Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Network Security

Multiple Vulnerabilities Addressed in Opsview Monitor

Opsview recently addressed a series of remote code-execution, command-execution and local privilege-escalation vulnerabilities in the Opsview Monitor.

Opsview recently addressed a series of remote code-execution, command-execution and local privilege-escalation vulnerabilities in the Opsview Monitor.

A proprietary monitoring application for networks and applications, Opsview Monitor “helps DevOps teams deliver smarter business services by providing unified insight into their dynamic IT operations whether on-premises, in the cloud, or hybrid,” the company says.

The software is impacted by five vulnerabilities that could provide attackers with the ability to access the management console and execute commands on the operating system.

Discovered by Core Security researchers earlier this year, the bugs were confirmed to impact all supported versions of Opsview Monitor (5.4, 5.3 and 5.2). In addition to patches (the 5.4.2 and 5.3.1 updates) for the affected versions, Opsview also released a new product iteration that removed the issues from the start.

A virtual appliance deployed inside the organization’s network infrastructure, Opsview Monitor is bundled with a Web Management Console that allows for the monitoring and management of hosts and their services.

The first two issues found in the appliance could be abused to execute malicious JavaScript code in the context of a legitimate user. These are CVE-2018-16148, a reflected Cross-Site Scripting (XSS) in the ‘diagnosticsb2ksy’ parameter of the ‘/rest‘ endpoint, and CVE-2018-16147, a persistent XSS in the ‘data’ parameter of the ‘/settings/api/router‘ endpoint.

“The input will be stored without any sanitization and rendered every time the /settings section is visited by the user. […] this XSS is self-stored and it’s ex
ecuted only in the context of the victim’s session. [The] vulnerability can be exploited by an attacker to gain persistency and execute the malicious code each time the victim accesses to the settings section,” Core Security explains.

Two other vulnerabilities could allow an attacker to obtain command execution on the system as the nagios user. Tracked as CVE-2018-16146 and CVE-2018-16144, both of these are improper sanitization bugs.

Tracked as CVE-2018-16145, the fifth vulnerability could lead to local privilege escalation. An attacker could edit a specific part of a script to execute code once the appliance is rebooted (at boot, scripts impersonate the nagios user during their execution).

The bugs were reported to Opsview in early May and were confirmed within a week. The company released Opsview Monitor 6.0 at the end of July and pushed fixes for previous software iteration last week.  

Related: Network Management Systems Vulnerable to SNMP-Based Attacks

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Cyberwarfare

Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Network Security

NSA publishes guidance to help system administrators identify and mitigate cyber risks associated with transitioning to IPv6.

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.