Users of Big Monitoring Fabric software are urged to update

Two high-risk vulnerabilities in a network traffic monitoring tool could allow a remote attacker to gain full admin rights and access the SSH console of an affected system, researchers have disclosed.

A cross-site scripting (XSS) bug in the Big Monitoring Fabric tool, discovered by security researchers at Bishop Fox, could be combined with a second flaw that meant an unauthenticated low privilege user could gain full admin access.

This sensitive information disclosure vulnerability, which revealed valid session data for admin users and RSA private keys, left open the door to a privilege escalation attack.

By combining the two flaws it is possible for a sufficiently skilled remote attacker to gain access to the SSH console of a vulnerable system.

Both security issues were patched by vendor Big Switch Networks in October 2019 after a report from security consultancy Bishop Fox, which published a technical write-up of its findings on Monday.

Its advisory explains how an attacker could exploit a stored XSS vulnerability in the <code>/login</code> endpoint by submitting an invalid username containing an XSS payload during the login process.

If an admin user navigates to the affected endpoint, the JavaScript payload would be executed – creating a backdoor admin user account in the process. The security weakness also offers a mechanism for attackers to change the default admin password.

YOU MIGHT ALSO LIKE First externally discovered flaws in Microsoft Edge (Chromium) uncovered

The sensitive information disclosure bug also makes it possible for attackers to gain access to the SSH console on vulnerable systems.

Bishop Fox’s advisory explains: “While authenticated as a user in read-only or admin groups, the API <code>/login</code><code>/api/v1/export</code> endpoint returned SSH RSA private keys and valid user session cookies, including those for administrative users.”

It added: “The SSH private keys appeared to be legitimate, but the team was unable to use them to gain further access with the keys. The admin session cookie was valid and read-only users could use it to perform vertical privilege escalation.”

A spokesman for Big Switch Networks, Prashant Gandhi, told The Daily Swig that Big Switch takes security very seriously, and delivered a patch within two weeks of being notified.

He said: “Big Switch takes security vulnerabilities very seriously, as demonstrated by our actions in this case.

“While the customer doing this assessment tested our recent BMF software version 7.1.x, we recognize that other BMF customers have deployed prior software versions.

“To minimize their inconvenience, we delivered security fixes across multiple BMF release trains (6.2, 6.3, 7.0, and 7.1).

“Exact security patch release versions are listed in the Field Notice as well as in the Bishop Fox article.

“We also proactively fixed these issues in our other two products, Big Cloud Fabric (BCF) and Multi-Cloud Director (MCD), at the same time across multiple release trains.”

Chris Davis, the security researcher at Bishop Fox who discovered the flaws, praised Big Switch Networks for its response to his disclosure.

He told The Daily Swig: “The vendor was very professional in my experience with them, they took the issue’s seriously, had a good understanding of the issues and remediated quickly.”

Gandhi added: “In addition, Big Switch constantly reviews and updates its secure coding and security testing procedures to minimize the attack surface of our products.

“We encourage customers to contact our technical support team for assistance with software upgrades.”