For quite a while now, Rapid7 researchers Tod Beardsley and Deral Heiland have been looking for vulnerabilities in various Network Management Systems (NMSs).
With the help of independent researcher Matthew Kienow, they found over a dozen vulnerabilities affecting nine different NMS products: Castle Rock SMNPc, CloudView NMS, Ipswitch WhatsUp Gold, ManageEngine OpUtils, Netikus EventSentry, Opmantek NMIS, Opsview Monitor, Paessler PRTG, and Spiceworks Desktop.
What are Network Management Systems?
Network Management Systems are used for discovering, managing and monitoring various devices on a network (e.g. routers, switches, desktops, printers, etc.). They usually use the Simple Network Management Protocol (SNMP) to format and exchange management messages, and it’s exactly through this protocol that these systems can be attacked.
“These systems are attractive targets for attackers looking to learn more about new environments. A compromised NMS can serve as a treasure map, leading attackers to the most valuable — and perhaps non-obvious — targets, such as the printer that is responsible for payroll runs, or HR’s central server containing personally identifiable information on the employee base,” the researchers noted.
“Besides, why spend time and risk detection by scanning the network from a compromised system controlled by the attacker, when one could just piggyback on a working NMS that’s already designed to monitor the entire network population?”
The vulnerabilities they found can all be exploited through three distinct attack vectors:
- XSS attacks over SNMP agent-provided data
- XSS attacks over SNMP trap alert messages (which are sent by SNMP agents to notify the network manager of any status change)
- Format string processing on the NMS web management console (practically all modern NMSs are managed through them).
The first type of attack can be mounted by introducing a new device on the network. The NMS “discovers” it, and identifies it via SNMP data supplied by it. This data is displayed in the systems’ web-based console and can trigger an XSS attack. This type of attack requires a local attacker to be able to add a malicious device to the network.
The second type can be mounted by injecting Flash into easily spoofed SNMP trap messages that will be delivered to the management console, allowing an XSS attack string to be embedded in it. The attacker must occupy a position on the network.
The third one can also be launched via spoofed and specially crafted trap alert messages.
For more details about each of the vulnerabilities, consult this blog post.
The good news is that all the found flaws have already been patched, and users of the aforementioned products can download security updates with the fixes.