
XSS, SQLi Flaws Found in Network Management Systems

Researchers have identified several vulnerabilities in the network management system (NMS) products offered by various companies.

NMS solutions are designed to allow IT teams to discover and monitor devices on a network and track a network’s performance. Deral Heiland of Rapid7 and independent researcher Matthew Kienow discovered SQL injection and cross-site scripting (XSS) vulnerabilities in NMS products from Spiceworks, Ipswitch, Castle Rock Computing and Opsview.

According to Rapid7, the web application in Spiceworks Desktop is plagued by a persistent XSS vulnerability (CVE-2015-6021) that can be exploited by an unauthenticated attacker who has access to the network segment scanned by the product. The security hole affects versions 7.3.00065, 7.3.00076 and 7.4.00075.

An attacker can set up a malicious host that runs a Simple Network Management Protocol (SNMP) agent whose responses contain an XSS payload. The payload is stored when the product scans the attacker's host, and the malicious code executes when a user later visits certain pages in the web interface.

The flaw was reported to Spiceworks on September 1 and patched on December 1 with the release of version 7.5. The vendor says it's not aware of any exploits for the vulnerability.

The WhatsUp Gold NMS product from Ipswitch is plagued by both stored XSS (CVE-2015-6004) and SQL injection (CVE-2015-6005) vulnerabilities.

The XSS vulnerability can be exploited by an unauthenticated attacker via SNMP during the product’s network device discovery process. The malicious code gets executed when the user views the malicious device in the web interface’s discovery console.

An unauthenticated attacker can also execute arbitrary HTML and JavaScript code by injecting it into a spoofed SNMP trap message. The code is executed when the victim views the trap information in the dashboard.

The SQL injection vulnerability in Ipswitch WhatsUp Gold can be exploited by an authenticated attacker to extract information from the database.

The vulnerabilities, which affect versions 16.3.1 and earlier, were reported by Rapid7 on September 1 and were patched on December 16 with the release of WhatsUp Gold 16.4.1. Ipswitch was first contacted about the SQL injection issue in mid-July after Owen Shearing of 7Safe reported the flaw to CERT/CC.

“At Ipswitch, we take the security of our products very seriously. As soon as the vulnerability was detected, Ipswitch developed a fix which was released on December 16 and is now available to all customers through the customer portal,” Ipswitch representatives told SecurityWeek.

A persistent XSS vulnerability (CVE-2015-6035) that can be exploited via malicious SNMP traps has also been found in Opsview. Researchers also discovered a reflected XSS vulnerability in Opsview’s NMS product.

The flaws affect versions 4.6.3 and earlier. The security holes were fixed on November 6 with the release of Opsview 4.5.4 and 4.6.4, which also address several other XSS flaws.

XSS and SQL injection bugs were also found in Castle Rock Computing’s SNMPc Enterprise product and its associated SNMPc OnLine reporting and monitoring tool.

The persistent XSS (CVE-2015-6027) can be exploited by an unauthenticated attacker to execute arbitrary JavaScript code in the product's web console. As with Ipswitch WhatsUp Gold, the malicious code can be delivered during the device discovery process or via SNMP trap messages.
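The Spiceworks, WhatsUp Gold and SNMPc stored XSS flaws described above are one bug class: strings the NMS learns over SNMP (sysName, sysDescr, trap varbinds) are written into the web console without HTML encoding, so whoever controls an SNMP agent or can spoof a trap controls markup in the administrator's browser. The following is an added illustration and is not code from any of the vendors or from Rapid7. The device record, the trap and the payload strings are constructed for the example; the only fix shown is output encoding at the point of rendering, which is what a patch for this class has to do.

```python
import html
from html.parser import HTMLParser

# Constructed sample data (not payloads from the advisories): what a hostile
# SNMP agent might answer for sysName/sysDescr during discovery, and the
# varbinds of a spoofed trap. Anything learned over SNMP is attacker text.
HOSTILE_DEVICE = {
    "ip": "10.0.0.23",
    "sysName": 'printer"><script>alert(document.cookie)</script>',
    "sysDescr": "<img src=x onerror=alert(1)>",
}
HOSTILE_TRAP = {
    "source": "10.0.0.23",
    "trap_oid": "1.3.6.1.6.3.1.1.5.1",                            # coldStart
    "varbinds": {"1.3.6.1.2.1.1.5.0": "<svg onload=alert(1)>"},   # sysName.0
}


def esc(value):
    """HTML-encode for text nodes and double-quoted attribute values."""
    return html.escape(str(value), quote=True)


def render_discovery_row_vulnerable(device):
    """The bug class: SNMP-sourced strings dropped into HTML unencoded."""
    return (
        f'<tr data-host="{device["sysName"]}">'
        f'<td>{device["ip"]}</td><td>{device["sysName"]}</td>'
        f'<td>{device["sysDescr"]}</td></tr>'
    )


def render_discovery_row_hardened(device):
    """Same markup; every untrusted field is encoded at the point of output."""
    return (
        f'<tr data-host="{esc(device["sysName"])}">'
        f'<td>{esc(device["ip"])}</td><td>{esc(device["sysName"])}</td>'
        f'<td>{esc(device["sysDescr"])}</td></tr>'
    )


def render_trap_row_vulnerable(trap):
    """Trap dashboard row with varbind values interpolated raw."""
    cells = "".join(f"<td>{oid}</td><td>{val}</td>" for oid, val in trap["varbinds"].items())
    return f'<tr><td>{trap["source"]}</td><td>{trap["trap_oid"]}</td>{cells}</tr>'


def render_trap_row_hardened(trap):
    """Trap dashboard row with every varbind value encoded."""
    cells = "".join(f"<td>{esc(oid)}</td><td>{esc(val)}</td>" for oid, val in trap["varbinds"].items())
    return f'<tr><td>{esc(trap["source"])}</td><td>{esc(trap["trap_oid"])}</td>{cells}</tr>'


class _TagCollector(HTMLParser):
    """Records every start tag and every on* event-handler attribute that the
    rendered markup produces when parsed the way a browser would parse it."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        self.findings.append("tag:" + tag)
        self.findings.extend("attr:" + name for name, _ in attrs if name.startswith("on"))

    handle_startendtag = handle_starttag


def injected_markup(rendered, allowed_tags=("tr", "td")):
    """Tags and handlers the attacker got into the page; empty means clean."""
    parser = _TagCollector()
    parser.feed(rendered)
    parser.close()
    allowed = {"tag:" + t for t in allowed_tags}
    return sorted({f for f in parser.findings if f not in allowed})
```

`injected_markup` is the check a practitioner wants after the fix: render the hostile row, parse it, and confirm nothing but the expected table tags exists. `html.escape` is correct only for HTML text and quoted attribute values; a value placed inside a script block, a URL or a style rule needs that context's encoder, and a template engine with autoescaping on (or a Content-Security-Policy that forbids inline script) is the cheaper way to get this right across a whole console.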

The SQL injection vulnerability (CVE-2015-6028) can be leveraged by an authenticated attacker to extract information from the application database. Rapid7 has pointed out that the SQL injections found in these NMS products can easily be exploited with open source tools such as sqlmap.
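The WhatsUp Gold and SNMPc SQL injection flaws are both post-authentication reads: a logged-in user with an ordinary account gets the database to return rows it would never show in the UI. The added example below is not code from either product and the schema is constructed; it shows the string-built query that makes a UNION extraction possible, the bound-parameter form that closes it, and an allowlist check for the device-name field as a second layer. The UNION payload is the kind of thing sqlmap finds on its own once it has worked out the column count.

```python
import re
import sqlite3

# Constructed schema and rows for this example; real NMS schemas differ.
SCHEMA = """
CREATE TABLE devices (id INTEGER PRIMARY KEY, name TEXT NOT NULL, ip TEXT NOT NULL);
CREATE TABLE users   (id INTEGER PRIMARY KEY, username TEXT NOT NULL, password_hash TEXT NOT NULL);
INSERT INTO devices (name, ip) VALUES ('core-sw1', '10.0.0.1'), ('edge-fw', '10.0.0.2');
INSERT INTO users (username, password_hash) VALUES ('admin', 'constructed-hash-value');
"""

# What an authenticated, low-privileged user types into a "find device" field.
# Two columns match the outer SELECT, so the users row comes back as a device.
UNION_PAYLOAD = "' UNION SELECT username, password_hash FROM users --"

# Allowlist for a device name: hostnames never need quotes, spaces or dashes
# beyond what is here, so anything else is rejected before it reaches SQL.
DEVICE_NAME = re.compile(r"^[A-Za-z0-9._-]{1,64}$")


def make_db():
    """Fresh in-memory database loaded with the constructed rows."""
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    return con


def find_devices_vulnerable(con, name):
    """The flaw: the search term is spliced into the SQL text itself."""
    sql = f"SELECT name, ip FROM devices WHERE name = '{name}'"
    return con.execute(sql).fetchall()


def find_devices_hardened(con, name):
    """The fix: a bound parameter is data to the engine, never SQL syntax."""
    return con.execute("SELECT name, ip FROM devices WHERE name = ?", (name,)).fetchall()


def is_valid_device_name(name):
    """Defence in depth for inputs that should never contain SQL metacharacters."""
    return DEVICE_NAME.match(name) is not None


if __name__ == "__main__":
    con = make_db()
    print("vulnerable:", find_devices_vulnerable(con, UNION_PAYLOAD))
    print("hardened:  ", find_devices_hardened(con, UNION_PAYLOAD))
```

The vulnerable call returns the admin's password hash as if it were a device; the hardened call returns nothing, because the whole payload is compared against the name column as a literal. Validation alone is not a fix (free-text fields such as descriptions cannot be allowlisted this tightly), which is why the parameterised query is the change that has to ship.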

Castle Rock Computing representatives told SecurityWeek that the vulnerabilities have been confirmed and addressed by the company's engineering team. Patches were posted to the company's help desk on December 17, and the fixes will also be included in the next full release of SNMPc (9.0.9), scheduled for January 4, 2016.

*Updated with statement from Ipswitch and Castle Rock Computing

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.