Researchers have analyzed the network management systems offered by several vendors and discovered that they are plagued by vulnerabilities that can be exploited for cross-site scripting (XSS) and format string attacks carried out over the Simple Network Management Protocol (SNMP).
Independent researcher Matthew Kienow and Rapid7’s Tod Beardsley and Deral Heiland analyzed the network management system (NMS) products of nine vendors, including Spiceworks, Ipswitch, Castle Rock, ManageEngine, CloudView, Paessler, Opmantek, Netikus and Opsview.
NMS solutions consist of software and hardware tools that allow IT staff to monitor and discover devices on a network, including workstations, servers, printers, switches and security appliances. These products typically use the SNMP network management protocol for discovery and administration.
The problem, according to researchers, is that NMS products often fail to properly validate machine-provided input, such as the data delivered via SNMP, allowing an attacker to conduct various activities. Experts have identified and detailed three different SNMP attack vectors that can be exploited to target NMS products.
One of the attack methods has been described as passive SNMP XSS injection, where an attacker places a rogue device on the targeted network. During the NMS product’s discovery process, the malicious device sends specially crafted SNMP data that contains a persistent XSS payload. This payload gets executed in the NMS’s web-based management console when a user, typically one with administrator privileges, opens the application.
Rapid7 has determined that various versions of Spiceworks Desktop, Ipswitch WhatsUp Gold, Castle Rock SNMPc, ManageEngine OpUtils, CloudView NMS, Paessler PRTG and Opmantek NMIS are vulnerable to persistent XSS attacks.
The second attack vector also involves injecting persistent XSS payloads, but it relies on SNMP traps, which are used to deliver statuses and alerts from managed agents. Researchers found that attackers can inject their XSS payload by spoofing SNMP traps apparently coming from known devices.
“In the worst case, the attacker can simply employ a ‘spray and pray’ strategy and send unsolicited trap messages to any listening UDP/162 port using a spoofed IP address, and trust that any affected NMS will pick up the XSS attack string and embed it in the web console of those NMSs,” Rapid7 explained in its report.
Experts determined that such attacks can be conducted against various versions of Ipswitch WhatsUp Gold, Castle Rock SNMPc, Opsview Monitor, CloudView NMS, Netikus EventSentry and Opmantek NMIS.
The third attack vector described by researchers involves injecting format string exploits over SNMP. Format strings are C specifiers used to define the output of certain functions – they are typically introduced using the % character. Format string exploits occur when an application evaluates the submitted data of an input string as a command, allowing the attacker to compromise the system’s security or stability.
Sending specially crafted format string specifiers to an NMS product’s parsing engine allows an attacker to cause a denial-of-service (DoS) condition or possibly even execute arbitrary code. Only CloudView products have been found to be vulnerable to such attacks.
Each of the affected vendors was notified by Rapid7 before details were disclosed, giving them time to patch the flaws. Some of the vulnerabilities were previously disclosed by CERT/CC and Rapid7 in December 2015.
One important takeaway from this research is that while many developers have learned to address vulnerabilities caused by inadequate validation of user-provided input, machine-provided input validation is still often neglected, resulting in potentially serious security holes.
“Most people don’t think of a switch or a router as a ‘user,’ so the oft-repeated secure software design principle of ‘Do not trust user input directly’ is less likely to come to mind when designing machine-to-machine interfaces,” researchers explained. “To complicate things further, XSS strings are harmless in the context of an SNMP service (so it has no existential reason to inspect values for this kind of maliciousness), and at the same time, the SNMP service and its data store is going to be ‘trusted’ from the perspective of the web administration console.”