Network management vendors patch SQLi and XSS flaws

Rapid7 released four notifications on Wednesday, addressing six vulnerabilities in Network Management Systems offered by Opsview, Spiceworks, Ipswitch, and Castle Rock.

Network Management Systems, commonly used to track networked assets using protocols like SNMP (Simple Network Management Protocol), are an easy way to catalogue basic details about connected systems; admins use them to get hostnames, OS information, and more. SNMP was designed for this purpose specifically.
However, NMS products operate on the presumption that the assets on the local network are friendly. Such assumptions are a cardinal sin in security, because they lead to trusting user-supplied input (here, the hostnames, descriptions, and other strings a device reports over SNMP), which is never a good idea.

Case in point: Deral Heiland of Rapid7 and Matthew Kienow of Inokii discovered Cross-Site Scripting (XSS) vulnerabilities, as well as SQL Injection (SQLi) vulnerabilities, in products offered by the previously named vendors.

If these systems are not patched, an attacker could exploit these flaws and gain an invisible foothold on the network.
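The pattern behind both flaw classes is the one described above: a string learned from a device over SNMP is trusted and ends up in the NMS's HTML page (stored XSS) or in a SQL statement (SQLi). The following Python is an added illustration, not code from Rapid7 or any of the named vendors, and it does not reproduce their actual bugs. It uses a constructed three-device inventory (sample values, including a sysName containing markup and one containing an apostrophe) to show the vulnerable string-building pattern next to the hardened form: HTML-escape every device-supplied field before rendering, and use parameterized SQL so device data can never alter the statement.

```python
import html
import sqlite3

# Constructed sample inventory, as an NMS might collect it over SNMP.
# Two entries carry characters an odd or hostile device could return:
# markup in one sysName, an apostrophe in another.
SAMPLE_DEVICES = [
    {"ip": "10.0.0.5", "sysname": "core-sw-01", "sysdescr": "Example switch OS 1.2"},
    {"ip": "10.0.0.9", "sysname": "<b>not-a-switch</b>", "sysdescr": "unknown"},
    {"ip": "10.0.0.12", "sysname": "O'Brien-PC", "sysdescr": "Example workstation"},
]


def render_row_unsafe(dev):
    """Vulnerable pattern: device-supplied text is placed into HTML as-is."""
    return "<tr><td>{ip}</td><td>{sysname}</td><td>{sysdescr}</td></tr>".format(**dev)


def render_row_safe(dev):
    """Hardened: every SNMP-derived field is HTML-escaped before it reaches the page."""
    cells = "".join(
        f"<td>{html.escape(str(v))}</td>"
        for v in (dev["ip"], dev["sysname"], dev["sysdescr"])
    )
    return f"<tr>{cells}</tr>"


def open_inventory():
    """In-memory SQLite table standing in for the NMS asset database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE devices (ip TEXT PRIMARY KEY, sysname TEXT, sysdescr TEXT)")
    return conn


def store_unsafe(conn, dev):
    """Vulnerable pattern: SQL built by string formatting.

    A quote character inside sysName becomes part of the statement's syntax,
    which is exactly the opening a SQLi flaw needs.
    """
    sql = "INSERT INTO devices VALUES ('{ip}', '{sysname}', '{sysdescr}')".format(**dev)
    conn.execute(sql)


def store_safe(conn, dev):
    """Hardened: parameterized statement; values are bound, never parsed as SQL."""
    conn.execute(
        "INSERT INTO devices VALUES (?, ?, ?)",
        (dev["ip"], dev["sysname"], dev["sysdescr"]),
    )


def lookup(conn, sysname):
    """Parameterized lookup of a device IP by its reported sysName."""
    row = conn.execute("SELECT ip FROM devices WHERE sysname = ?", (sysname,)).fetchone()
    return row[0] if row else None


def demo():
    """Run both patterns over the sample inventory and return the observations."""
    conn = open_inventory()
    results = {"unsafe_insert_failed": False}
    try:
        # The apostrophe in "O'Brien-PC" breaks the hand-built statement.
        store_unsafe(conn, SAMPLE_DEVICES[2])
    except sqlite3.OperationalError:
        results["unsafe_insert_failed"] = True
    for dev in SAMPLE_DEVICES:
        store_safe(conn, dev)  # all three rows are stored intact
    results["lookup"] = lookup(conn, "O'Brien-PC")
    results["safe_html"] = render_row_safe(SAMPLE_DEVICES[1])
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The apostrophe case is deliberately benign: it merely makes the hand-built INSERT fail with a syntax error, which is enough to show that device-supplied text is being parsed as SQL. Binding parameters and escaping on output are the same fixes the vendors' patches amount to, independent of which NMS renders the data.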

"NMSes, since they often contain data about the entire network, can be a highly valuable target for an internal attacker. Armed with an NMS, an attacker need not raise any alarms by port scanning or otherwise mapping the network on his own; he can instead use the normal functionality of the NMS to gather intelligence on the targeted network," commented Tod Beardsley, the security research manager at Rapid7.

"In some cases, these vulnerabilities can allow an attacker to gain control of the operating system of the server the NMS is hosted on," Beardsley added.

"This can present an additional upside for attackers, as NMSes are often well-known as 'noisy' hosts that not only normally make many connections to workstations and servers across the enterprise, and therefore tend to be excepted from the normal monitoring and alerting controls that would otherwise flag suspicious behavior. Launching attacks from a compromised NMS that enjoys special treatment for day-to-day networking can provide an invaluable layer of cover for an attacker."

The following products need patching:

Ipswitch – WhatsUpGold

  • Versions 16.2.6 and 16.3.1 are vulnerable to persistent XSS and SQLi
  • A patch is scheduled for release later today

Castle Rock – SNMPc Enterprise / Online

  • Enterprise version 9 and Online version 12.1 are vulnerable to XSS and SQLi
  • No patch; details were published 60 days after the initial disclosure to Castle Rock

Spiceworks – Desktop application

  • Versions 7.3.00065, 7.3.00076, 7.4.00075 are vulnerable to stored XSS
  • Spiceworks issued a fix on December 1

Note: Other versions may be affected

Opsview – Web application

  • Version 4.6.3 is vulnerable to stored XSS
  • Opsview issued a patch on November 6