Executive Summary

This alert is flagged as a CWE/SANS TOP 25 Common Weakness Enumeration.
Summary

Title: APC Network Management Card web interface vulnerable to cross-site scripting and cross-site request forgery

Information

Name: VU#166739
Vendor: VU-CERT
Severity (vendor): N/A
First vendor publication: 2010-02-24
Last vendor modification: 2010-04-29
Revision: M

Security-Database Scoring CVSS v3

CVSS vector: N/A
Overall CVSS score: NA
Base score: NA
Environmental score: NA
Impact subscore: NA
Temporal score: NA
Exploitability subscore: NA

Security-Database Scoring CVSS v2

CVSS vector: (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CVSS base score: 6.8
CVSS impact score: 6.4
CVSS exploit score: 8.6
Attack range: Network
Attack complexity: Medium
Authentication: None required

Detail

Vulnerability Note VU#166739

APC Network Management Card web interface vulnerable to cross-site scripting and cross-site request forgery

Overview

The web management interface for the APC Network Monitoring Card (NMC) used in various APC devices contains cross-site scripting (XSS) and cross-site request forgery (CSRF/XSRF) vulnerabilities. By convincing a victim to load a specially crafted URL while authenticated to an NMC, an attacker could obtain credentials or perform certain actions as the victim, including turning off the NMC-based device and any systems attached to it.

I. Description

Some APC uninterruptible power supplies (UPS) support remote network management using several types of Network Monitoring Card (NMC).

The NMC web management interface does not adequately filter user-supplied data before that data is included in dynamically generated web pages, creating cross-site scripting (XSS) vulnerabilities. One XSS vulnerability occurs in the /Forms/login1?login_username field (CVE-2009-4406). There may be other XSS vulnerabilities in the NMC web management interface (CVE-2009-1798).

The web interface also fails to adequately authenticate some requests, creating cross-site request forgery (CSRF/XSRF) vulnerabilities (CVE-2009-1797).
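The two weaknesses described above, reflected input and unauthenticated state changes, are easiest to see side by side. The following Python is an added illustration written for this note; it is not APC's NMC code, and everything in it except the /Forms/login1 endpoint and its login_username parameter (taken from the note) is a hypothetical stand-in: the Session class, the render_login_* and apply_action_* handlers, and the constructed "ups_off" action. The vulnerable variants reflect the username verbatim and accept any authenticated request; the fixed variants HTML-encode the reflected value and require a POST carrying a per-session token that a page on another origin cannot read.

```python
import hmac
import html
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Hypothetical session object; the real NMC session model is not described in the note.
@dataclass
class Session:
    user: str
    # Per-session secret that a cross-origin page cannot read (same-origin policy).
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))


def render_login_vulnerable(login_username: str) -> str:
    """Reflects /Forms/login1?login_username verbatim into the page (CWE-79 pattern)."""
    return '<input name="login_username" value="' + login_username + '">'


def render_login_fixed(login_username: str) -> str:
    """HTML-encodes the reflected value so quotes and angle brackets stay literal text."""
    return '<input name="login_username" value="' + html.escape(login_username, quote=True) + '">'


def apply_action_vulnerable(session: Optional[Session], method: str,
                            params: Dict[str, str]) -> Tuple[int, str]:
    """Accepts any authenticated request, including a GET triggered from another site (CWE-352 pattern)."""
    if session is None:
        return 401, "login required"
    return 200, f"{params.get('action')} applied by {session.user}"


def apply_action_fixed(session: Optional[Session], method: str,
                       params: Dict[str, str]) -> Tuple[int, str]:
    """Requires POST plus a token matching the session; a forged cross-site request has neither."""
    if session is None:
        return 401, "login required"
    if method != "POST":
        return 405, "state changes must use POST"
    supplied = params.get("csrf_token", "")
    # Constant-time comparison so the token cannot be guessed byte by byte through timing.
    if not hmac.compare_digest(supplied, session.csrf_token):
        return 403, "missing or invalid CSRF token"
    return 200, f"{params.get('action')} applied by {session.user}"


def demo() -> dict:
    """Runs constructed requests through both variants and returns the outcomes."""
    admin = Session(user="apc")
    # Constructed input: a value that closes the attribute and injects markup.
    probe = '"><b>injected</b>'
    # Constructed forged request: a cross-site GET carries the victim's cookie but no token.
    forged = ("GET", {"action": "ups_off"})
    # Constructed legitimate request: a same-origin form POST that includes the session token.
    legit = ("POST", {"action": "ups_off", "csrf_token": admin.csrf_token})
    return {
        "xss_vulnerable": render_login_vulnerable(probe),
        "xss_fixed": render_login_fixed(probe),
        "csrf_vulnerable_forged": apply_action_vulnerable(admin, *forged),
        "csrf_fixed_forged": apply_action_fixed(admin, *forged),
        "csrf_fixed_legit": apply_action_fixed(admin, *legit),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, "->", outcome)
```

Running it shows the vulnerable renderer emitting the injected `<b>` tag while the fixed one emits `&lt;b&gt;`, and the forged GET being applied by the vulnerable handler but rejected by the fixed one, which still accepts the same action when it arrives as a POST with the session's token. Output encoding and a secret the attacker's origin cannot obtain are the two controls a firmware fix for this class of bug has to add; restricting which hosts may reach the interface does not help, because the forged request originates from the victim's own browser.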

II. Impact

By convincing a victim to load a specially crafted URL while authenticated to an NMC, an attacker could obtain user credentials or perform certain actions as that user. It is possible to exploit the XSS vulnerabilities to obtain cookies and other page content, so an attacker could obtain administrative credentials. If the attacker were able to access the NMC directly, the attacker would have complete control and could reconfigure the UPS or turn it off, thereby turning off any systems connected to the UPS. Exploiting the CSRF vulnerabilities could allow an attacker to take certain actions via the web interface, including turning off the UPS and any connected systems.

III. Solution

Update firmware

Update NMC firmware as specified by APC. Release notes indicate that these vulnerabilities are addressed in firmware version 3.7.2 for certain NMCs. APC has indicated that the vulnerabilities are also addressed in firmware version 5.1.1.

Disable web interface

Disabling the web management interface will prevent exploitation of these vulnerabilities.

Restrict access

As a general good security practice, only allow connections from trusted hosts and networks. Consider setting up management networks as separate and dedicated channels. Note that restricting access does not prevent XSS or CSRF attacks since the attack comes as an HTTP request from a legitimate user's host. Restricting access would prevent an attacker from accessing an NMC using stolen credentials from a blocked network location.

Systems Affected

Vendor                             Status      Date Notified / Date Updated
American Power Conversion Corp.    Vulnerable  2010-02-24

References

http://holisticinfosec.org/content/view/111/45/
http://nam-en.apc.com/cgi-bin/nam_en.cfg/php/enduser/std_adp.php?p_faqid=10887&p_created=1261587018&p_topview=1
http://www.securityfocus.com/archive/1/508468/30/60/threaded
http://www.securityfocus.com/archive/1/508468/100/0/threaded
http://www.securityfocus.com/bid/37338/info
http://www.apcmedia.com/salestools/PMAR-82BMH5_R0_EN.zip

Credit

These vulnerabilities were researched and reported by Russ McRee. Jamal Pecou also reported CVE-2009-4406.

This document was written by Art Manion.

Other Information

Date Public: 2009-12-14
Date First Published: 2010-02-24
Date Last Updated: 2010-04-29
CERT Advisory: none
CVE-ID(s): CVE-2009-1797; CVE-2009-1798; CVE-2009-4406
NVD-ID(s): CVE-2009-1797; CVE-2009-1798; CVE-2009-4406
US-CERT Technical Alerts: none
Metric: 0.00
Document Revision: 27

Original Source

URL: http://www.kb.cert.org/vuls/id/166739

CWE : Common Weakness Enumeration

Share  Id       Name
67 %   CWE-79   Failure to Preserve Web Page Structure ('Cross-site Scripting') (CWE/SANS Top 25)
33 %   CWE-352  Cross-Site Request Forgery (CSRF) (CWE/SANS Top 25)

CPE : Common Platform Enumeration

Type  Description  Count
Application 2
Hardware 1
Hardware 1
Hardware 1

Open Source Vulnerability Database (OSVDB)

Id     Description
61289  APC NMC Multiple Products Admin User Creation CSRF

APC NMC Multiple Products contain a flaw that allows a remote Cross-site Request Forgery (CSRF / XSRF) attack. The flaw exists because the application does not require multiple steps or explicit confirmation for sensitive transactions. By using a crafted URL (e.g., a crafted GET request inside an "img" tag), an attacker may trick the victim into clicking on the image to take advantage of the trust relationship between the authenticated victim and the application. Such an attack could trick the victim into executing arbitrary commands in the context of their session with the application, without further prompting or verification.
61288  APC NMC Multiple Products Forms/login1 Multiple Parameter XSS

APC NMC Multiple Products contain a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate multiple parameters upon submission. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.

Alert History

Date                 Information
2013-05-11 00:56:53  Multiple Updates