Rapid7 disclosed six vulnerabilities affecting four Network Management Systems, two of which are not patched. The vendors are Opsview, Spiceworks, Ipswitch, and Castle Rock, with the latter having neither issued a security bulletin nor a fix for two vulnerabilities in its NMS.
The flaws, described as “an array of cross-site scripting (XSS) and SQL injection (SQLi)” vulnerabilities in NMS products, were discovered by Rapid7’s Deral Heiland, aka Percent_X, and independent researcher Matthew Kienow, aka HacksForProfit. They were responsibly disclosed to the vendors and CERT.
Tod Beardsley, Principal Security Research Manager at Rapid7, said in an email:
NMSes present a valuable target for an internal attacker; by subverting these systems, an attacker can often pull an immense amount of valuable intelligence about the internal infrastructure. The fact that many of these protocols are delivered over SNMP [Simple Network Management Protocol] is also very interesting; too often, designers of management software which is intended for internal use don't consider the insider threat.
Network Management System (NMS) products help IT monitor individual components within a computer network for problems. CSO’s Steve Ragan explained, “NMS products operate on a presumption that the assets on a local network are friendly. Such assumptions are a cardinal sin in security, because it leads to trusting user-supplied input, which is never a good idea.”
Opsview Stored and Reflected XSS via SNMP
Let’s start with Opsview as it was the vendor with the best response time, having been notified about the stored and reflected XSS via SNMP (CVE-2015-6035) on Sept. 29 and then releasing a patch on Nov. 6. Rapid7 noted that the XSS strings could be “injected into the Opsview web application via both SNMP traps and the SNMP agent.” Mitigations are to update to the latest version as Opsview released a fix for both versions 4.5.4 and 4.6.4.
Spiceworks Desktop Stored XSS via SNMP (CVE-2015-6021)
Spiceworks Desktop web app had a stored server XSS vulnerability. Rapid7 explained, “An unauthenticated adversary that has access to a network segment scanned by the affected software could cause arbitrary code execution in an authenticated user's browser session, which could be leveraged to conduct further attacks. The code has access to the authenticated user's cookies and would be capable of performing actions in the web application as the authenticated user, allowing for a variety of attacks.”
Desktop versions 7.3.00065, 7.3.00076 and 7.4.00075 were tested and successfully exploited, although earlier versions might also be vulnerable. The vendor was notified on Sept. 1 and disclosed to CERT on Sept. 17; Spiceworks released a bulletin and a fix on Dec. 1.
Beardsley praised Spiceworks and Opsview for being “particularly responsive” as they “had fixes in their users' hands well before the final public disclosure date. It's always pleasantly refreshing to work closely with vendors that handle vulnerability remediation in a mature and responsible way.”
XSS and SQLi via SNMP in Ipswitch's WhatsUpGold
The researchers found Ipswitch’s WhatsUpGold was vulnerable to persistent XSS (CVE-2015-6005) as well as SQLi (CVE-2015-6004). If an attacker were to exploit the XSS flaw, he or she could “conduct attacks which can be used to modify the systems configuration, compromise data, take control of the product or launch attacks against the authenticated users' host systems.” Although the XSS issues do not require prior authentication, the SQLi issue does.
WhatsUpGold Versions 16.3.1 and 16.2.6 were tested and successfully exploited, although earlier versions may also be vulnerable. Rapid7 noted that Ipswitch plans on releasing a patch today.
XSS and SQLi in Castle Rock’s SNMPc Enterprise and SNMPc Online
Although the XSS and SQLi vulnerabilities in SNMPc Enterprise and the web-based reporting/monitoring tool SNMPc Online were disclosed to vendor Castle Rock Computing 60 days ago, the company did not prepare a patch. According to the Rapid7 blog, “The XSS issues do not require any prior authentication, while the SQLi issue does require authentication as a regularly privileged user.”
As for the SQL injection vulnerability (CVE-2015-6028) in Castle Rock’s SNMPc, Rapid7 said, “This injection point does require authentication to exploit. Leveraging the open source tool SQLMAP this vulnerability was simple to exploit and extract data from the application's database.”
Mitigation options are limited since the vendor chose not to issue fixes. Rapid7 advised, “In the absence of patches, customers should carefully control which devices and subnets are scanned for using SNMPc. In addition, login rights to the control console should be limited to only those users trusted with local administrator privileges on the host.”
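The common thread in all six findings is that an NMS takes strings off the wire (an agent's sysDescr or sysName, a trap's varbinds) and treats them as friendly: it drops them unescaped into its web UI (the stored XSS via SNMP in Opsview, Spiceworks and WhatsUpGold) and builds SQL from them or from console input (the SQLi in WhatsUpGold and SNMPc). The following is an added example, not code from the article or from any of the named vendors, showing a toy inventory handler with the unsafe pattern next to the hardened one, plus a detection check that flags SNMP string values carrying markup before they reach any page. The host addresses and SNMP values are constructed samples, and the table layout is a hypothetical one chosen for the example.

```python
"""Toy NMS inventory: SNMP-sourced strings are untrusted input.

Added example (not from the article or any vendor's product). Shows:
  * a detection check for HTML/script markup in SNMP string fields,
  * parameterized SQL next to the string-built query it replaces,
  * HTML-escaped rendering next to raw interpolation.
"""
import html
import re
import sqlite3

# Constructed sample "SNMP" results, as an agent poll or trap might hand them
# to an NMS. Illustrative values only, not data from any real device.
SAMPLE_SNMP_RESULTS = [
    {"host": "10.0.0.5",  "sysName": "core-sw-01", "sysDescr": "Cisco IOS Software, C3750"},
    {"host": "10.0.0.77", "sysName": "printer-2",  "sysDescr": "<script>alert(1)</script>"},
    {"host": "10.0.0.91", "sysName": "nas-1",      "sysDescr": "Linux 4.4"},
]

# Tags, javascript: URLs and on*= handlers have no business in a sysDescr.
MARKUP_PATTERN = re.compile(r"<\s*/?\s*[a-zA-Z]|javascript:|\bon[a-z]+\s*=", re.IGNORECASE)


def looks_like_markup(value: str) -> bool:
    """Detection check: True if an SNMP string value carries HTML/script markup."""
    return bool(MARKUP_PATTERN.search(value))


def open_inventory() -> sqlite3.Connection:
    """In-memory device table (hypothetical schema for this example)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE devices (host TEXT PRIMARY KEY, sys_name TEXT, sys_descr TEXT)")
    return conn


def ingest(conn: sqlite3.Connection, results: list) -> list:
    """Store poll results with parameterized SQL; return hosts flagged for markup."""
    flagged = []
    for rec in results:
        if any(looks_like_markup(rec[k]) for k in ("sysName", "sysDescr")):
            flagged.append(rec["host"])  # alert, but still record the device
        conn.execute(
            "INSERT INTO devices (host, sys_name, sys_descr) VALUES (?, ?, ?)",
            (rec["host"], rec["sysName"], rec["sysDescr"]),
        )
    conn.commit()
    return flagged


def find_by_name_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """The 'before' pattern: the search term is concatenated into the query (SQLi)."""
    rows = conn.execute(
        f"SELECT host FROM devices WHERE sys_name = '{name}' ORDER BY host"
    ).fetchall()
    return [r[0] for r in rows]


def find_by_name(conn: sqlite3.Connection, name: str) -> list:
    """Hardened: the search term travels as a bound parameter, never as SQL."""
    rows = conn.execute(
        "SELECT host FROM devices WHERE sys_name = ? ORDER BY host", (name,)
    ).fetchall()
    return [r[0] for r in rows]


def render_row_vulnerable(rec: dict) -> str:
    """The 'before' pattern: SNMP strings interpolated straight into HTML (stored XSS)."""
    return f"<tr><td>{rec['host']}</td><td>{rec['sysName']}</td><td>{rec['sysDescr']}</td></tr>"


def render_row(rec: dict) -> str:
    """Hardened: every SNMP-sourced field is HTML-escaped at output time."""
    cells = (html.escape(rec[k], quote=True) for k in ("host", "sysName", "sysDescr"))
    return "<tr>" + "".join(f"<td>{c}</td>" for c in cells) + "</tr>"


def demo() -> dict:
    """Run the whole pipeline over the constructed samples and return the results."""
    conn = open_inventory()
    flagged = ingest(conn, SAMPLE_SNMP_RESULTS)
    tautology = "' OR '1'='1"  # classic test string for the lookup comparison
    return {
        "flagged": flagged,
        "vulnerable_lookup": find_by_name_vulnerable(conn, tautology),
        "safe_lookup": find_by_name(conn, tautology),
        "unsafe_html": [render_row_vulnerable(r) for r in SAMPLE_SNMP_RESULTS],
        "safe_html": [render_row(r) for r in SAMPLE_SNMP_RESULTS],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The two `find_by_name` variants make the difference concrete: with a tautology as the search term, the string-built query returns every device while the parameterized one returns nothing, because the bound value is compared as data. `looks_like_markup` is the kind of check a defender can run over existing NMS inventory or trap logs to spot devices (or rogue agents on a scanned subnet) that are already feeding markup into the console, which is the only early-warning option on the unpatched SNMPc installs the article describes.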
Incidentally, while we are mentioning Rapid7, Docker recently recognized Rapid7 as an “approved ecosystem technology partner.”