Critical Flaws Found in Network Management Systems

Rapid7 has reported and disclosed a half-dozen XSS and SQL injection flaws in popular network management systems, all of which can be reached via SNMP.

Four leading network management system providers are busy patching and preparing fixes for a half-dozen critical cross-site scripting and SQL injection vulnerabilities disclosed Wednesday by Rapid7.

Three of the affected vendors, Spiceworks, Ipswitch and Opsview, have already patched their respective products, while Castle Rock Computing has yet to set a timeline for the availability of patches.

These management planes provide enterprises with a view into network activity and performance, and hackers with an attractive attack vector. Access to a management plane such as these, for example, would be invaluable in mapping a network, looking for pivot points to other systems and identifying existing vulnerabilities in anything managed by the system.

“The fact that many of these protocols are delivered over SNMP is also very interesting; too often, designers of management software, which is intended for internal use, don’t consider the insider threat,” said Tod Beardsley, principal security research manager at Rapid7. Rapid7’s Deral Heiland and independent security researcher Matthew Kienow are credited with finding the vulnerabilities.

SNMP is the simple network management protocol and is the protocol over which most network management systems communicate configuration changes and other commands to devices such as routers, servers, workstations and more.

Opsview was the first to patch, releasing a fix on Nov. 6 for stored and reflected XSS vulnerabilities on the Opsview web application server and client respectively affecting version 4.6.3. Exploits via SNMP traps and the SNMP agent could lead to code injection and execution in the victim’s browser; an authenticated browser session could lead to further attacks, Rapid7 said.

Spiceworks also patched a stored server XSS bug in the web application component of Spiceworks Desktop via SNMP, affecting versions 7.3.00065, 7.3.00076 and 7.4.00075. Attackers may exploit this vulnerability without authentication; this vulnerability was patched Dec. 1.

Ipswitch, meanwhile, on Wednesday patched persistent XSS and SQL injection flaws in its WhatsUpGold network management system. Attackers would require authentication to exploit the SQL injection bug, while the cross-site scripting vulnerability can be attacked without it. Versions 16.2.6 and 16.3.1 are affected, Rapid7 said.

In exploiting the persistent XSS bug, an attacker would be able to inject JavaScript into a number of fields, which, when viewed by WhatsUpGold, will execute under the privileges of the user and allow an attacker to modify settings, steal data or attack the host if configured with SNMP.

The SQL injection bug, if the attacker is authenticated, could allow an attacker to steal from a database using tools such as SQLMAP.

Castle Rock Computing’s SNMPc Enterprise 9 and a web-based reporting and monitoring tool called SNMPc OnLine 12.1 are vulnerable to a persistent cross-site scripting vulnerability that can be exploited without authentication. Again, as with the Ipswitch XSS bug, an attacker could inject JavaScript into fields and once the NMS product views those fields, the code executes.
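The pattern shared by the Ipswitch and Castle Rock bugs above is an NMS rendering SNMP-sourced text (sysDescr, sysName, trap varbinds) into its web console as raw HTML. The Python below is an added illustration, not code from the article or from any of the vendors named: it contrasts the vulnerable rendering with the output-encoded form, and adds a simple detection check for markup in stored SNMP fields. The device addresses and sysDescr strings are constructed samples.

```python
import html
import re

# Constructed sample: sysDescr values as an NMS might receive them from agents or traps.
# Anything an SNMP agent or trap sender can set is attacker-controllable, so the NMS
# must treat these strings as untrusted text, not trusted markup.
SAMPLE_SYSDESCR = {
    "10.0.0.1": "Cisco IOS Software, C2960",
    "10.0.0.2": "Linux core-sw 5.10.0 #1 SMP x86_64",
    "10.0.0.3": "Printer <script>alert('xss')</script>",  # constructed hostile value
}


def render_vulnerable(ip, sysdescr):
    """Interpolates the SNMP string straight into HTML: the stored-XSS pattern
    described in the article. The browser of whoever views the page runs it."""
    return f"<tr><td>{ip}</td><td>{sysdescr}</td></tr>"


def render_hardened(ip, sysdescr):
    """HTML-encodes every SNMP-sourced field before it reaches the browser, so
    markup in sysDescr is displayed literally instead of being interpreted."""
    return f"<tr><td>{html.escape(ip)}</td><td>{html.escape(sysdescr)}</td></tr>"


# Markup or script fragments never belong in a legitimate sysDescr/sysName.
_MARKUP = re.compile(r"<\s*/?\s*[a-zA-Z]|javascript:|\bon[a-z]+\s*=", re.IGNORECASE)


def flag_suspicious_fields(records):
    """Detection aid for operators: returns the IPs whose stored SNMP text fields
    contain HTML/JS fragments and therefore merit an alert and a closer look."""
    return sorted(ip for ip, value in records.items() if _MARKUP.search(value))


def render_table(records, renderer):
    """Builds the device table using the given row renderer."""
    rows = "".join(renderer(ip, value) for ip, value in sorted(records.items()))
    return f"<table>{rows}</table>"


if __name__ == "__main__":
    print(render_table(SAMPLE_SYSDESCR, render_vulnerable))
    print(render_table(SAMPLE_SYSDESCR, render_hardened))
    print(flag_suspicious_fields(SAMPLE_SYSDESCR))
```

The same encoding step belongs on every path from SNMP data to the console, including trap history views and report pages, since the disclosures above cover both agent-polled values and trap-delivered ones.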

These flaws were discovered Sept. 14 and disclosed to the DHS-sponsored CERT at Carnegie Mellon University, and have yet to be addressed by the vendor.

This article was updated to include clarifications regarding Ipswitch’s patches released Dec. 16.
