SecureAuth Core Security today published a vulnerability disclosure in conjunction with enterprise systems monitoring software provider Opsview. The disclosure covers five vulnerabilities in the company’s Opsview Monitor product, which is a virtual appliance deployed inside an organization’s network infrastructure.
The product comes bundled with a web management console that monitors and manages both hosts and their services. “Opsview builds monitoring software that helps DevOps understand how the performance of their hybrid IT infrastructure & apps impacts business service delivery,” the advisory stated.
“Opsview Monitor supports 3500 Nagios plugins and service checks making it easy to monitor everything from Docker and VMware to Amazon Web Services, Hyper-V and more. Multiple vulnerabilities were found in the Opsview Monitor, which would allow an attacker with access to the management console to execute commands on the operating system.”
Core Security initially notified Opsview and requested GPG keys in order to send a draft advisory on May 3, 2018. After receipt of the advisory, Opsview said it was able to reproduce all of the vulnerabilities and planned to release a fix by the end of July, according to the report timeline. Opsview and Core Security continued to communicate as the company worked on the remaining fixes. Both companies agreed on the September 4, 2018, date for advisory publication.
Of the vulnerabilities found, an attacker could use two of them – reflected Cross-Site Scripting (XSS) in diagnostics and persistent XSS in the settings endpoint – to execute malicious JavaScript code in the context of a legitimate user.
The proof-of-concept (PoC) showed that “the input will be stored without any sanitization and rendered every time the /settings section is visited by the user. It's important to point out that this XSS is self-stored and it's executed only in the context of the victim's session. However, this vulnerability can be exploited by an attacker to gain persistency and execute the malicious code each time the victim accesses the settings section,” according to the advisory.
The remaining three vulnerabilities are notification abuse leading to remote command execution, rancid test connection functionality abuse leading to command execution, and script modification that could allow local privilege escalation.
Researchers Fernando Díaz and Fernando Catoira from Core Security Consulting Services discovered the vulnerabilities, and Leandro Cuozzo, a member of the Core Advisories Team, coordinated the advisory publication.