Eleven critical vulnerabilities have been patched in network management systems (NMS) from four leading manufacturers: Cloudview, Netikus, Paessler and Opmantek. The flaws enable remote cross-site scripting and command-injection attacks.
Public disclosure of the vulnerabilities coincided with a technical description by Rapid7 released Wednesday; the research compliments earlier work on similar bugs found in 2015.
Each of the 11 vulnerabilities varied widely, however they shared the common technique allowing for the injection of malicious packets via Simple Network Management Protocol (SNMP) to gain control of NMS web console browser windows, said Tod Beardsley, principal security research manager at Rapid7 in a blog post.
SNMP is a protocol used by network management systems to manage and monitor networked devices. Compromising a network management system would allow an attacker to view network activity, network mapping and performance. Ultimately access would be a gateway to anything managed by the system and act as a springboard to access other systems on the network.
Rapid7’s Deral Heiland and independent security researcher Matthew Kienow are credited with finding the vulnerabilities.
“It often does not occur to product designers that a local network would have an untrusted, malicious actor lurking on it, one who is either waiting for an automated process to swing by and start communications or one who is actively seeking to attack core network services,” Beardsley wrote. “In the current era of the disintegration of network borders due to mobile and cloud computing, this is a dangerous assumption to make.”
Researchers found five vulnerabilities in vendor Cloudview’s NMS. Two versions of the software, it was discovered, were vulnerable to a persistent cross-site scripting (XSS) vulnerability over SNMP. “Due to a lack of input validation when processing SNMP trap messages, Cloudview NMS versions 2.07b and 2.09b are vulnerable to persistent XSS attacks,” Rapid7 wrote.
The additional two Cloudview vulnerabilities were related to the NMS and what is known as a format string vulnerability. In these instances, the vulnerability allows a malicious actor to inject format string specifiers into the product via the SNMP “sysDescr” field. “This could allow a malicious actor to trigger a denial-of-service condition, and possibly execute code,” Beardsley wrote.
The fifth Cloudview vulnerability was tied to “full file system access” on Windows 2008 server systems running the vendor’s NMS software. “During testing it was also discovered that access to file within the Windows file systems where accessible without proper authentication,” Beardsley wrote.
Cross-site scripting vulnerabilities were also found in Opmantek’s SNM three versions of the company’s software. More specifically researchers’ found Object Identifier’s (OID) “sysDescr”, “sysContact” and “sysLocation” vulnerable to persistent XSS attacks. All three of the XSS attack methods allow an unauthenticated adversary to inject malicious content into the user’s browser session, according to Beardsley.
Paessler also patched a XSS bug in its PRTG Network Monitor for LANs, VMs, servers, websites and appliances. The bug left open a vulnerability that allowed an attacker to modify the system configuration, compromise data, take control of the product or launch attacks against the authenticated user’s host system.
Netikus patched a XSS bug that did not require any prior authentication to exploit, according to researchers. The vulnerability was exploitable via Netikus’ EventSentry web management interface and allowed an attacker to modify the system configuration settings, compromise data, take control of the product or launch attacks against the authenticated user’s host system. “This vulnerability allows a malicious actor to inject persistent JavaScript and HTML code into various fields within EventSentry’s web management interface,” according to Beardsley.
The Netikus vulnerability can be exploited over a common attack vector of actively injecting XSS attacks over SNMP trap messages. SNMP trap messages are used by SNMP agents to notify the network manager of abnormal conditions or other status changes without waiting to be polled, researchers note. These trap alert messages are intended for NMS consoles. In the case of Netikus, “when the SNMP trap message information is viewed, the code will execute within the context of the authenticated user,” describes Beardsley.
Flaws found by Rapid7 and Kienow tied to Cloudview, Netikus, Paessler and Opmantek were disclosed to vendors between May 23 and June 1. All bugs were patched by June by vendors and were assigned CVEs.
“Cross-site scripting and format string vulnerabilities are hardly new attack vectors, but they are surprisingly effective avenues of attack against modern, enterprise-level Network Management Systems,” Beardsley said. “This is due to an inappropriately assumed and implied trust relationship between NMSs and the network entities the NMS is responsible for discovering and monitoring.”
He recommends network administrators filter, validate and authenticate user-supplied data before trusting it. “Most people don’t think of a switch or a router as a ‘user,’ so the oft-repeated secure software design principle of ‘Do not trust user input directly’ is less likely to come to mind when designing machine-to-machine interfaces,” he said.