SecureAuth Core Security today published a vulnerability disclosure in conjunction with enterprise systems monitoring software provider Opsview. The disclosure covers five vulnerabilities in the company’s Opsview Monitor product, which is a virtual appliance deployed inside an organization’s network infrastructure.

The product comes bundled with a web management console that monitors and manages both hosts and their services. “Opsview builds monitoring software that helps DevOps understand how the performance of their hybrid IT infrastructure & apps impacts business service delivery,” the advisory said. “Opsview Monitor supports 3500 Nagios plugins and service checks making it easy to monitor everything from Docker and VMware to Amazon Web Services, Hyper-V and more. Multiple vulnerabilities were found in the Opsview Monitor, which would allow an attacker with access to the management console to execute commands on the operating system.”

Core Security initially notified Opsview and requested GPG keys in order to send a draft advisory on May 3, 2018. After receipt of the advisory, Opsview said it was able to reproduce all of the vulnerabilities and planned to release a fix by the end of July, according to the report timeline. Opsview and Core Security continued to communicate as the company worked on the remaining fixes. Both companies agreed on the September 4, 2018, date for advisory publication.

Of the vulnerabilities found, an attacker could use two of them – reflected Cross-Site Scripting (XSS) in diagnostics and persistent XSS in the settings endpoint – to execute malicious JavaScript code in the context of a legitimate user.

The proof-of-concept (PoC) showed that “the input will be stored without any sanitization and rendered every time the /settings section is visited by the user. It's important to point out that this XSS is self-stored and it's executed only in the context of the victim's session. However, this vulnerability can be exploited by an attacker to gain persistency and execute the malicious code each time the victim accesses the settings section,” according to the advisory.

The remaining three vulnerabilities include notification abuse leading to remote command execution, Rancid test connection functionality abuse leading to command execution, and script modification that could allow local privilege escalation.