
Security issue disclosures, 31 Jan 2020


    Details

    • Sprint:
      Horizon 2020 - March 18th, Horizon 2020 - April 1st

      Description

      Multiple security issues reported via e-mail by Johannes Moritz (RIPS Technologies), who would like to be credited in release notes.

      jmoritz and dbrinkrolf are the usernames for e-mail contact. Both are at ripstech.com.

       

      Hi,

      We found several security issues in OpenNMS with our static code analysis engine RIPS.

      The severity of the found issues is from low to critical:

      • 3 Open Redirect vulnerabilities (low)
      • 9 Reflected Cross-Site Scripting issues (medium)
      • 1 HQL Injection (critical)

      We have verified the issues with OpenNMS 25.1.2 (openjdk version "11.0.5" and xubuntu 18.04).

      You will find the details in the attached markdown file.

      I would be happy if you could credit me in the release notes or in the CVE details with "Johannes Moritz (RIPS Technologies)".

      If you have further questions, don't hesitate to contact my colleague (in CC).

      Best regards,

      Johannes Moritz

       

      Referenced markdown file follows.

      ## Open Redirect

      [RIPS] found 3 Open Redirect issues in the following files of OpenNMS 25.1.2:

      The first issue can be exploited via the GET parameter `redirect` by accessing the following URL:
      `http://192.168.56.102:8980/opennms/alarm/acknowledge?redirect=http://google.com&actionCode=unack&alarm=1`

      The second issue can be exploited via the GET parameter `redirect` by accessing the following URL:
      `192.168.56.102:8980/opennms/notification/acknowledge?redirect=http://google.com&notices=1`

      The third issue can be exploited via the GET parameter `redirect` by accessing the following URL:
      `http://192.168.56.102:8980/opennms/alarm/acknowledgeByFilter?redirect=http://google.com&actionCode=unack`

      For more information about fixing an OpenRedirect see:

      https://owasp.org/www-project-cheat-sheets/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html

      ## Reflected Cross-Site Scripting

      We found 9 reflected XSS issues in the following files of OpenNMS 25.1.2:

      ### 1. load-assets.jsp
      There are 2 reflected XSS issues in the file `load-assets.jsp`.
      Both issues can be triggered without authentication.

      ### 2. resultsIndexNoCount.jsp
      There are 3 XSS issues in the file `resultsIndexNoCount.jsp`. These issues require the victim to be authenticated.

      ### 3. resultsIndex.jsp

      There are 3 XSS issues in the file `resultsIndex.jsp`. These issues require the victim to be authenticated.

      ### 4. notification-box.jsp

      Information about fixing XSS issues can be found here:

      https://owasp.org/www-project-cheat-sheets/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html

      ## HQL Injection
      There is an HQL Injection in the NodeListController endpoint of OpenNMS. The HQL injection requires privileges of the role "ROLE_USER" (low privilege user).
      The GET parameters `snmpParmValue` and `snmpParm` are concatenated into an HQL query in the function `org.opennms.web.svclayer.support.addCriteriaForSnmpParm`.
      The concatenation of user input into a database query is insecure since malicious HQL commands can be injected and arbitrary data can be read from the database.
      The following listing shows the vulnerable function.
      ```java
      // Listing as reported (a method from a class in org.opennms.web.svclayer.support);
      // the imports it relies on are added here for reference.
      import org.hibernate.criterion.MatchMode;
      import org.hibernate.criterion.Restrictions;
      import org.opennms.netmgt.model.OnmsCriteria;

      private static void addCriteriaForSnmpParm(OnmsCriteria criteria,
              String snmpParm, String snmpParmValue, String snmpParmMatchType) {
          criteria.createAlias("node.ipInterfaces", "ipInterface");
          criteria.add(Restrictions.ne("ipInterface.isManaged", "D"));
          criteria.createAlias("node.snmpInterfaces", "snmpInterface");
          criteria.add(Restrictions.ne("snmpInterface.collect", "D"));
          if (snmpParmMatchType.equals("contains")) {
              // snmpParm is spliced into the criteria property path without validation
              criteria.add(Restrictions.ilike("snmpInterface.".concat(snmpParm), snmpParmValue, MatchMode.ANYWHERE));
          } else if (snmpParmMatchType.equals("equals")) {
              snmpParmValue = snmpParmValue.toLowerCase();
              // both snmpParm and snmpParmValue are concatenated straight into a native SQL
              // restriction: this is the injection point described above
              criteria.add(Restrictions.sqlRestriction("{alias}.nodeid in (select nodeid from snmpinterface"
                      + " where snmpcollect != 'D' and lower(snmp" + snmpParm + ") = '" + snmpParmValue + "')"));
          }
      }
      ```
      When accessing the following URL, we can execute the `PostgreSQL` function `pg_sleep`:
      `http://192.168.56.102:8980/opennms/element/nodeList.htm?snmpParm=collect&snmpParmValue=ab%27+and+%24%24%3D%27%24%24%3Dchr(61)||chr(39)and(select+pg_sleep(6))%3A%3Atext%3Dchr(39))+--&snmpParmMatchType=equals&listInterfaces=true`

      For more information see:

      https://owasp.org/www-community/Hibernate
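      The two fixes the report's OWASP links point to, shown as an added illustration written for this page and not code from OpenNMS or from the reporter: a redirect-target check that only accepts paths inside the application's own context, and a variant of `addCriteriaForSnmpParm` that allowlists the column name and passes the value as a bind parameter instead of concatenating it. The class name `HardenedExamples`, the contents of `ALLOWED_SNMP_PARMS` (only `collect` appears in the report; the other entries are assumed and must be checked against the real `snmpinterface` schema and `OnmsSnmpInterface` properties), the `/opennms` context path taken from the report's URLs, and the use of Hibernate's `StandardBasicTypes.STRING` are assumptions.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Set;

import org.hibernate.criterion.MatchMode;
import org.hibernate.criterion.Restrictions;
import org.hibernate.type.StandardBasicTypes;
import org.opennms.netmgt.model.OnmsCriteria;

public final class HardenedExamples {

    private HardenedExamples() {}

    /**
     * Open redirect fix: accept a redirect target only if it is a path inside this
     * application's context. Anything absolute, protocol-relative ("//host"), carrying an
     * authority, containing backslashes (browsers normalise "/\" to "//") or simply not
     * parseable falls back to the supplied default page.
     */
    public static String safeRedirectTarget(String candidate, String contextPath, String fallback) {
        if (candidate == null || candidate.isEmpty()) {
            return fallback;
        }
        if (candidate.indexOf('\\') >= 0 || candidate.startsWith("//")) {
            return fallback;
        }
        // Assumed context path, e.g. "/opennms": the target must stay under it.
        if (!candidate.equals(contextPath) && !candidate.startsWith(contextPath + "/")) {
            return fallback;
        }
        try {
            URI uri = new URI(candidate);
            if (uri.isAbsolute() || uri.getAuthority() != null || uri.getRawPath() == null) {
                return fallback;
            }
        } catch (URISyntaxException e) {
            return fallback;
        }
        return candidate;
    }

    /**
     * Allowlist of SNMP interface attributes a user may filter on. Assumed set for this
     * example: each entry must be a valid OnmsSnmpInterface property for the "contains"
     * branch and, prefixed with "snmp", a valid snmpinterface column for the "equals" branch.
     */
    private static final Set<String> ALLOWED_SNMP_PARMS = Set.of("collect", "ifAlias", "ifDescr", "ifName");

    /**
     * Injection fix: the attribute name is taken from the allowlist, never from raw input,
     * and the value travels as a bind parameter ("?") so quotes in it cannot end the literal.
     */
    public static void addCriteriaForSnmpParm(OnmsCriteria criteria, String snmpParm,
            String snmpParmValue, String snmpParmMatchType) {
        if (snmpParm == null || !ALLOWED_SNMP_PARMS.contains(snmpParm)) {
            throw new IllegalArgumentException("unsupported snmpParm");
        }
        if (snmpParmValue == null) {
            throw new IllegalArgumentException("snmpParmValue is required");
        }
        criteria.createAlias("node.ipInterfaces", "ipInterface");
        criteria.add(Restrictions.ne("ipInterface.isManaged", "D"));
        criteria.createAlias("node.snmpInterfaces", "snmpInterface");
        criteria.add(Restrictions.ne("snmpInterface.collect", "D"));
        if ("contains".equals(snmpParmMatchType)) {
            // The property path is now built from an allowlisted name; ilike binds the value.
            criteria.add(Restrictions.ilike("snmpInterface." + snmpParm, snmpParmValue, MatchMode.ANYWHERE));
        } else if ("equals".equals(snmpParmMatchType)) {
            // Column name from the allowlist; the value is supplied as a typed bind parameter
            // (Hibernate's Restrictions.sqlRestriction(String, Object, Type) overload).
            criteria.add(Restrictions.sqlRestriction(
                    "{alias}.nodeid in (select nodeid from snmpinterface"
                    + " where snmpcollect != 'D' and lower(snmp" + snmpParm + ") = ?)",
                    snmpParmValue.toLowerCase(), StandardBasicTypes.STRING));
        } else {
            throw new IllegalArgumentException("unsupported snmpParmMatchType");
        }
    }
}
```

      With `safeRedirectTarget("http://google.com", "/opennms", "/opennms/index.jsp")` the external target is replaced by the fallback, while `"/opennms/alarm/list.htm"` is returned unchanged. In `addCriteriaForSnmpParm`, a value such as `ab' and ...` is no longer part of the SQL text at all; it reaches the database as the parameter bound to the `?` placeholder, so the comparison is simply against that literal string.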

              People

              Assignee:
              patrick.schweizer Patrick Schweizer
              Reporter:
              jeffg Jeff Gehlbach
              Votes: 0
              Watchers: 4
