As you may recall, back in December Rapid7 disclosed six vulnerabilities that affect four different Network Management System (NMS) products, discovered by Deral Heiland of Rapid7 and independent researcher Matthew Kienow. In March, Deral followed up with another pair of vulnerabilities for another NMS. Today, we're releasing a new disclosure that covers 11 issues across four vendors. As is our custom, these were all reported to vendors and CERT for coordinated disclosure.
While this disclosure covers a wide range of vulnerabilities discovered (and fixed), the theme of injecting malicious data via SNMP to ultimately gain control of NMS web console browser windows became overwhelmingly obvious, and deserving of a more in-depth look. To that end, today, Rapid7 would like to offer a complete research report on the subject. From Managed to Mangled: SNMP Exploits for Network Management Systems by Deral, Matthew, and yours truly is available for download here, and we'd love to hear your feedback on this technique in the comments below. We'll all be at DerbyCon as well, and since Matthew and Deral will be presenting these findings on Saturday, September 24th, 2016, it will be a fine time to chat about this.
Incidentally, we're quite pleased that every one of these vendors has issued patches to address these issues well before our planned disclosure today. All acted reasonably and responsibly to ensure their customers and users are protected against this technique, and we're confident that going forward, NMSs will do a much better job of inspecting and sanitizing machine-supplied, as well as user-supplied, input.
With that, let's get on with the disclosing!
Rapid7 Identifier | CVE Identifier | Class | Vendor | Patched
---|---|---|---|---
R7-2016-11.1 | CVE-2016-5073 | XSS | CloudView | Version 2.10a
R7-2016-11.2 | CVE-2016-5073 | XSS | CloudView | Version 2.10a
R7-2016-11.3 | CVE-2016-5074 | Format String | CloudView | Version 2.10a
R7-2016-11.4 | CVE-2016-5075 | XSS | CloudView | Version 2.10a
R7-2016-11.5 | CVE-2016-5076 | DOA | CloudView | Version 2.10a
R7-2016-12 | CVE-2016-5077 | XSS | Netikus | Version 3.2.1.44
R7-2016-13 | CVE-2016-5078 | XSS | Paessler | Version 16.2.24.4045
R7-2016-14.1 | CVE-2016-5642 | XSS | Opmantek | Versions 8.5.12G
R7-2016-14.2 | CVE-2016-5642 | XSS | Opmantek | Versions 8.5.12G, 4.3.7c
R7-2016-14.3 | CVE-2016-5642 | XSS | Opmantek | Versions 8.5.12G, 4.3.7c
R7-2016-14.4 | CVE-2016-6534 | Cmd Injection | Opmantek | Versions 8.5.12G, 4.3.7c
R7-2016-11: Multiple Issues in CloudView NMS
CloudView NMS versions 2.07b and 2.09b are vulnerable to a persistent Cross Site Scripting (XSS) vulnerability via SNMP agent responses and SNMP trap messages, a format string vulnerability in processing SNMP agent responses, a format string vulnerability via telnet login, and an insecure direct object reference issue. These issues were resolved in version 2.10a, available from the vendor. None of these issues require any prior authentication to exploit.
These issues were discovered by Deral Heiland of Rapid7, Inc.
R7-2016-11.1: XSS via SNMP Agent Responses (CVE-2016-5073)
While examining the Network Management System (NMS) software CloudView NMS, it was discovered to be vulnerable to a persistent Cross Site Scripting (XSS) vulnerability. This vulnerability allows a malicious actor to inject persistent JavaScript and HTML code into various fields within CloudView's web management interface. When this data (JavaScript) is viewed within the web console, the code executes within the context of the authenticated user. This allows a malicious actor to conduct attacks which can be used to modify the system's configuration, compromise data, take control of the product, or launch attacks against the authenticated user's host system.
The first persistent XSS vulnerability is delivered via the network SNMP discovery process. If a network device found during discovery is configured with SNMP, and its sysDescr object (OID 1.3.6.1.2.1.1.1) contains HTML or JavaScript code, then once the discovered device is imported into the database that code is delivered to the product for persistent display and execution.
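To make the ingestion path concrete from the defender's side, the following is an added example (not CloudView's or Rapid7's code) that walks a constructed SNMPv2c GetResponse carrying sysDescr.0, treats the agent-supplied value as untrusted, and shows the vulnerable rendering pattern beside the fixed one. The `ingest_sysdescr()` function and the minimal BER codec are assumptions for illustration: the codec handles only community-string messages with a GetResponse PDU and simple values, and the sample sysDescr strings are constructed, not captured from a real device.

```python
import html
import re

# Added illustration; assumes a hypothetical NMS ingestion step and a
# deliberately minimal BER codec (SNMPv1/v2c GetResponse, simple values only).
SYS_DESCR_OID = "1.3.6.1.2.1.1.1.0"   # sysDescr.0, the instance an agent answers with
DISPLAY_STRING_MAX = 255              # RFC 2579 DisplayString upper bound


# ---- minimal BER helpers (used to construct the sample and to parse it) ----
def _ber_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(payload)) + payload


def encode_oid(dotted: str) -> bytes:
    parts = [int(p) for p in dotted.split(".")]
    out = bytearray([40 * parts[0] + parts[1]])
    for sub in parts[2:]:
        chunks = [sub & 0x7F]
        sub >>= 7
        while sub:                         # base-128, continuation bit on all but the last
            chunks.append(0x80 | (sub & 0x7F))
            sub >>= 7
        out.extend(reversed(chunks))
    return bytes(out)


def decode_oid(raw: bytes) -> str:
    parts = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(value)
            value = 0
    return ".".join(str(p) for p in parts)


def read_tlv(buf: bytes, pos: int):
    """Return (tag, contents, position_after) for the TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def build_get_response(sysdescr: bytes) -> bytes:
    """Constructed sample: SNMPv2c GetResponse for sysDescr.0, community 'public'."""
    varbind = ber(0x30, ber(0x06, encode_oid(SYS_DESCR_OID)) + ber(0x04, sysdescr))
    pdu = ber(0xA2, ber(0x02, b"\x01") + ber(0x02, b"\x00") + ber(0x02, b"\x00")
              + ber(0x30, varbind))        # request-id, error-status, error-index, varbinds
    return ber(0x30, ber(0x02, b"\x01") + ber(0x04, b"public") + pdu)   # version 1 == v2c


def extract_varbinds(msg: bytes) -> dict:
    """Walk a GetResponse and return {oid: raw_value_bytes}."""
    _, body, _ = read_tlv(msg, 0)
    _, _, pos = read_tlv(body, 0)          # version
    _, _, pos = read_tlv(body, pos)        # community
    pdu_tag, pdu, _ = read_tlv(body, pos)
    if pdu_tag != 0xA2:
        raise ValueError("not a GetResponse PDU")
    pos = 0
    for _ in range(3):                     # request-id, error-status, error-index
        _, _, pos = read_tlv(pdu, pos)
    _, vbl, _ = read_tlv(pdu, pos)
    varbinds, pos = {}, 0
    while pos < len(vbl):
        _, vb, pos = read_tlv(vbl, pos)
        _, oid_raw, after_oid = read_tlv(vb, 0)
        _, value, _ = read_tlv(vb, after_oid)
        varbinds[decode_oid(oid_raw)] = value
    return varbinds


# ---- treating the agent-supplied value as untrusted ----
def is_valid_display_string(raw: bytes) -> bool:
    """Length and character-set check; stricter than RFC 2579 (printable ASCII plus tab)."""
    return len(raw) <= DISPLAY_STRING_MAX and all(b == 0x09 or 0x20 <= b <= 0x7E for b in raw)


_MARKUP = re.compile(r"<|>|javascript:|on[a-z]+\s*=", re.IGNORECASE)


def suspicious_markup(text: str) -> list:
    """Detection aid: markup fragments that have no business in a device description."""
    return _MARKUP.findall(text)


def render_row_unsafe(hostname: str, sysdescr: str) -> str:
    """The vulnerable pattern: agent data concatenated straight into the console's HTML."""
    return f"<tr><td>{hostname}</td><td>{sysdescr}</td></tr>"


def render_row_safe(hostname: str, sysdescr: str) -> str:
    """The fix: escaping at the HTML output boundary, regardless of what validation said."""
    return f"<tr><td>{html.escape(hostname)}</td><td>{html.escape(sysdescr)}</td></tr>"


def ingest_sysdescr(msg: bytes, hostname: str) -> dict:
    """Hypothetical NMS ingestion step: parse, validate, flag, and render safely."""
    raw = extract_varbinds(msg).get(SYS_DESCR_OID, b"")
    text = raw.decode("ascii", errors="replace")
    return {"sysdescr": text, "well_formed": is_valid_display_string(raw),
            "findings": suspicious_markup(text), "html": render_row_safe(hostname, text)}


# Constructed sample values (not captured from any real device)
BENIGN_SYSDESCR = b"Linux core-rtr1 4.4.0 #1 SMP x86_64"
HOSTILE_SYSDESCR = b"<script>alert(1)</script>"

if __name__ == "__main__":
    for label, value in (("benign", BENIGN_SYSDESCR), ("hostile", HOSTILE_SYSDESCR)):
        print(label, ingest_sysdescr(build_get_response(value), "core-rtr1"))
```

Note that the hostile value passes the DisplayString character-set check, since it is ordinary printable ASCII: a syntactic check on the SNMP side cannot decide what is safe in an HTML context, which is why the escaping in `render_row_safe()` is the actual fix and `suspicious_markup()` is only a detection aid for alerting on devices that answer with markup.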
The following example shows the results of discovering a network device where the SNMP sysDescr has been set to: