Five vulnerabilities have been disclosed in Opsview Monitor, a proprietary IT monitoring platform for networks and applications, that could enable cross-site scripting, remote command execution and local privilege escalation.
The flaws (CVE-2018-16148, CVE-2018-16147, CVE-2018-16146, CVE-2018-16144 and CVE-2018-16145) were discovered by Fernando Díaz and Fernando Catoira of Core Security Consulting Services and disclosed Tuesday by SecureAuth + CoreSecurity. They affect Opsview Monitor versions 4.2, 5.3 and 5.4 and have been patched in versions 5.3.1, 5.4.2 and 6.0.
Other products and versions might be affected, but they were not tested, said researchers in an advisory. Opsview did not respond to further comment from Threatpost before publication.
According to Opsview’s website, its monitoring software helps DevOps teams understand how the performance of their hybrid IT infrastructure and applications impacts their business services. Opsview Monitor also supports more than 3,500 plugins written for the Nagios open-source monitoring application.
In terms of the details, CVE-2018-16148 and CVE-2018-16147 are both cross-site scripting (XSS) flaws that can be abused to execute malicious JavaScript code in the context of a legitimate user: the former exists in the “diagnosticsb2ksy” parameter of the “/rest” endpoint, and the latter in the “data” parameter of the “/settings/api/router” endpoint.
“It’s important to point out that this XSS is self-stored and it’s executed only in the context of the victim’s session,” the research team wrote. “However, this vulnerability can be exploited by an attacker to gain persistency and execute the malicious code each time the victim accesses the settings section.”
Meanwhile, CVE-2018-16146 and CVE-2018-16144 are command-injection flaws that could let an attacker execute commands on the system as the Nagios user.
The first, CVE-2018-16146, exists in the Opsview Web Management console’s notification-testing feature, which lets an authenticated administrator send test notifications for configurable events. The “value” parameter of that request is not properly sanitized, so an attacker can inject arbitrary commands that run on the system with the privileges of the Nagios user, researchers said. Because the feature is reached through an administrator’s session, this is a post-authentication issue.
The second, CVE-2018-16144, exists in NetAudit, a section of Network Analyzer that automatically backs up network devices’ configuration files to a centralized location. Its test-connection function is open to command injection because the “rancid_password” parameter is not properly sanitized, researchers said.
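Both command-injection flaws above share one root cause: a request parameter reaches a shell without being treated as data. The Python below is an added illustration of that pattern and two ways to close it; it is not code from the Opsview advisory or product. The handler names, the `echo` command standing in for the real notification or connection-test command, and the payload are all constructed for this example, and the injected command is a harmless `echo INJECTED` so the effect is visible without side effects.

```python
"""Added example, not Opsview code: a user-supplied parameter reaching /bin/sh
becomes command injection; passing it as one argv element, plus an allowlist,
closes the hole. Handler names and the payload are constructed for this demo."""
import re
import subprocess

# Constructed attacker input. A harmless "echo INJECTED" stands in for the
# payload an attacker would put after the ';'.
PAYLOAD = "hello; echo INJECTED"


def notify_vulnerable(value: str) -> str:
    """Interpolates the parameter into a shell command string.
    The shell splits on ';', so the attacker's text runs as a second command."""
    result = subprocess.run(
        f"echo notification {value}", shell=True, capture_output=True, text=True
    )
    return result.stdout


def notify_argv(value: str) -> str:
    """Passes the parameter as a single argv element. No shell parses it, so
    ';', '|', '$(...)' and friends are plain characters inside one argument."""
    result = subprocess.run(
        ["echo", "notification", value], capture_output=True, text=True
    )
    return result.stdout


# Allowlist for a notification test string: letters, digits, space, a few
# punctuation marks, bounded length. Anything else is rejected outright.
_ALLOWED = re.compile(r"[A-Za-z0-9 ._@-]{1,200}")


def notify_validated(value: str) -> str:
    """Allowlist check before the argv call: defence in depth, and it turns a
    surprising payload into an explicit error instead of a quiet success."""
    if not _ALLOWED.fullmatch(value):
        raise ValueError("notification value contains disallowed characters")
    return notify_argv(value)


if __name__ == "__main__":
    print("vulnerable:", repr(notify_vulnerable(PAYLOAD)))
    print("argv      :", repr(notify_argv(PAYLOAD)))
    try:
        notify_validated(PAYLOAD)
    except ValueError as exc:
        print("validated :", exc)
```

Run as a script, the vulnerable handler prints two lines (the intended one and `INJECTED`), while the argv version prints the whole payload as one literal argument and the validated version refuses it. Quoting with `shlex.quote` would also defeat this payload, but the argv form removes the shell from the path entirely, which is the simpler property to reason about.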
The final flaw, CVE-2018-16145, allows local privilege escalation through a boot-time script. The “/etc/init.d/opsview-reporting-module” script runs with root privileges during startup and invokes “/opt/opsview/jasper/bin/db_jasper”, a file that the Nagios user (a member of the “Opsview” group) is able to edit.
“The issue found in one of the scripts run during the boot process… [and] would allow attackers to elevate their privileges from Nagios user to root after a system restart, hence obtaining full control of the appliance,” said researchers.
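The privilege-escalation flaw is an instance of a general pattern: a script that runs as root at boot executes a file that a lower-privileged user or group can write. The Python below is an added audit for that pattern, not code from the advisory or from Opsview. It builds a throwaway directory in the shape described above (an init script calling a helper that is left group-writable) and reports which referenced files a root-run script should not trust; the directory layout and file names in the demo are invented.

```python
"""Added example, not Opsview code: audit an init script for files it runs
that a non-root user or group can modify. The demo layout is constructed."""
from __future__ import annotations

import os
import re
import stat
import tempfile
import textwrap

# Absolute paths with at least two components, not glued to a preceding word.
_ABS_PATH = re.compile(r"(?<![\w.-])(/[\w.-]+(?:/[\w.-]+)+)")


def referenced_paths(script_text: str) -> list[str]:
    """Absolute paths mentioned anywhere in the script body. This is a text
    scan, not a shell parse, so it also picks up paths in variables and
    comments; treat the hits as a review list, not a verdict."""
    found: list[str] = []
    for match in _ABS_PATH.finditer(script_text):
        path = match.group(1)
        if path not in found:
            found.append(path)
    return found


def weak_permissions(path: str) -> list[str]:
    """Reasons a root-run script should not trust this file. An empty list
    means root-owned, owner-writable only, in a directory others cannot write."""
    try:
        st = os.stat(path)
    except OSError:
        return []  # missing or unreadable: nothing to judge here
    reasons: list[str] = []
    if st.st_uid != 0:
        reasons.append(f"owned by uid {st.st_uid}, not root")
    if st.st_mode & stat.S_IWGRP:
        reasons.append("group-writable")
    if st.st_mode & stat.S_IWOTH:
        reasons.append("world-writable")
    # A writable parent directory lets the whole file be replaced.
    parent = os.stat(os.path.dirname(path))
    if parent.st_mode & (stat.S_IWGRP | stat.S_IWOTH) and not parent.st_mode & stat.S_ISVTX:
        reasons.append("parent directory writable by group or others")
    return reasons


def audit_init_script(script_path: str) -> dict[str, list[str]]:
    """Map each path the script references to the reasons it is untrustworthy."""
    with open(script_path, encoding="utf-8") as fh:
        text = fh.read()
    findings: dict[str, list[str]] = {}
    for path in referenced_paths(text):
        reasons = weak_permissions(path)
        if reasons:
            findings[path] = reasons
    return findings


def build_demo() -> dict[str, list[str]]:
    """Builds a throwaway tree in the advisory's shape: an init script that
    runs a helper, with the helper left group-writable. Names are invented.
    Run as an unprivileged user, every created file is also flagged for
    ownership, which is the check doing its job."""
    root = tempfile.mkdtemp(prefix="initaudit-")
    bindir = os.path.join(root, "opt", "app", "bin")
    os.makedirs(bindir)
    os.chmod(bindir, 0o755)
    helper = os.path.join(bindir, "db_helper")  # weak: group can write it
    safe = os.path.join(bindir, "safe_tool")    # owner-writable only
    for path, mode, body in ((helper, 0o775, "echo maintenance"),
                             (safe, 0o755, "true")):
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(f"#!/bin/sh\n{body}\n")
        os.chmod(path, mode)
    init_script = os.path.join(root, "app-module")
    with open(init_script, "w", encoding="utf-8") as fh:
        fh.write(textwrap.dedent(f"""\
            #!/bin/sh
            # runs as root during boot
            {helper} --upgrade
            {safe}
        """))
    return audit_init_script(init_script)


if __name__ == "__main__":
    for path, reasons in build_demo().items():
        print(f"{path}: {', '.join(reasons)}")
```

Pointed at a real `/etc/init.d` directory, the same `audit_init_script` call over each script lists every referenced file that a non-root principal could alter before the next reboot, which is exactly the condition the advisory describes. The text scan is deliberately over-inclusive; review the hits rather than acting on them blindly.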
Core Security first notified Opsview of the flaws in May. The coordinated release date was Tuesday.