Payroll printer, HR’s server – wahey… jackpot!
Network Management Systems are far more easily attacked than previously reckoned, according to new research by Rapid7.
The firm behind the popular Metasploit penetration testing tool warns that vulnerabilities in systems used to manage network elements (routers, servers, printers and more) offers attackers a “treasure map” of valuable – and perhaps non-obvious – enterprise targets, such as the printer that is responsible for payroll runs, or HR’s central server containing personally identifiable information on the employee base.

The new research from Rapid7 explores how it is often possible to attack various types of network management system (NMS) over the Simple Network Management Protocol (SNMP), a protocol used extensively by NMSes to manage and monitor a wide variety of networked devices.

Three distinct attack vectors are explored:
Passively injecting Cross-Site Scripting (XSS) attacks over SNMP agent-provided data, which is passed unprocessed from the SNMP server service and rendered on an NMS web-based administration console.
Actively injecting XSS attacks over SNMP trap alert messages, intended for NMS consoles.
Format string processing on the NMS web management console, when format strings passed unprocessed from SNMP agent-provided data.
The prevalence of the flaws is partly explained because Machine-to-machine communications “often escape the scrutiny afforded to more typical user-to-machine communication”, according to Deral Heiland, research lead at Rapid7.
Varied failures to inspect resulted in exposing NMS web-based administration consoles to persistent XSS and a format string exploit.
Rapid7’s research team uncovered 13 vulnerabilities across products from nine different vendors, all of which came as a result of a lack of validation of machine-provided input.

All nine of the vendors were notified of these issues by Rapid7 well before the publication of paper on the research on Wednesday. Products accessed included Castle Rock SMNPc, CloudView NMS, Ipswitch WhatsUp Gold, ManageEngine OpUtils, Netikus EventSentry, Opmantek NMIS, Opsview Monitor, Paessler PRTG and Spiceworks Desktop.
Users of these products are urged to ensure they are running the latest versions of the software. ®

Leave a Reply