XSS and SQL Injection Plague Several NMSes

A slew of cross-site scripting (XSS) and SQL injection (SQLi) vulnerabilities that affect several network management system (NMS) products has been uncovered.

Security firm Rapid7 has released details on six flaws in products from vendors Spiceworks, Ipswitch, Castle Rock Computing and Opsview, some of which have already been patched.

“NMSes present a valuable target for an internal attacker; by subverting these systems, attackers can often pull an immense amount of valuable intelligence about the internal infrastructure,” explained Tod Beardsley, principal security research manager at Rapid7, in an email. “The fact that many of these protocols are delivered over SNMP is also very interesting; too often, designers of management software which is intended for internal use don't consider the insider threat.”

Opsview: A stored server-side cross-site scripting (XSS) vulnerability exists in the Opsview web application due to insufficient filtering of Simple Network Management Protocol (SNMP) trap-supplied data before the affected software stores and displays that data.

Spiceworks: The same stored XSS vulnerability also exists in the Spiceworks Desktop web application. In this case, an unauthenticated adversary with access to a network segment scanned by the affected software could cause arbitrary code execution in an authenticated user's browser session, which could be leveraged to conduct further attacks. The injected code has access to the authenticated user's cookies and would be capable of performing actions in the web application as the authenticated user, allowing for a variety of attacks.
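The Opsview and Spiceworks findings above share one root cause: a string that arrived in an SNMP trap is stored and later written into the management console's HTML without output encoding. The following is an added example (not code from Rapid7 or from any vendor named in this article) that models that pattern with a constructed trap and a constructed table template, shows the vulnerable rendering beside the encoded rendering, and includes the kind of check a regression test for the fix would run. The OIDs are the standard sysName and snmpTrapOID objects; the field names, payload and page layout are assumptions for the example.

```python
# Added example: models stored XSS via SNMP trap data as described for Opsview
# and Spiceworks. Not vendor or Rapid7 code; trap content, record fields and
# the HTML template are constructed for illustration.
import html
import re

# Constructed SNMP trap, already decoded to OID -> value by the receiver.
# sysName (1.3.6.1.2.1.1.5.0) carries the attacker-controlled string; the
# trap OID (1.3.6.1.6.3.1.1.4.1.0) is a standard linkDown notification.
TRAP = {
    "1.3.6.1.2.1.1.5.0": "core-sw01<script>alert(1)</script>",
    "1.3.6.1.6.3.1.1.4.1.0": "1.3.6.1.6.3.1.1.5.3",
}


def store_trap(trap: dict) -> dict:
    """Persist the decoded trap. Storing the raw text is not the bug;
    the defect is rendering it later without encoding."""
    return {
        "source": trap["1.3.6.1.2.1.1.5.0"],
        "trap_oid": trap["1.3.6.1.6.3.1.1.4.1.0"],
    }


def render_vulnerable(event: dict) -> str:
    """Interpolates stored trap fields straight into the HTML body:
    the pattern behind the reported stored XSS."""
    return f'<tr><td>{event["source"]}</td><td>{event["trap_oid"]}</td></tr>'


def render_fixed(event: dict) -> str:
    """Encodes every untrusted value for the HTML element context before it
    is emitted, so '<' and '>' arrive as text, not markup."""
    return (
        f'<tr><td>{html.escape(event["source"], quote=True)}</td>'
        f'<td>{html.escape(event["trap_oid"], quote=True)}</td></tr>'
    )


# Regression check: a rendered event row must never contain a live tag.
SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)


def contains_active_markup(rendered: str) -> bool:
    """True if the rendered HTML still carries an unencoded <script> tag."""
    return SCRIPT_TAG.search(rendered) is not None


if __name__ == "__main__":
    event = store_trap(TRAP)
    print("vulnerable:", render_vulnerable(event))
    print("fixed:     ", render_fixed(event))
    print("vulnerable renders active markup:",
          contains_active_markup(render_vulnerable(event)))
    print("fixed renders active markup:     ",
          contains_active_markup(render_fixed(event)))
```

The encoding belongs at the output point, not at trap ingestion: the same sysName may later be written into a JSON API response, a CSV export or an email, each needing its own encoding, so "filtering" on the way in would have to anticipate every sink. A template engine with auto-escaping enabled gives the same result as `html.escape` without relying on each developer to remember it.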

Ipswitch: While examining the WhatsUp Gold product, Rapid7 discovered that it was vulnerable to a persistent XSS vulnerability as well. This vulnerability allows a malicious actor to inject persistent XSS payloads containing JavaScript into a number of fields within the product. When this data is viewed within the web management console, the JavaScript code executes within the context of the authenticated user. This allows a malicious actor to conduct attacks which can modify the system's configuration, compromise data, take control of the product or target the authenticated user's host system.

Examination of the WhatsUp Gold product also revealed an SQL injection vulnerability in the "UniqueID" parameter of the URL. This injection point requires authentication prior to exploitation. Once authenticated, a malicious actor could extract all data from the database. Using the open-source tool sqlmap, this vulnerability was simple to exploit and extract data from the application's database, Rapid7 said.

Castle Rock: While examining the Castle Rock product SNMPc Enterprise and its web-based reporting/monitoring tool SNMPc Online, Rapid7 discovered that SNMPc Online was vulnerable to a persistent XSS vulnerability. This vulnerability allows a malicious actor to inject persistent XSS payloads containing JavaScript into a number of fields within the product. When this data is viewed within the web console, the JavaScript code executes within the context of the authenticated user. This allows a malicious actor to conduct attacks which can modify the system's configuration, compromise data, take control of the product or target the authenticated user's host system.

Examination of the SNMPc product also revealed an SQL injection vulnerability in the "sc" parameter of the URL; this injection point also requires authentication to exploit. Using the open-source tool sqlmap, this vulnerability was simple to exploit and extract data from the application's database.
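Both SQL injection findings (the WhatsUp Gold "UniqueID" parameter and the SNMPc Online "sc" parameter) are the same defect class: a URL parameter is concatenated into a SQL statement, so the value can change the statement's logic instead of just its search key. The following added example (not code from Ipswitch, Castle Rock or Rapid7) models only the query layer with an in-memory SQLite table; the schema, column names and rows are constructed, and the example does not model the authentication that the article notes is required to reach these parameters. It puts the string-built lookup beside a version that validates the parameter's type and binds it.

```python
# Added example: models the SQL-injection pattern reported for URL parameters
# such as "UniqueID" and "sc". Not vendor or Rapid7 code; the device table,
# its columns and its rows are constructed for illustration.
import re
import sqlite3


def setup_db() -> sqlite3.Connection:
    """Build a small in-memory table standing in for the NMS inventory."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE device (unique_id INTEGER PRIMARY KEY, name TEXT, community TEXT)"
    )
    conn.executemany(
        "INSERT INTO device VALUES (?, ?, ?)",
        [
            (1, "core-sw01", "constructed-community-1"),
            (2, "edge-rtr01", "constructed-community-2"),
            (3, "fw01", "constructed-community-3"),
        ],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, unique_id: str) -> list:
    """Builds the statement by string concatenation from the URL parameter:
    the reported defect. A value like '2 OR 1=1' rewrites the WHERE clause
    and the query returns every row instead of one."""
    sql = f"SELECT unique_id, name FROM device WHERE unique_id = {unique_id}"
    return conn.execute(sql).fetchall()


# UniqueID is a numeric key, so only ASCII digits are acceptable input.
NUMERIC_ID = re.compile(r"[0-9]+")


def lookup_fixed(conn: sqlite3.Connection, unique_id: str) -> list:
    """Rejects anything that is not a plain integer, then binds the value as a
    parameter so the database never parses it as SQL."""
    if NUMERIC_ID.fullmatch(unique_id) is None:
        raise ValueError("UniqueID must be a positive integer")
    return conn.execute(
        "SELECT unique_id, name FROM device WHERE unique_id = ?",
        (int(unique_id),),
    ).fetchall()


if __name__ == "__main__":
    db = setup_db()
    print("vulnerable, normal id:", lookup_vulnerable(db, "2"))
    print("vulnerable, tampered: ", lookup_vulnerable(db, "2 OR 1=1"))
    print("fixed, normal id:     ", lookup_fixed(db, "2"))
    try:
        lookup_fixed(db, "2 OR 1=1")
    except ValueError as err:
        print("fixed, tampered:       rejected:", err)
```

Parameter binding alone would already stop the injection (the bound string would be compared as a literal and match nothing); the type check on top of it turns a tampered request into an error the application can log, which is the signal a detection rule would key on when reviewing web-server logs for a management console.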

“Through Rapid7's reasonable disclosure processes, most of these issues have been fixed by the time this disclosure went public,” Beardsley noted. “Spiceworks and Opsview were both particularly responsive, and had fixes in their users' hands well before the final public disclosure date, and Ipswitch has committed to a patch being made available today. It's always pleasantly refreshing to work closely with vendors that handle vulnerability remediation in a mature and responsible way.”

Update: Ipswitch has released its patch, and made this comment to the media: “At Ipswitch, we take the security of our products very seriously. As soon as the vulnerability was detected, Ipswitch developed a fix which was released on December 16 and is now available to all customers through the customer portal.”

Photo © Tatiana Popova