Numerous Vulnerabilities Found in Zenoss Core Management Platform

Researchers have uncovered a total of 20 security holes in Zenoss Core, the free, open-source version of the application, server, and network management platform Zenoss.

According to an advisory published on Friday by the CERT Coordination Center at Carnegie Mellon University (CERT/CC), the vulnerabilities were identified and reported by Ryan Koppenhaver and Andy Schmitz of Matasano Security.

One of the most serious flaws is CVE-2014-6261, which can be exploited by a remote attacker to execute arbitrary code.

“An attacker who is able to get a victim to visit an attacker-controlled website while logged in to the Zenoss interface can execute arbitrary code on the Zenoss installation. Additionally, an attacker who is able to perform a man-in-the-middle attack between the Zenoss installation and Zenoss’ corporate ‘callhome’ server – or control the ‘callhome’ server – can execute arbitrary code on the Zenoss installation,” reads Zenoss’ description of the vulnerability.

Another serious vulnerability (CVE-2014-9246) is caused by the fact that sessions don’t expire. In order to exploit the bug, an attacker needs to obtain a targeted user’s session ID and copy it to his own computer. When the victim logs in, the attacker will be logged in as that user.

Researchers have also identified cross-site request forgery (CSRF), persistent cross-site scripting (XSS), information disclosure, open redirect, authorization bypass, and denial-of-service (DoS) vulnerabilities. In addition, the experts discovered multiple issues related to passwords, including the lack of password complexity requirements, a weak hashing algorithm, and the storing of passwords in plaintext in the session database.

These vulnerabilities have been assigned the following CVE identifiers: CVE-2014-6253, CVE-2014-6254, CVE-2014-9245, CVE-2014-6255, CVE-2014-6256, CVE-2014-9247, CVE-2014-9248, CVE-2014-6257, CVE-2014-9249, CVE-2014-6258, CVE-2014-6260, CVE-2014-9251, CVE-2014-6259, CVE-2014-6262 and CVE-2014-9252.

The vulnerabilities affect Zenoss Core 4.2.4. Two of the flaws, the session expiration bug and an open redirect in the login form (CVE-2014-6255 and CVE-2014-9246), have been addressed by Zenoss with the release of the latest Zenoss Core 4.2.5 service pack, CERT/CC said. The company is internally tracking the other bugs and plans of fixing them in a future maintenance release of Zenoss Core 5, which is currently in beta.

Zenoss does not plan on addressing CVE-2014-9250, which can be exploited by an attacker to obtain a user’s username and password by retrieving the authentication cookie. The company advises customers who want to use cookie-based authentication to ensure their installations operate over SSL/HTTPS.