===========================================================================
             AUSCERT Security Bulletin ASB-2009.1172.2
  Cross Site Scripting & Forgery Issue (XSS/CSRF) in APC NMC-Based Products
                            31 December 2009
===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              APC NMC based products
Operating System:     Network Appliance
Impact/Access:        Cross-site Scripting        -- Existing Account
                      Cross-site Request Forgery  -- Existing Account
Resolution:           Mitigation
CVE Names:            CVE-2009-1798 CVE-2009-1797
Member content until: Friday, January 29 2010

Revision History:     December 31 2009: Updated CVE reference
                      December 30 2009: Initial Release

OVERVIEW

        APC (American Power Conversion) have confirmed that their Network
        Management Card products are vulnerable to multiple Cross Site
        Scripting and Cross Site Request Forgery vulnerabilities.

IMPACT

        The vendor has provided the following details regarding these
        flaws:

        "As reported, the NMC is vulnerable to Cross Site Scripting (XSS)
        and Cross Site Request Forgery (CSRF) attacks. As such,
        authentication credentials for the NMC device can be created and
        transmitted to an NMC device by an unauthorized 3rd party, or a
        malicious internal user, in the context of an authenticated user's
        browser session:

        (1) Is allowed to execute a malicious script onto a computer by
            deceiving (social engineering) an operator of such a computer;
        (2) Which is not located on a private network, or network secured
            in any way (e.g. behind a firewall);
        (3) By an authorized user of that computer to operate programs on
            it such as Internet Explorer, or Firefox;
        (4) Who has the proper credentials for installing and executing
            such programs on the computer itself;
        (5) Who has proper credentials to access the NMC device as an
            "administrator" or "device" user;
        (6) Who then executes and injects, or, executes or injects such a
            malicious script;
        (7) While a session of the NMC is open and active.

        If all of these steps are followed, and the target NMC is on an
        open network (i.e. not secured on a private network, or behind any
        type of firewall), a 3rd party user or malicious internal user will
        then have the ability to contact the target NMC device, forge
        credentials to the device and access the device as an authorized
        user." [1]

MITIGATION

        The vendor has provided the following mitigation strategy:

        "As XSS vulnerabilities base themselves in web applications,
        disabling the web interface on the NMC will eliminate the
        possibility of such vulnerability from occurring. Other interface
        methods such as Telnet, CLI, SNMP, and serial connections are
        unaffected by this issue. Note the web interface can be disabled
        via the config.ini or via any other interface on the NMC itself.

        Placement of NMC devices on a private or secure network (e.g.
        behind a firewall) will eliminate the vulnerability of the NMC
        devices as the unauthorized 3rd party user will not have access
        through a firewall to reach the target NMC device.

        For those who choose to accept the risk of not disabling the web
        interface, as this vulnerability requires access to the network
        the devices are connected to, good physical and network security
        to restrict access to the network itself will significantly limit
        any opportunity to attempt this narrow vulnerability.

        Additionally, use of industry standard security practices such as
        administrator access to computers and operations of security
        scanners, firewalls and other accepted, commercially available
        solutions for computer security will further mitigate the
        issue." [1]

REFERENCES

        [1] Cross Site Scripting & Forgery Issue (XSS/CSRF) in NMC-Based
            Products
            http://nam-en.apc.com/cgi-bin/nam_en.cfg/php/enduser/std_adp.php?p_faqid=10887

        [2] Vulnerability Summary for CVE-2009-1798
            http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1798

        [3] Vulnerability Summary for CVE-2009-1797
            http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1797

AusCERT has made every effort to ensure that the information contained in
this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision
to follow or act on information or advice contained in this security
bulletin is the responsibility of each user or organisation, and should be
considered in accordance with your organisation's site policies and
procedures. AusCERT takes no responsibility for consequences which may
arise from following or acting on information or advice contained in this
security bulletin.

If you believe that your computer system has been compromised or attacked
in any way, we encourage you to let us know by completing the secure
National IT Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================