Users Vulnerable to Cross-Site Scripting Flaw in Enterprise Monitoring and Systems Management Package
BOSTON, MA – Oct. 2, 2009 - Core Security Technologies, provider of CORE IMPACT, the most comprehensive product for proactive enterprise security testing, today issued an advisory disclosing a vulnerability that could affect the many users of SpringSource’s Hyperic HQ enterprise monitoring and systems management software.
Made by SpringSource, a division of virtualization software maker VMware, Hyperic HQ is an open source program designed to manage web applications and various elements of IT infrastructure. It auto-discovers system resources (including hardware, operating systems and databases) and is able to monitor a range of hosts and services.
“Cross-site scripting continues to represent a significant point of risk in relation to many forms of online applications and web sites, allowing for attackers to gain control of the victim’s web browsers and use them to infiltrate mission-critical systems, or redirect users to nefarious content,” said Ivan Arce, CTO of Core Security Technologies. “In this particular case, the vulnerabilities found could be used to further escalate attacks by running scripts in the server hosting the application, which exemplifies the potential of multi-staged attacks that start by exploiting simple XSS bugs.”
SpringSource received and acknowledged the report of this vulnerability in September 2009 and addressed it with a security patch.
Information on this patch and a related security bulletin published by the vendor can be found at: http://www.springsource.com/security/hyperic-hq
For more information on this vulnerability and the systems affected, please visit:
CoreLabs initially discovered the vulnerability in Hyperic HQ as part of its ongoing research efforts. The flaw specifically affects Hyperic HQ versions 3.2, 4.0, 4.1 and the 4.2 beta release. Earlier, unsupported versions may also be affected.
The first instance, a reflected XSS vulnerability, was discovered in the product’s generic exception handler. When an exception is not caught by the application code in Hyperic HQ, this generic exception handler is invoked and renders a stack trace, including the request data that caused the error, without sanitizing it, which leads to the reflected XSS issue.
The XSS flaw can be triggered by sending invalid data for numeric parameters to Hyperic HQ: the conversion fails, the exception message carries the attacker-supplied value, and the web application prints that value into the error page without escaping HTML characters.
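To make the failure mode concrete, the following Python snippet simulates the pattern described above: a handler expects a numeric parameter, the conversion fails, and a generic error page echoes the stack trace (including the offending value) either raw or HTML-escaped. This is an added illustration written for this page, not Hyperic HQ’s own code; the parameter name `rid`, the handler functions and the sample payload are all constructed assumptions.

```python
import html
import traceback

# Constructed sample input (not from the advisory): a script payload sent
# where the application expects an integer resource id.
SAMPLE_PARAM = "<script>alert(1)</script>"


class ResourceLookupError(Exception):
    """Hypothetical application exception whose message embeds the raw input."""


def parse_numeric_param(name, value):
    """Mimic a handler that expects an integer. The failure message carries
    the attacker-controlled value, which is how it reaches the error page."""
    try:
        return int(value)
    except ValueError as exc:
        raise ResourceLookupError(f"Invalid value for '{name}': {value}") from exc


def _format_trace(exc):
    # Stack trace text, including the exception messages (and the chained
    # ValueError from int(), which also repeats the raw value).
    return "".join(traceback.format_exception(type(exc), exc, exc.__traceback__))


def render_error_page_vulnerable(exc):
    """Generic exception page that prints the trace as-is: reflected XSS."""
    return f"<html><body><h1>Error</h1><pre>{_format_trace(exc)}</pre></body></html>"


def render_error_page_fixed(exc):
    """Same page, but all attacker-influenced text is HTML-escaped first."""
    safe_trace = html.escape(_format_trace(exc), quote=True)
    return f"<html><body><h1>Error</h1><pre>{safe_trace}</pre></body></html>"


def handle_request(query, render_error):
    """Hypothetical request entry point: any uncaught exception is routed to
    the generic error renderer passed in, which is where the two variants differ."""
    try:
        rid = parse_numeric_param("rid", query.get("rid", ""))
        return f"<html><body>Resource {rid}</body></html>"
    except Exception as exc:  # generic handler catches everything
        return render_error(exc)


def reflects_payload(page, payload):
    """Tester's check: does the raw payload appear unescaped in the response body?"""
    return payload in page


if __name__ == "__main__":
    for label, renderer in (("vulnerable", render_error_page_vulnerable),
                            ("fixed", render_error_page_fixed)):
        page = handle_request({"rid": SAMPLE_PARAM}, renderer)
        print(f"{label}: payload reflected unescaped = {reflects_payload(page, SAMPLE_PARAM)}")
```

The point of the `fixed` variant is that the escaping is applied at the single place where untrusted text meets the HTML output, so it covers every exception path rather than only the parameters a developer remembered to validate. The same check (`reflects_payload`) is what a tester would run against a real instance: send a non-numeric value for a numeric parameter and look for the unmodified payload in the error response.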
The Hyperic HQ Web interface also includes a console that allows administrators to run Groovy code directly in the Hyperic server. That code is executed in the same process as the Hyperic server. So, by exploiting any of these XSS vulnerabilities to steal an administrator cookie, and by running arbitrary Groovy code through the web console, it appears that it is not only possible to compromise the web application itself, but to fully compromise any machine on which the Hyperic software is running.
SpringSource received and acknowledged the report of this vulnerability in September 2009 and released a security patch for affected versions of the product.
This vulnerability was discovered and researched by Gaston Rey and Pablo Carballo of CoreLabs during the Core Bugweek 2009 internal security assessment project.
CoreLabs, the research center of Core Security Technologies, is charged with anticipating the future needs and requirements for information security technologies. Research is conducted in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing and cryptography. Results from these efforts include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies.
CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://www.coresecurity.com/corelabs/.
About Core Security Technologies
Core Security Technologies is the leader in comprehensive penetration testing software solutions that IT executives rely on to expose vulnerabilities, measure operational risk and assure security effectiveness. The company’s CORE IMPACT product family offers a comprehensive approach to assessing the security of network systems, endpoint systems, email users and web applications against complex threats. All CORE IMPACT security testing solutions are backed by trusted vulnerability research and leading-edge threat expertise from the company’s Security Consulting Services, CoreLabs and Engineering groups. Based in Boston, MA and Buenos Aires, Argentina, Core Security Technologies can be reached at 617-399-6980 or on the Web at: http://www.coresecurity.com.
Tim Whitman or Lauren O’Leary