High-end NMS products affected by several security issues

Sep 9, 2016 23:40 GMT

You know you did your job as a security researcher when on the same day you release a vulnerability report, traffic all over the Internet spikes on a certain port.

This is what happened on September 7, when Rapid7 researchers Tod Beardsley and Deral Heiland, together with independent researcher Matthew Kienow, released a comprehensive report about a series of vulnerabilities affecting several high-end NMS (Network Management System) products.

For the uninitiated, NMSs are software and hardware applications used on large IT infrastructures as a way to query, centralize and manage information about devices (PCs, servers, switches, routers, printers, firewalls, etc.) connected to a specific network.

NMS products work on top of SNMP (Simple Network Management Protocol), which they use to gather information and send out commands.

To make these products more user-friendly, vendors provide a built-in GUI, usually accessible via a local URL, as a self-hosted Web application, or as a standalone desktop app.

Rapid7 report included 13 easy-to-exploit issues

The Rapid7 team has identified, reported, and helped fix 13 issues in several NMS products. Six of these issues were disclosed in December 2015, but the rest were unveiled this past week.

Affected products include Spiceworks Desktop, Ipswitch WhatsUp Gold, Castle Rock SNMPc, ManageEngine OpUtils, CloudView NMS, Paessler PRTG, Opmantek NMIS, Netikus EventSentry, and Opsview Monitor.

The researchers found several of these products vulnerable to simple XSS attacks, in which the attacker hides malicious code in malformed SNMP packets and that code executes when it is interpreted inside the NMS software. Additionally, some appliances were vulnerable to format string and command injection exploits.
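The XSS class described above arises when strings returned over SNMP are written into the management GUI as if they were trusted. The following is an added example, not code from the Rapid7 report or from any affected product: it renders a constructed device record with and without output encoding and checks which markup a parser actually sees. The field names, the row template, and the sample values are assumptions made for the illustration.

```python
import html
from html.parser import HTMLParser

# Constructed sample (not from the report): system-group values as a poller
# might store them after an SNMP GET. Field names here are assumptions.
POLLED_DEVICE = {
    "address": "192.0.2.10",
    "sysName": "core-sw-01<script>alert(1)</script>",
    "sysLocation": 'rack 4" onmouseover="alert(1)',
    "sysDescr": "Example Switch OS 1.0",
}

def render_row_unsafe(dev):
    """Before: device-supplied strings are concatenated into markup as-is."""
    return ('<tr title="%s"><td>%s</td><td>%s</td><td>%s</td></tr>'
            % (dev["sysLocation"], dev["address"], dev["sysName"], dev["sysDescr"]))

def render_row_safe(dev):
    """After: every SNMP-derived value is HTML-encoded when it is written out."""
    enc = {k: html.escape(str(v), quote=True) for k, v in dev.items()}
    return ('<tr title="%s"><td>%s</td><td>%s</td><td>%s</td></tr>'
            % (enc["sysLocation"], enc["address"], enc["sysName"], enc["sysDescr"]))

class _Markup(HTMLParser):
    """Records the elements and attribute names an HTML parser sees."""
    def __init__(self):
        super().__init__()
        self.tags, self.attrs = [], []
    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.attrs.extend(name for name, _ in attrs)

def parsed_markup(row):
    """Return (tags, attribute names) found in a rendered row."""
    p = _Markup()
    p.feed(row)
    p.close()
    return p.tags, p.attrs

def unexpected_markup(row, tags=("tr", "td"), attrs=("title",)):
    """Regression check: anything outside the template's own markup is a finding."""
    seen_tags, seen_attrs = parsed_markup(row)
    return sorted({t for t in seen_tags if t not in tags} |
                  {a for a in seen_attrs if a not in attrs})

if __name__ == "__main__":
    print("unsafe:", unexpected_markup(render_row_unsafe(POLLED_DEVICE)))
    print("safe:  ", unexpected_markup(render_row_safe(POLLED_DEVICE)))
```

The same check can run in a test suite against every template that displays polled values, so that a new view which forgets the encoding step fails before release.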

Two days after Rapid7 released their report, Kevin Shortt from Internet Storm Center (ISC) detected a spike in activity for port 161, used by SNMP, on their honeypot servers.

Threat actors were no doubt probing for NMS equipment exposed online that they could exploit.

Port 161 activity on ISC honeypot server