Many network management systems used to discover and monitor desktops, servers, printers, and other network-connected equipment such as routers and switches are vulnerable to attacks via the Simple Network Management Protocol (SNMP).
Security vendor Rapid7 says it discovered the issue when researching how attackers could leverage SNMP to target systems that rely heavily on the protocol. It decided to look at network management systems because of how attractive such systems are to attackers looking to scope a target network, and because of how extensively network management software and hardware use SNMP to manage and monitor network devices.
The exercise led to Rapid7 finding a total of 13 vulnerabilities in network management products from nine vendors that would have let adversaries carry out sustained cross-site scripting attacks over SNMP. The nine vendors are Spiceworks, Ipswitch, Castle Rock, ManageEngine, CloudView, Paessler, Opmantek, Opsview, and Netikus. The new report consolidates the findings of Rapid7's previous research on the topic.
All of the vulnerabilities resulted from a failure to validate machine-provided input, Rapid7 said in the report. “Machine-to-machine communications often escape the scrutiny afforded to more typical user-to-machine communication,” the authors of the report noted. In this case, the oversight exposed the web-based administration consoles of the systems from the nine vendors to persistent XSS attacks and a format string exploit, Rapid7 said.
All nine vendors were notified of the issue and the vulnerabilities have subsequently been patched.
Most modern network management systems are managed via web-based interfaces, use SNMP by default to track and manage systems, and can be configured to automatically receive device SNMP data or "traps" from systems on the network.
From an attacker’s standpoint, network management systems provide an ideal target because they maintain information in near real-time about the network components they manage. Such systems can point attackers to the most valuable targets on a network, including less-obvious ones like a printer doing payroll runs, or an HR server with personally identifiable information on employees, Rapid7 said.
One problem is that most network management systems implicitly trust data received from any new device on the network during the discovery process, without properly validating the input before processing it. This gives attackers a way to plant a rogue device on the network, wait for it to be discovered by the network management system (NMS), and then use the rogue device to deliver a persistent XSS payload. Since network management systems are frequently monitored, most XSS payloads will get triggered fairly quickly, the security researchers at Rapid7 said.
Typically, XSS attacks involve the use of HTTP requests to the targeted web application. In this case, the researchers showed how the SNMP protocol could be used just as effectively to enable relatively easy attacks on network management systems.
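The missing control is treating SNMP-supplied strings as untrusted input. The following is an added example, not code from the Rapid7 report or any of the named products; it contrasts a console that concatenates device values into HTML with one that bounds them on ingestion and encodes them on output. The function names, the sample device values and the use of `sysName`/`sysDescr` as the affected fields are assumptions made for illustration.

```python
import html
import re

# DisplayString (RFC 1213): printable ASCII, at most 255 characters.
MAX_LEN = 255
_NON_PRINTABLE = re.compile(r"[^\x20-\x7e]")


def normalize_snmp_string(raw: bytes) -> str:
    """Decode a device-supplied OCTET STRING into bounded, printable text."""
    text = raw[:MAX_LEN].decode("ascii", errors="replace")
    return _NON_PRINTABLE.sub("?", text)


def render_row_unsafe(sys_name: str, sys_descr: str) -> str:
    """The flaw class described above: device data concatenated into HTML."""
    return "<tr><td>" + sys_name + "</td><td>" + sys_descr + "</td></tr>"


def render_row_safe(sys_name: str, sys_descr: str) -> str:
    """Encode at the output boundary so device data is always inert text."""
    cells = (html.escape(v, quote=True) for v in (sys_name, sys_descr))
    return "<tr>" + "".join(f"<td>{c}</td>" for c in cells) + "</tr>"


# Constructed sample: values a discovered device might return for
# sysName.0 and sysDescr.0 (hypothetical, not taken from the report).
SAMPLE_DEVICE = {
    "sysName": b"printer-3f<script>alert(1)</script>",
    "sysDescr": b"Acme LaserJet\x00\x1b[2J fw 1.2",
}


def demo():
    """Return (unsafe_html, safe_html) for the constructed sample device."""
    name = normalize_snmp_string(SAMPLE_DEVICE["sysName"])
    descr = normalize_snmp_string(SAMPLE_DEVICE["sysDescr"])
    return render_row_unsafe(name, descr), render_row_safe(name, descr)


if __name__ == "__main__":
    for row in demo():
        print(row)
```

Normalizing on ingestion limits what gets stored, but the output encoding is what stops the stored value from executing in an administrator's browser, so it belongs in every view that displays device data.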
For the attacks described by the researchers in the paper, an adversary would need a way to plant a rogue device on the network. The device can be a small, easy-to-hide device such as a Raspberry Pi or a BeagleBone, which are easy to drop in a conference room, behind a printer or under a desk, and go completely unnoticed, says Deral Heiland, research lead at Rapid7 and lead author of the report.
“During pen testing [and] red team exercises we have done exactly that,” he says.
“Physical access to the network to drop a rogue device would make it possible to leverage the device discovery attack we discussed in our paper,” he says. “It is also possible if a networked system is compromised via some remote method to reconfigure the device’s SNMP setting with attack code, so when the data is consumed by the NMS, the exploit would work.”