ManageEngine OpUtils is an enterprise switch port and IP address management system. Rapid7's Deral Heiland discovered a persistent cross-site scripting (XSS) vulnerability, as well as a number of insecure direct object references. The vendor and CERT have been notified of these issues. The version tested was OpUtils 8.0, which was the most recent version at the time of initial disclosure. As of today, the current version offered by ManageEngine is OpUtils 12.0.
R7-2016-02.1: Multiple Persistent XSS Vulnerabilities
The following example shows the results of discovering a network device where the SNMP sysDescr has been set to
sysDescr 188.8.131.52.184.108.40.206 sysLocation 220.127.116.11.18.104.22.168.0 sysName 22.214.171.124.126.96.36.199.0
sysLocation triggered when viewed within IP History as shown in Figure 2 and Figure 3.
sysName triggered when viewed within device history as shown in Figure 4.
<embed src=//ld1.us/4.swf> to embed flash into the Trap Receiver section of the UI.
R7-2016-02.2: Multiple Insecure Direct Object References
During testing, it was discovered that URLs ending in .cc are accessible without proper authentication. This allowed for retrieval of a portion of the web page. The following URLs are able to be accessed without authentication:
http://IP-Address:7080/SystemExplorer.cc http://IP-Address:7080/UserView.cc http://IP-Address:7080/AuditView.cc http://IP-Address::7080/AuditViewRogue.cc http://IP-Address:7080/IPAMReport.cc http://IP-Address:7080/ipAddressManager.cc http://IP-Address:7080/ipAddressManagerInputPage.cc
As a result of this direct access without authentication, an attacker is able to view the HTML of the web page
SystemExplorer.cc. Here, it was discovered that the product's configured SNMP community string is transmitted in clear text as shown in Figure 6.
Thu, Jan 14, 2016: Issues discovered by Deral Heiland of Rapid7, Inc.
Fri, Jan 15, 2016: Initial contact to vendor
Mon, Feb 15, 2016: Details disclosed to CERT, tracked as VU#400736
Wed, Mar 9, 2016: Clarification requested by the vendor, via CERT
Thu, Mar 17, 2016: Public disclosure of R7-2016-02