Corero SecureWatch Managed Services 9.7.2.0020 Multiple Broken Access Control

Corero SecureWatch Managed Services 9.7.2.0020 does not correctly check the privileges of “swa-monitor” and “cns-monitor” users, allowing a user to perform actions that do not belong to their role.

Product description (from vendor)

“SecureWatch Managed Services are a comprehensive suite of configuration optimization, monitoring and mitigation response services. This round-the-clock service, delivered by Corero’s highly experienced Security Operations Center, is tailored to meet the security policy requirements and business goals of each SmartWall customer that engages in a SecureWatch managed service plan.” More information is available at https://www.corero.com/product/managed-ddos-protection-services/

CVE

Root cause analysis

Users with specific roles can perform privileged operations outside of the scope of their role.

Users with the “swa-monitor” role can interact with the following HTTP API endpoints on the target host:

  • “get_snapshot_list”: used to provide a list of available snapshots
  • “get_snapshot”: used to download snapshots in pkg format
  • “get_packages”: used to provide a list of installed packages and their versions
  • “get_settings”: used to provide some information about the server’s network configuration
  • “settings”: used to provide information about the Splunk configuration

Furthermore, a user with the “cns-monitor” role can reach the following endpoint on the target host:

  • “/system/diagnostics”: used to manage the log files.

Proof of concept

  1. Log in with a user of role “swa-monitor”
  2. Get the snapshot list: https://$host:8000/it-IT/splunkd/__raw/services/get_snapshot_list
  3. Notice the response containing the list of available snapshots
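As an added example that is not part of the original advisory, the following Python script shows how a defender could audit web-access logs for the out-of-role calls described above: it flags successful requests from “swa-monitor” or “cns-monitor” accounts to the endpoints listed in the root cause analysis and ignores requests the server already refused. The access-log layout, the user-to-role mapping and the sample log lines are constructed assumptions, not the product’s real format.

```python
import re
from urllib.parse import urlsplit

# Endpoints the advisory lists as reachable by each monitor role although they should not be.
RESTRICTED = {
    "swa-monitor": {"get_snapshot_list", "get_snapshot", "get_packages", "get_settings", "settings"},
    "cns-monitor": {"/system/diagnostics"},
}

# Hypothetical user-to-role mapping; in practice this comes from the product's user store.
USER_ROLES = {"alice": "swa-monitor", "bob": "cns-monitor", "carol": "admin"}

# Assumed access-log layout (client, user, timestamp, request line, status), modelled on common web-server logs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def matches_restricted(path: str, role: str) -> bool:
    """True if `path` hits an endpoint the advisory says `role` should not reach."""
    path = urlsplit(path).path.rstrip("/")          # drop query string and trailing slash
    for endpoint in RESTRICTED.get(role, ()):
        if endpoint.startswith("/"):                # path fragment such as /system/diagnostics
            if path.endswith(endpoint):
                return True
        elif path.rsplit("/", 1)[-1] == endpoint:   # bare service name under .../services/
            return True
    return False

def find_violations(lines):
    """Return (user, role, path, status) for successful requests to out-of-role endpoints."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        role = USER_ROLES.get(m["user"])
        status = int(m["status"])
        # A 4xx means the server refused the call, so the control worked; only flag 2xx/3xx.
        if role and status < 400 and matches_restricted(m["target"], role):
            hits.append((m["user"], role, urlsplit(m["target"]).path, status))
    return hits

# Constructed sample log lines for demonstration.
SAMPLE_LOG = [
    '10.0.0.5 - alice [06/Aug/2021:10:00:01 +0000] "GET /it-IT/splunkd/__raw/services/get_snapshot_list HTTP/1.1" 200 512',
    '10.0.0.5 - alice [06/Aug/2021:10:00:07 +0000] "GET /it-IT/splunkd/__raw/services/get_snapshot?name=snap1 HTTP/1.1" 200 40960',
    '10.0.0.5 - alice [06/Aug/2021:10:00:09 +0000] "GET /it-IT/splunkd/__raw/services/get_packages HTTP/1.1" 403 0',
    '10.0.0.6 - bob [06/Aug/2021:10:01:00 +0000] "GET /it-IT/app/system/diagnostics HTTP/1.1" 200 2048',
    '10.0.0.6 - bob [06/Aug/2021:10:01:03 +0000] "GET /it-IT/splunkd/__raw/services/get_settings HTTP/1.1" 200 300',
    '10.0.0.7 - carol [06/Aug/2021:10:02:00 +0000] "GET /it-IT/splunkd/__raw/services/get_snapshot_list HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for hit in find_violations(SAMPLE_LOG):
        print("out-of-role access:", hit)
```

The sample run reports alice's two successful snapshot calls and bob's diagnostics access, but not alice's refused get_packages request, bob's get_settings call (not listed for his role) or carol's admin activity.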

Impact

An attacker with access to a “swa-monitor” or “cns-monitor” account can perform privileged operations and gain access to reserved information.

Remediation

Upgrade Corero SecureWatch Managed Services to version 9.7.5 or later. (Note: we didn’t verify the patch.)

Disclosure timeline

  • 01/12/2020: The vulnerability is found during an assessment for a Shielder client and reported to the vendor
  • 09/12/2020: The vendor fixes the vulnerability with the release of Corero SecureWatch Managed Services v9.7.5
  • 06/08/2021: Shielder’s advisory is made public

Credits

Giulio `linset` Casciaro from Shielder

This advisory was first published on https://www.shielder.it/it/advisories/corero_secure_watch_managed_services-multiple-broken-access-control/

Date

6 August 2021