Executive Summary

This Alert is flagged as TOP 25 Common Weakness Enumeration from CWE/SANS. For more information, see the CWE/SANS Top 25 list.
Summary
Title: IPswitch WhatsUp Gold contains multiple XSS vulnerabilities and a SQLi
Informations
Name: VU#176160
First vendor Publication: 2015-12-16
Vendor: VU-CERT
Last vendor Modification: 2015-12-27
Severity (Vendor): N/A
Revision: M

Security-Database Scoring CVSS v3

Cvss vector: N/A
Overall CVSS Score: NA
Base Score: NA
Environmental Score: NA
Impact Sub Score: NA
Temporal Score: NA
Exploitability Sub Score: NA

Security-Database Scoring CVSS v2

Cvss vector: (AV:N/AC:L/Au:S/C:P/I:P/A:P)
Cvss Base Score: 6.5
Attack Range: Network
Cvss Impact Score: 6.4
Attack Complexity: Low
Cvss Exploit Score: 8
Authentication: Requires single instance

Detail

Vulnerability Note VU#176160

IPswitch WhatsUp Gold contains multiple XSS vulnerabilities and a SQLi

Original Release date: 16 Dec 2015 | Last revised: 27 Dec 2015

Overview

IPSwitch's WhatsUp Gold version 16.3, and possibly previous versions, is vulnerable to SQL injection and cross-site scripting attacks.

Description

CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') - CVE-2015-6004

The "Find Device" search field does not properly neutralize user input, allowing an unauthenticated attacker (e.g., one using the guest account) to perform SQL queries and commands by inserting ticks or percent characters.

The "UniqueID" parameter does not sufficiently sanitize user-provided input, leading to a complete compromise of the database associated with the WhatsUpGold application. This parameter is only accessible post-authentication. For more information, please see Rapid7's advisory R7-2015-19.

CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) - CVE-2015-6005

A stored XSS vulnerability can be triggered by poisoning certain SNMP OID objects and waiting for a WhatsUpGold instance to query the SNMP endpoint. SNMP trap messages may also be used. For more information, please see Rapid7's advisory R7-2015-19.

Furthermore, the following user input fields do not properly neutralize user input, allowing an attacker to perform stored XSS attacks:

  • View Names
  • Group Names
  • Flow Monitor Credentials and Threshold Name
  • Task Library Name and Description
  • Policy Library Name and Description
  • Template Library Name and Description
  • System Script Library Name and Description
  • CLI Settings Library Description

These fields appear to be only accessible by privileged accounts (e.g., administrator accounts) and therefore are unlikely to be exploited in practice.
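As an added example (not code from the vendor, CERT/CC or Rapid7), the block below shows how the two inputs this note describes can be neutralized on the server side: a device search that binds the search term as a query parameter and escapes LIKE wildcards, so ticks and percent characters stay literal, and HTML encoding of SNMP-derived device names before they are written into a page. The device table, names and addresses are constructed sample data, and sqlite3 stands in for the product's database.

```python
import html
import sqlite3

# Constructed sample inventory standing in for an NMS device table.
# Display names come from SNMP sysName, i.e. attacker-influenced data.
SAMPLE_DEVICES = [
    ("core-sw1", "10.0.0.1"),
    ("edge-rtr%", "10.0.0.2"),
    ("it's-a-printer", "10.0.0.3"),
    ("<script>alert(1)</script>", "10.0.0.4"),
]


def build_inventory():
    """Create an in-memory table populated with the constructed devices."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE devices (sysname TEXT, address TEXT)")
    conn.executemany("INSERT INTO devices VALUES (?, ?)", SAMPLE_DEVICES)
    return conn


def escape_like(term, esc="\\"):
    """Escape LIKE metacharacters so a user's '%' or '_' matches literally."""
    return (term.replace(esc, esc + esc)
                .replace("%", esc + "%")
                .replace("_", esc + "_"))


def find_device(conn, term):
    """Substring search over device names.

    The term is bound as a parameter, so a tick can never terminate the
    SQL string literal, and wildcards are escaped so a '%' in the term
    cannot widen the match beyond what the user typed.
    """
    pattern = "%" + escape_like(term) + "%"
    return conn.execute(
        "SELECT sysname, address FROM devices "
        "WHERE sysname LIKE ? ESCAPE '\\' ORDER BY sysname",
        (pattern,),
    ).fetchall()


def render_device_row(sysname, address):
    """HTML-encode SNMP-derived strings before placing them in a page."""
    return "<tr><td>{}</td><td>{}</td></tr>".format(
        html.escape(sysname, quote=True), html.escape(address, quote=True))
```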

According to the reporters, WhatsUp Gold version 16.3 is affected by these vulnerabilities. Other versions may also be affected.

The CVSS score below is based on CVE-2015-6004.

Impact

An unauthenticated remote attacker may perform SQL commands on the backend database. An administrator may be able to perform cross-site scripting attacks on other administrators and users.

Solution

Apply an update

IPSwitch has released WhatsUp Gold version 16.4 to address these issues. Affected users should update as soon as possible.

Vendor Information

Vendor: Ipswitch, Inc
Status: Affected
Date Notified: 16 Jul 2015
Date Updated: 08 Sep 2015

CVSS Metrics

Base: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Temporal: 5.9 (E:POC/RL:OF/RC:C)
Environmental: 4.4 (CDP:N/TD:M/CR:ND/IR:ND/AR:ND)

References

  • https://community.rapid7.com/community/infosec/blog/2015/12/16/multiple-disclosures-for-multiple-network-management-systems

Credit

Thanks to an anonymous researcher working with Beyond Security's SSD program, Owen Shearing of 7Safe Ltd., and Rapid7 for independently reporting SQL injection issues to us. Thanks to the anonymous researcher and Rapid7 for also reporting cross-site scripting vulnerabilities.

This document was written by Garret Wassermann.

Other Information

  • CVE IDs: CVE-2015-6004, CVE-2015-6005
  • Date Public: 16 Dec 2015
  • Date First Published: 16 Dec 2015
  • Date Last Updated: 27 Dec 2015
  • Document Revision: 66


Original Source

Url : http://www.kb.cert.org/vuls/id/176160

CWE : Common Weakness Enumeration

% Id Name
50 % CWE-89 Improper Sanitization of Special Elements used in an SQL Command ('SQL Injection') (CWE/SANS Top 25)
50 % CWE-79 Failure to Preserve Web Page Structure ('Cross-site Scripting') (CWE/SANS Top 25)

CPE : Common Platform Enumeration

Type: Application
Count: 11

Nessus® Vulnerability Scanner

Date Description
2016-02-15 Name : An application running on the remote host is affected by multiple vulnerabili...
File : ipswitch_whatsup_gold_remote_16_4_0.nasl - Type : ACT_GATHER_INFO
2016-01-22 Name : An application installed on the remote host is affected by multiple vulnerabi...
File : ipswitch_whatsup_gold_16_4_0.nasl - Type : ACT_GATHER_INFO

Alert History

Date Information
2016-02-16 13:27:40
  • Multiple Updates
2016-01-23 13:25:19
  • Multiple Updates
2015-12-28 21:28:58
  • Multiple Updates
2015-12-28 00:23:46
  • Multiple Updates
2015-12-27 09:27:40
  • Multiple Updates
2015-12-21 21:22:57
  • Multiple Updates
2015-12-16 21:23:24
  • First insertion