XSS, SQLi Flaws Found in Network Management Systems

Researchers have identified several vulnerabilities in the network management system (NMS) products offered by various companies.

NMS solutions are designed to allow IT teams to discover and monitor devices on a network and track a network’s performance. Deral Heiland of Rapid7 and independent researcher Matthew Kienow discovered SQL injection and cross-site scripting (XSS) vulnerabilities in NMS products from Spiceworks, Ipswitch, Castle Rock Computing and Opsview.

According to Rapid7, the web application in Spiceworks Desktop is plagued by a persistent XSS vulnerability (CVE-2015-6021) that can be exploited by an unauthenticated attacker who has access to the network segment scanned by the product. The security hole affects versions 7.3.00065, 7.3.00076 and 7.4.00075.

An attacker can set up a malicious host that uses a Simple Network Management Protocol (SNMP) agent containing an XSS payload. The malicious code is executed when the attacker’s host is scanned and when the victim visits certain pages in the web interface.

The flaw was reported to Spiceworks on September 1 and it was patched on December 1 with the release of version 7.5. The vendor says it’s not aware of any exploits for the vulnerability.

The WhatsUp Gold NMS product from Ipswitch is plagued by both stored XSS (CVE-2015-6004) and SQL injection (CVE-2015-6005) vulnerabilities.

The XSS vulnerability can be exploited by an unauthenticated attacker via SNMP during the product’s network device discovery process. The malicious code gets executed when the user views the malicious device in the web interface’s discovery console.

An unauthenticated attacker can also execute arbitrary HTML and JavaScript code by injecting it into a spoofed SNMP trap message. The code is executed when the victim views the trap information in the dashboard.

The SQL injection vulnerability in Ipswitch WhatsUp Gold can be exploited by an authenticated attacker to extract information from the database.

The vulnerabilities, which affect versions 16.3.1 and earlier, were reported by Rapid7 on September 1 and were patched on December 16 with the release of WhatsUp Gold 16.4.1. Ipswitch was first contacted about the SQL injection issue in mid-July after Owen Shearing of 7Safe reported the flaw to CERT/CC.

“At Ipswitch, we take the security of our products very seriously. As soon as the vulnerability was detected, Ipswitch developed a fix which was released on December 16 and is now available to all customers through the customer portal,” Ipswitch representatives told SecurityWeek.

A persistent XSS vulnerability (CVE-2015-6035) that can be exploited via malicious SNMP traps has also been found in Opsview. Researchers also discovered a reflected XSS vulnerability in Opsview’s NMS product.

The flaws affect versions 4.6.3 and earlier. The security holes were fixed on November 6 with the release of Opsview 4.5.4 and 4.6.4, which address several other XSS flaws as well.

XSS and SQL injection bugs were also found in Castle Rock Computing’s SNMPc Enterprise product and its associated SNMPc OnLine reporting and monitoring tool.

The persistent XSS (CVE-2015-6027) can be exploited by an unauthenticated attacker to execute arbitrary JavaScript code in the product’s web console. Just like in the case of Ipswitch WhatsUp Gold, the malicious code can be delivered during the device discovery process or via SNMP trap messages.
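The stored XSS pattern described above for Spiceworks Desktop, WhatsUp Gold and SNMPc is the same in each case: a string supplied by an SNMP agent or trap (sysName, sysDescr, a trap varbind) is written into the management console's HTML without encoding. The following added Python example is not code from any of the affected products or from the Rapid7 advisories; it assumes a console that builds a device table from stored discovery records. The device records, field names and the `flag_markup` heuristic are constructed for the example. It shows the vulnerable rendering beside the hardened one, and a simple check a defender can run over stored discovery data or trap logs to spot SNMP fields that carry markup.

```python
import html
import re

# Constructed sample data: what an NMS discovery scan might store for two
# devices. The second sysDescr carries HTML markup, the kind of value the
# article says the affected consoles rendered unescaped.
DISCOVERED_DEVICES = [
    {"ip": "192.0.2.10", "sysName": "core-sw-01",
     "sysDescr": "Example Switch OS 4.2, build 118"},
    {"ip": "192.0.2.99", "sysName": "printer-3",
     "sysDescr": "<script>alert('sysDescr')</script>"},
]


def render_row_unsafe(device):
    """Vulnerable pattern: SNMP-supplied strings are concatenated straight
    into the HTML of the discovery console, so markup in sysDescr becomes
    part of the page and runs in the operator's browser."""
    return "<tr><td>%s</td><td>%s</td><td>%s</td></tr>" % (
        device["ip"], device["sysName"], device["sysDescr"])


def render_row_safe(device):
    """Hardened pattern: every untrusted value is HTML-escaped at output
    time. quote=True also escapes quotes, so the same helper is safe for
    values placed inside attributes."""
    def esc(value):
        return html.escape(str(value), quote=True)

    return "<tr><td>%s</td><td>%s</td><td>%s</td></tr>" % (
        esc(device["ip"]), esc(device["sysName"]), esc(device["sysDescr"]))


# Characters that are meaningful to an HTML parser and have no business in a
# sysName/sysDescr/trap varbind. A match is a detection signal worth a look,
# not proof of exploitation (hypothetical heuristic, tuned for the example).
_MARKUP = re.compile(r"[<>\"']|&#|javascript:", re.IGNORECASE)


def flag_markup(devices, fields=("sysName", "sysDescr")):
    """Return (ip, field, value) for every SNMP field containing markup."""
    hits = []
    for device in devices:
        for field in fields:
            value = device.get(field, "")
            if _MARKUP.search(value):
                hits.append((device["ip"], field, value))
    return hits


if __name__ == "__main__":
    for device in DISCOVERED_DEVICES:
        print(render_row_safe(device))
    for ip, field, value in flag_markup(DISCOVERED_DEVICES):
        print(f"ALERT {ip} {field} contains markup: {value!r}")
```

The fix belongs at the output boundary (or in a templating engine that escapes by default), not in the SNMP collector: the same stored string may be rendered in several views, and a trap message can reach the dashboard through a different code path than a discovery record.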

The SQL injection vulnerability (CVE-2015-6028) can be leveraged by an authenticated attacker to extract information from the application database. Rapid7 has pointed out that the SQL injections found in these NMS products can easily be exploited with open source tools such as sqlmap.
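The SQL injection flaws in WhatsUp Gold and SNMPc OnLine are described only at the level of "an authenticated user can extract information from the database", and the article does not name the affected queries. The following added Python example is not code from either product; it assumes a device-search feature backed by a SQL database (SQLite in memory here, with a constructed `devices` table) and shows why a query built by string formatting is exploitable with nothing more than a crafted search term, beside the parameterized form that is not.

```python
import sqlite3

# Constructed sample schema and rows standing in for an NMS device inventory.
_SCHEMA = """
CREATE TABLE devices (ip TEXT, sysName TEXT, community TEXT);
INSERT INTO devices VALUES ('192.0.2.10', 'core-sw-01', 'public');
INSERT INTO devices VALUES ('192.0.2.11', 'edge-rtr-02', 'public');
"""


def open_inventory():
    """Return an in-memory SQLite connection loaded with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(_SCHEMA)
    return conn


def search_devices_unsafe(conn, name):
    """Vulnerable pattern: the user-supplied search term is formatted into
    the SQL text, so quote characters in it change the query's structure.
    This is the class of defect automated tools find and exploit."""
    sql = "SELECT ip, sysName FROM devices WHERE sysName = '%s'" % name
    return conn.execute(sql).fetchall()


def search_devices_safe(conn, name):
    """Hardened pattern: the term is bound as a parameter. The database
    driver sends it as data, so it can only ever match a sysName literally."""
    sql = "SELECT ip, sysName FROM devices WHERE sysName = ?"
    return conn.execute(sql, (name,)).fetchall()


if __name__ == "__main__":
    conn = open_inventory()
    # A legitimate search behaves the same in both versions.
    print(search_devices_unsafe(conn, "core-sw-01"))
    print(search_devices_safe(conn, "core-sw-01"))
    # A term containing a quote returns every row from the unsafe version
    # and nothing from the safe one (constructed input for demonstration).
    crafted = "x' OR '1'='1"
    print(search_devices_unsafe(conn, crafted))
    print(search_devices_safe(conn, crafted))
```

Parameterized queries (or an ORM that uses them) remove the whole bug class; input filtering on its own does not, because the set of characters that matter depends on the database and the position in the query. An authenticated-only flaw is still worth prompt patching in an NMS: its database typically holds SNMP community strings and device credentials for the entire network.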

Castle Rock Computing representatives told SecurityWeek that the vulnerabilities have been confirmed and addressed by the company’s engineering team. Patches were posted to the company’s help desk on December 17, and the fixes will also be included in the next full release of SNMPc (9.0.9), which is scheduled for release on January 4, 2016.

*Updated with statements from Ipswitch and Castle Rock Computing.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
