SEC Consult Vulnerability Lab Security Advisory 20130507-0
===
title: Multiple vulnerabilities
product: NetApp OnCommand System Manager
vulnerable version: = 2.1 and =2.0.2
fixed version: 2.2 (only XSS fixed)
CVE: CVE-2013-3320 (XSS)
CVE-2013-3321 (File inclusion)
CVE-2013-3322 (OS command execution)
impact: medium
homepage: http://www.netapp.com/
found: 2012-11-06
by: M. Heinzl
SEC Consult Vulnerability Lab
https://www.sec-consult.com/
===
Vendor description:
---
You don't need to be a storage expert to manage NetApp storage systems.
Configuration and ongoing storage management are easy using the Web-based
OnCommand® System Manager. System Manager is the simple yet powerful
management solution for NetApp storage it'seasy for small to midsize
businesses to use and efficient for large enterprises and service providers.
Source:
http://www.netapp.com/us/products/management-software/system-manager.html
Vulnerability overview/description:
---
NetApp OnCommand System Manager suffers from multiple permanent and reflective
cross-site scripting vulnerabilities, a local file inclusion vulnerability as
well as an OS command execution vulnerability.
Malicious, authenticated users can exploit these flaws to change the contents
of the displayed site, redirect the user to other sites, steal user
credentials, execute system commands and read sensitive information.
The vendor will not fix the file inclusion and OS command execution issues,
as it is considered a design feature.
Proof of concepts:
-
1) Multiple Reflective Cross-Site Scripting Vulnerabilities (internal bug
number 654355) - CVE-2013-3320
When configuring CIFS (Configuration Protocols CIFS Configuration
Setup), JavaScript can be inserted into the parameters domain-name and
value.
Request (domain-name):
POST /zapiServlet HTTP/1.1
Host: 127.0.0.1:1195
[...]
netapp version=1.7
xmlns=http://www.netapp.com/filer/admin;cifs-setupauth-typeworkgroup/auth-typedomain-nameimg
src=x onerror=alert(1)
/domain-namesecurity-stylemultiprotocol/security-styleserver-nameFILER/server-name/cifs-setup/netapp
Furthermore, when creating new LUNs or editing already existing ones (Storage
LUNs
(Create or Edit)), JavaScript can be inserted into the parameter comment.
2) Multiple permanent cross-site scripting vulnerabilities (internal bug
number 654355) - CVE-2013-3320
When creating new users or editing already existing ones (Configuration
Local Users and Groups Users (Create or Edit)), JavaScript can be inserted
into the parameters full-name and comment.
Request (full-name):
POST /zapiServlet HTTP/1.1
Host: 127.0.0.1:1457
[...]
netapp version=1.7
xmlns=http://www.netapp.com/filer/admin;useradmin-user-modifyuseradmin-useruseradmin-user-infofull-nametestimg
src=x onerror=alert(1)
/full-namecommenttest/commentnametest/namepassword-maximum-age4294967295/password-maximum-agepassword-minimum-age0/password-minimum-ageuseradmin-groupsuseradmin-group-infonameAdministrators/name/useradmin-group-info/useradmin-groups/useradmin-user-info/useradmin-user/useradmin-user-modify/netapp
Furthermore, when creating new groups or editing already existing ones
(Configuration
Local Users and Groups Groups (Create or Edit)), JavaScript can be
inserted into the parameter comment.
When creating new shares or editing already existing ones (Storage Shares
(Create or Edit)), JavaScript can be inserted into the parameter comment.
3) Local File Inclusion (internal bug number 654357) - CVE-2013-3321 *
When retrieving log files through SnapMirror (Diagnostics SnapMirror Log),
the path can be changed to read arbitrary files from the file system.
4) OS Command Execution (internal bug number 654360) - CVE-2013-3322 *
When using the Halt/Reboot interface (Configuration System Tools
Halt/Reboot),
arbitrary OS commands can be injected.
* To exploit these issues, the attacker must be authenticated as root. The
vendor will not fix these issues, as it is considered a design feature. Hence
no proof of concept will be included within this advisory.
Vendor contact timeline:
2012-11-06: Contacting vendor through security-in...@netapp.com
2012-11-06: Initial vendor response
2012-11-07: Forwarding security advisory to vendor
2012-11-07: Vendor acknowledges that the advisory was received
2012-11-14: Asking vendor for a status update
2012-11-14: Vendor asks for more time to address the issues
2012-11-27: Asking vendor for a conference call to discuss further details
2012-11-28: Conference call scheduled for 12th of
