ASB-2009.1172.3 - UPDATE [Appliance] APC NMC based products: Multiple vulnerabilities

Date: 22 March 2010
Related Files: ASB-2009.1172   ASB-2009.1172.2  

===========================================================================
                         AUSCERT Security Bulletin

                              ASB-2009.1172.3
 Cross Site Scripting & Forgery Issue (XSS/CSRF) in APC NMC-Based Products
                               22 March 2010

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:          APC NMC based products
Operating System: Network Appliance
Impact/Access:    Cross-site Scripting       -- Existing Account
                  Cross-site Request Forgery -- Existing Account
Resolution:       Patch/Upgrade
CVE Names:        CVE-2009-1798 CVE-2009-1797 

Revision History: March    22 2010: Added details of firmware updates to 
                                    correct these vulnerabilities.
                  December 31 2009: Updated CVE reference
                  December 30 2009: Initial Release

OVERVIEW

        APC (American Power Conversion) have confirmed that their Network 
        Management Card products are vulnerable to multiple Cross Site 
        Scripting and Cross Site Request Forgery vulnerabilities.


IMPACT

        The vendor has provided the following details regarding these
        flaws:
        
        "As reported, the NMC is vulnerable to Cross Site Scripting (XSS) 
        and Cross Site Request Forgery (CSRF) attacks. As such, authentication 
        credentials for the NMC device can be created and transmitted to a 
        NMC device by an unauthorized 3rd party, or a malicious internal 
        user, in the context of an authenticated user's browser session:
        
        (1) Is allowed to execute a malicious script onto a computer by 
            deceiving (social engineering) an operator of such a computer;
        
        (2) Which is not located on a private network, or network secured 
            in any way (e.g. behind a firewall);
        
        (3) By an authorized user of that computer to operate programs on it 
            such as Internet Explorer, or Firefox;
        
        (4) Who has the proper credentials for installing and executing 
            such programs on the computer itself;
        
        (5) Who has proper credentials to access the NMC device as an 
            "administrator" or "device" user;
        
        (6) Who then executes and injects, or, executes or injects such a 
            malicious script;
        
        (7) While a session of the NMC is open and active.
        
        If all of these steps are followed, and the target NMC is on an open 
        network (i.e. not secured on a private network, or behind any type of 
        firewall), a 3rd party user or malicious internal user will then have 
        the ability to contact the target NMC device, forge credentials to 
        the device and access the device as an authorized user." [1]


MITIGATION

        The vendor has provided the following mitigation strategy:
        
        "As XSS vulnerabilities base themselves in web applications, disabling 
        the web interface on the NMC will eliminate the possibility of such 
        vulnerability from occurring. Other interface methods such as Telnet, 
        CLI, SNMP, and serial connections are unaffected by this issue. 
        Note the web interface can be disabled via the config.ini or via any 
        other interface on the NMC itself.
        
        Placement of NMC devices on a private or secure network (e.g. behind a 
        firewall) will eliminate the vulnerability of the NMC devices as the 
        unauthorized 3rd party user will not have access through a firewall to 
        reach the target NMC device.
        
        For those who choose to accept the risk of not disabling the web 
        interface, as this vulnerability requires access to the network the 
        devices are connected to, good physical and network security to 
        restrict access to the network itself will significantly limit any 
        opportunity to attempt this narrow vulnerability. Additionally, use of 
        industry standard security practices such as administrator access to 
        computers and operations of security scanners, firewalls and other 
        accepted, commercially available solutions for computer security will 
        further mitigate the issue." [1]
        
        ***Update***
        
        The vendor has released updated firmware to correct these 
        vulnerabilities. As stated in their release notes [2], firmware 
        version 3.7.2 addresses the vulnerabilities for certain NMCs. 
        Firmware version 5.1.1 also reportedly [3] addresses these 
        vulnerabilities. Users can get the updated firmware from the vendor's 
        download page [4].
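        As an added example (not AusCERT's or APC's code), the following 
        Python script applies the mitigations above to an asset inventory 
        and reports which NMCs still expose the web interface on firmware 
        older than the fixed releases. The inventory records and the mapping 
        of firmware branches to fixed releases are constructed assumptions; 
        branches the bulletin does not name are sent for manual review.

```python
"""Triage helper for ASB-2009.1172.3 (APC NMC XSS/CSRF). Added example, not
AusCERT or APC code; applies the bulletin's mitigations to an NMC inventory."""
from dataclasses import dataclass

# Fixed releases named in the bulletin. Mapping each major branch to one
# fix is an assumption; unlisted branches go to manual review, not "ok".
FIXED_VERSIONS = {3: (3, 7, 2), 5: (5, 1, 1)}

@dataclass
class Device:
    name: str
    firmware: str          # e.g. "3.5.9" or "v5.1.1"
    web_enabled: bool      # HTTP/HTTPS management interface enabled
    private_network: bool  # reachable only from a firewalled network

def parse_version(text):
    """Turn '3.7.2' or 'v5.1.1' into a tuple of ints for comparison."""
    return tuple(int(p) for p in text.strip().lstrip("vV").split("."))

def assess(dev):
    """Return (status, reason); status is ok, mitigated, vulnerable or review."""
    if not dev.web_enabled:
        return "ok", "web interface disabled; other interfaces are unaffected"
    ver = parse_version(dev.firmware)
    fixed = FIXED_VERSIONS.get(ver[0])
    if fixed is None:
        return "review", f"firmware branch {ver[0]}.x is not covered by the bulletin"
    if ver >= fixed:
        return "ok", f"firmware {dev.firmware} is at or above the fixed release"
    if dev.private_network:
        return "mitigated", "unpatched, but only reachable from a protected network"
    return "vulnerable", f"web interface exposed and firmware {dev.firmware} predates the fix"

def triage(inventory):
    """Group device names by status so the exposed ones stand out."""
    report = {}
    for dev in inventory:
        report.setdefault(assess(dev)[0], []).append(dev.name)
    return report

# Constructed sample inventory; names and versions are illustrative only.
SAMPLE = [
    Device("ups-dc1", "3.5.9", True, False),      # exposed and unpatched
    Device("ups-dc2", "3.7.2", True, False),      # at the fixed release
    Device("pdu-lab", "5.0.2", True, True),       # unpatched, firewalled
    Device("ups-remote", "5.0.0", False, False),  # web interface off
    Device("pdu-legacy", "2.6.4", True, False),   # branch not in bulletin
]
```

        Call triage(SAMPLE) to get the device names grouped by status; the 
        "review" group is the one to check against the vendor's release notes.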


REFERENCES

        [1] Cross Site Scripting & Forgery Issue (XSS/CSRF) in NMC-Based
            Products
            http://nam-en.apc.com/cgi-bin/nam_en.cfg/php/enduser/std_adp.php?p_faqid=10887

        [2] Release Notes
            http://www.apcmedia.com/salestools/PMAR-82BMH5_R0_EN.zip

        [3] Vulnerability Note VU#166739
            http://www.kb.cert.org/vuls/id/166739

        [4] APC Software / Firmware
            http://www.apc.com/tools/download/index.cfm

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================