Network Management System’s SQLi and XSS Vulnerabilities Explained

12月 16, 2015

In today’s Whiteboard Wednesday, Justin Pagano, Security Engineer at Rapid7 will talk about the six flaws that the Rapid7 research team and independent researchers have found across four network management system vendors.

Justin will explain what is affected by this vulnerability, he will discuss how the vulnerabilities can be exploited, and he will tell you how to defend against this attack.

Want to learn all the details around these vulnerabilities? Check out this blog post.

Video Transcript

Hi, my name's Justin Pagano. I'm a Security Engineer here at Rapid7, and for today's Whiteboard Wednesday, we're going to go over network management Web app exploits, specifically SQL injection and cross-site scripting.

Show more Show less

So over the past few months, Rapid7 have been working with SpiceWorks, Ipswitch, Castle Rock, and Opsview on some vulnerabilities researchers discovered in a few of their network management systems. Today we're publicly disclosing those vulnerabilities, and we're going to go into it in a little bit of more detail right now.

So out of these four vendors, there's certain versions of some of their network management systems that either have SQL injection in their Web app console, cross-site scripting, or both. And the interesting thing here is that the cross-site scripting vulnerability can be exploited through SNMP. So, in general, in sort of a worst case scenario, an attack would play out something like this. An attacker already gets on your network, they're inside your network, and they take control of an endpoint that is scanned by one of these network management systems. The attacker modifies a certain SNMP object identifier, such as sysName, and they modify it to include some Java scripting HTML. That gets passed to the network management system, so that when one of your admins logs into it, the cross-site scripting in the Web app console gets executed against your admin. And, let's say, the attacker wants to put up a malicious pop-up that asks for username and password, the admin gets tricked into entering those credentials, it gets sent back to the attacker, now the attacker logs back into the network management system to conduct a SQL injection attack, and potentially take over the underlying 'host ls' for that system.

So what's the risk here in specifics? We already went over the credentials being stolen, but those credentials can be used for more that just logging into the network management system in some cases. So if your network management system is tied to your active directory, then those credentials might be able to be used for other systems on your network. Also, that SQL injection attack, if an attacker is able to take control of the underlying 'host ls', they might be able to conduct more reconnaissance, and because they're using your network management system, they will have an easier time performing that reconnaissance. These network management systems are notoriously noisy among security teams, so chances are, any alerts they would otherwise trigger are being ignored by the security team. So how do you defend against something like this? This is kind of an odd attack scenario, where SNMP is being used in a Web application exploit.

First things first, when patches are made available for these vendors' tools, apply them. Then make sure you're being very particular about the endpoints you are scanning with your SNMP tools and keep those endpoints patched as well because if an attacker can compromise them, and then modify certain SNMP object identifiers, they can potentially carry out one of these attacks. Disable SNMP whenever you don't need to use it, and as basic security hygiene, just move away from older versions of SNMP whenever possible.

So that was sort of a general overview, we didn't go into too much detail, but we will have a webcast coming out sometime in January where we'll dive into this more deeply, and there should be some links below this video here that will take you to more detailed explanations about the specific vulnerability for a specific version of a specific product.

Thanks for joining, and we'll see you next week.

Free InsightVM Trial

Experience the value InsightVM can offer your unique environment with a 30-day free trial.

Get Started