Multiple Vulnerabilities Addressed in Opsview Monitor
6.9.18 securityweek Vulnerebility
Opsview recently addressed a series of remote code-execution, command-execution and local privilege-escalation vulnerabilities in the Opsview Monitor.
A proprietary monitoring application for networks and applications, Opsview Monitor “helps DevOps teams deliver smarter business services by providing unified insight into their dynamic IT operations whether on-premises, in the cloud, or hybrid,” the company says.
The software is impacted by five vulnerabilities that could provide attackers with the ability to access the management console and execute commands on the operating system.
Discovered by Core Security researchers earlier this year, the bugs were confirmed to impact all supported versions of Opsview Monitor (5.4, 5.3 and 5.2). In addition to patches (the 5.4.2 and 5.3.1 updates) for the affected versions, Opsview also released a new product iteration that removed the issues from the start.
A virtual appliance deployed inside the organization's network infrastructure, Opsview Monitor is bundled with a Web Management Console that allows for the monitoring and management of hosts and their services.
The first two issues found in the appliance could be abused to execute malicious JavaScript code in the context of a legitimate user. These are CVE-18-16148, a reflected Cross-Site Scripting (XSS) in the 'diagnosticsb2ksy' parameter of the '/rest' endpoint, and CVE-18-16147, a persistent XSS in the 'data' parameter of the '/settings/api/router' endpoint.
“The input will be stored without any sanitization and rendered every time the /settings section is visited by the user. […] this XSS is self-stored and it's executed only in the context of the victim's session. [The] vulnerability can be exploited by an attacker to gain persistency and execute the malicious code each time the victim accesses to the settings section,” Core Security explains.
Two other vulnerabilities could allow an attacker to obtain command execution on the system as the nagios user. Tracked as CVE-18-16146 and CVE-18-16144, both of these are improper sanitization bugs.
Tracked as CVE-18-16145, the fifth vulnerability could lead to local privilege escalation. An attacker could edit a specific part of a script to execute code once the appliance is rebooted (at boot, scripts impersonate the nagios user during their execution).
The bugs were reported to Opsview in early May and were confirmed within a week. The company released Opsview Monitor 6.0 at the end of July and pushed fixes for previous software iteration last week.