers, desktops and printers, as well as core network infrastructure components like switches, routers and security hardware, are ideal targets for attackers looking to learn more about new environments.
“They are a critical part of any enterprise network’s asset management system, and they collect and maintain near real-time data about the monitored network components,” explained Rapid7 researchers, in a white paper. “They are usually accessed and maintained by an IT staff with exceptional access privileges on the monitored network.”
The easiest, cheapest method to attack them seems to be delivering persistent XSS via SNMP data fields to a web-based management console. Virtually all modern NMSs are managed using web-based interfaces; most NMSs track and manage networked systems via SNMP by default; most can be configured to receive SNMP traps from networked systems; and NMSs are likely to initially trust the data received from new devices on the network.
According to Rapid7, there are 11 issues across four vendors to be concerned about in this latest disclosure. All have been reported to vendors and CERT, and all have patches available.
Several of the flaws were found in CloudView NMS versions 2.07b and 2.09b. Both are vulnerable to a persistent cross site scripting (XSS) vulnerability over SNMP agent responses and SNMP trap messages; a format string vulnerability in processing SNMP agent responses; a format string vulnerability via telnet login; and an insecure direct object reference issue. None of them require any prior authentication to exploit.
Netikus EventSentry NMS versions 3.2.1.8, 3.2.1.22 and 3.2.1.30 are also vulnerable to a persistent XSS vulnerability that requires no prior authentication to exploit. The vulnerability allows a malicious actor to inject persistent JavaScript and HTML code into various fields within EventSentry's web management interface to allow a malicious actor to conduct attacks which can be used to modify the systems configuration, compromise data, take control of the product or launch attacks against the authenticated user's host system. The same kind of issue was found in Paessler PRTG NMS version 16.2.24.379.
And finally, Opmantek NMIS NMS versions 8.5.10G and 4.3.6f are vulnerable to a persistent XSS vulnerability over SNMP agent responses and SNMP trap messages; a reflected XSS vulnerability over SNMP agent responses; and a command injection vulnerability.
All three of the XSS attack methods allow an unauthenticated adversary to inject malicious content into the user’s browser session. This could cause arbitrary code execution in an authenticated user's browser session and may be leveraged to conduct further offensives. The code has access to the authenticated user's cookies and would be capable of performing privileged operations in the web application as the authenticated user, allowing for a variety of attacks.
“All [affected vendors] acted reasonably and responsibly to ensure their customers and users are protected against this technique, and we're confident that going forward, NMSs will do a much better job of inspecting and sanitizing machine-supplied, as well as user-supplied, input,” the researchers said.
Photo © Atiketta Sangasaeng