Opsview publishes new vulnerabilities report

Share this…

The flaws could allow code execution

Ethical hacking specialists have recently published a vulnerability report jointly with the enterprise systems monitoring software provider Opsview. The publication is related to five vulnerabilities in the company’s Opsview Monitor product, which is a virtual device deployed within an organization’s network infrastructure.

The product comes bundled with a web management console that monitors and manages hosts and their services. The vulnerability report states that “Opsview builds monitoring software that helps developers understand how the performance of their hybrid IT infrastructure and applications impact the delivery of commercial services”.

Opsview Monitor supports 3500 Nagios plugins and service checks that make it easy to control everything from Docker and VMware to Amazon Web Services, Hyper-V and more. Multiple vulnerabilities were found on Opsview Monitor, which would allow an attacker with access to the management console to execute commands on the operating system.

In principle, a team of ethical hacking experts notified Opsview and requested GPG keys to submit a draft report on May 3, 2018. After receiving the notice, Opsview reported that they were able to reproduce all the vulnerabilities and planned to launch a solution by the end of July, according to the report timeline. Opsview and the specialists continued in communication while the company was working on the remaining corrections. Both parties agreed to publish the full vulnerability report at the beginning of September.

According to ethical hacking specialists from the International Institute of Cyber Security, of the found vulnerabilities, an attacker could use two of them (reflected cross-site scripts in diagnostics and persistent cross-site scripts in the configuration endpoint) to run malicious JavaScript code in the context of a legitimate user.

The proof of concept showed that the input will be stored without any sanitizing process and will be processed every time the “Settings” section is visited by the user. It is important to note that this XSS is automatically stored and runs only in the context of the victim’s session. However, an attacker can exploit this vulnerability to gain persistence and execute malicious code every time the victim accesses the configuration section.

The three remaining vulnerabilities include abuse of notifications leading to remote command execution, abuse of the test connection functionality that leads to command execution and script modification that could allow escalation of local privileges.