Multiple Disclosures for Multiple Network Management Systems
Posted by todb (Rapid7 Community) Dec 16, 2015.
Rapid7 recently disclosed several vulnerabilities affecting several Network Management System (NMS) products. These issues were discovered by Deral Heiland of Rapid7 and independent researcher Matthew Kienow, and reported to vendors and CERT for coordinated disclosure per Rapid7's disclosure policy. The table below shows only the affected products that Teneo supports:
| Rapid7 Identifier | CVE Identifier | Class | Vendor | Patch Status |
| --- | --- | --- | --- | --- |
| R7-2015-20.1 | CVE-2015-6027 | XSS | Castle Rock Computing | Patched December 17, 2015 |
| R7-2015-20.2 | CVE-2015-6028 | SQLi | Castle Rock Computing | Patched December 17, 2015 |
Update (Dec 17, 2015): Castle Rock Computing has released patches, available to customers at the vendor's support site.
R7-2015-20, XSS and SQLi via SNMP in Castle Rock Computing SNMPc
Summary
The Castle Rock Computing product SNMPc Enterprise and its web-based reporting/monitoring tool SNMPc OnLine are vulnerable to a persistent Cross Site Scripting (XSS) vulnerability. The XSS issues do not require any prior authentication, while the SQLi issue does require authentication as a regularly privileged user.
Credit: These issues were discovered by Deral Heiland, Principal Consultant at Rapid7's Global Services.
Products Affected
The following versions were tested and exploited successfully.
- SNMPc Enterprise Version 9
- SNMPc OnLine Version 12.1
R7-2015-20.1, Persistent XSS (CVE-2015-6027)
While examining the Castle Rock product SNMPc Enterprise and its web-based reporting/monitoring tool SNMPc OnLine, it was discovered that SNMPc OnLine was vulnerable to a persistent Cross Site Scripting (XSS) vulnerability. This vulnerability allows a malicious actor to inject persistent XSS payloads containing JavaScript into a number of fields within the product. When this data is viewed within the web console, the JavaScript code will execute within the context of the authenticated user. This will allow a malicious actor to conduct attacks which can be used to modify the system's configuration, compromise data, take control of the product or launch attacks against the authenticated user's host system.
These persistent XSS attacks were delivered to the SNMPc product by a couple of different means. In the first method, the XSS was delivered using SNMPc's discovery process. The second method of injection involved SNMP trap messages. By spoofing an SNMP trap message and altering the data within that trap message, a malicious actor could inject HTML and JavaScript code into the product.
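Persistent XSS of this kind arises when strings received over SNMP (discovery responses, trap data) are stored and later written into console pages without output encoding. The following Python is an added example, not code from SNMPc or from the Rapid7 advisory: it shows the unencoded rendering beside the encoded one, plus a check for reviewing values already stored. The field names are standard MIB-II objects chosen for illustration and are an assumption, not a statement of which SNMPc fields were affected; the sample values are constructed.

```python
import html
import re

# Constructed sample: values as a discovery poll or trap might supply them.
# Field names are standard MIB-II objects, used here for illustration only.
DEVICE = {
    "sysName": "core-sw1",
    "sysLocation": "<script>/* constructed sample */</script>",
    "sysContact": "noc@example.com",
}

# Markup-significant characters that a device name or location rarely needs.
MARKUP = re.compile(r"[<>\"'&]")


def render_row_unsafe(device):
    """'Before' form: SNMP strings are concatenated into HTML as-is."""
    cells = "".join(f"<td>{v}</td>" for v in device.values())
    return f"<tr>{cells}</tr>"


def render_row_safe(device):
    """'After' form: every SNMP string is HTML-encoded at output time."""
    cells = "".join(
        f"<td>{html.escape(str(v), quote=True)}</td>" for v in device.values()
    )
    return f"<tr>{cells}</tr>"


def suspicious_fields(device):
    """Names of fields whose stored value contains markup characters,
    for reviewing data collected before a fix was applied."""
    return sorted(k for k, v in device.items() if MARKUP.search(str(v)))


if __name__ == "__main__":
    print(render_row_unsafe(DEVICE))   # markup reaches the page intact
    print(render_row_safe(DEVICE))     # markup is rendered as inert text
    print(suspicious_fields(DEVICE))   # fields worth a manual look
```

Encoding at output time covers every ingestion path at once, which matters here because the data arrives unauthenticated from the network rather than through a web form.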
SNMPc OnLine Security Vulnerability Patch
Posted: 2015-12-17 11:36
The following information is from the Castle Rock Support Site.
A security vulnerability was discovered in SNMPc OnLine versions 12.1.7 and below. You should update to the latest version of SNMPc (SNMPc 9.0.8 / OnLine 12.1.7), then install the fix posted in the Software Download area of the helpdesk.
To apply the patches, unzip the attachment to the "SNMPcOnLine\pub" directory, overwriting the original files. This fix will be included in the next release.
Keep up to date with the latest news
We will be keeping up to date with all the latest information and updates, so please get in touch with any questions or concerns at support@teneo.net