XSS, SQLi bugs found in several Network Management Systems

Network Management System (NMS) offerings by Spiceworks, Ipswitch, Opsview and Castle Rock Computing have been found to contain several cross-site scripting and SQL injection flaws that could be exploited to extract information stored in databases and perform arbitrary code execution within the context of the authenticated user (and set the stage for other attacks).

Network Management Systems come either in the form of a desktop application or a web portal, and are used by network admins to collect information about the various devices on their networks, so they can keep an eye on what’s happening from one central location.

Needless to say, these applications have a privileged position on an enterprise network, and their compromise can allow attackers to carry out additional attacks more easily and potentially access assets that are more difficult to breach.

Deral Heiland of Rapid7 and independent researcher Matthew Kienow discovered a total of six flaws affecting four NMSs, and have provided more details first to the vendors and CERT, and then to the public.

Known affected products are:

  • Spiceworks Desktop (v7.3.00065, 7.3.00076, and 7.4.00075)
  • Ipswitch WhatsUpGold (v16.2.6 and 16.3.1)
  • Opsview (v4.6.3)
  • Castle Rock Computing SNMPc Enterprise (v9) and SNMPc OnLine (v12.1)

Earlier versions of some of these products could also be affected, the researchers noted.

Spiceworks and Opsview have already provided patches for their software, and Ipswitch has planned the release of the patches for yesterday (December 16), although I haven’t been able to find them on the company site. Castle Rock Computing has yet to reply to the researchers’ notification.