ID

VAR-200912-0430


CVE

CVE-2009-1797


TITLE

APC Network Management Card web interface vulnerable to cross-site scripting and cross-site request forgery

Trust: 0.8

sources: CERT/CC: VU#166739

DESCRIPTION

Multiple cross-site request forgery (CSRF) vulnerabilities on the Network Management Card (NMC) on American Power Conversion (APC) Switched Rack PDU (aka Rack Mount Power Distribution) devices and other devices allow remote attackers to hijack the authentication of (1) administrator or (2) device users for requests that create new administrative users or have unspecified other impact.

The web management interface for the APC Network Monitoring Card (NMC) used in various APC devices contains cross-site scripting (XSS) and cross-site request forgery (CSRF/XSRF) vulnerabilities. By convincing a victim to load a specially crafted URL while authenticated to an NMC, an attacker could obtain credentials or perform certain actions as the victim, including turning off the NMC-based device and any systems attached to it.

An attacker can exploit the cross-site request forgery issues to alter the settings on affected devices, which may lead to further network-based attacks. The attacker can exploit the cross-site scripting issues to execute arbitrary script code in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials. Other attacks are also possible.

Versions prior to the following are vulnerable:
Network Management Card Firmware 3.7.2
Network Management Card Firmware 5.1.1

1) Input passed to various parameters (e.g. the "login_username" parameter in Forms/login1) is not properly sanitised before being returned to the user.

2) The application allows users to perform certain actions via HTTP requests without performing any validity checks to verify the request. This can be exploited to e.g. create administrative users by tricking a logged-in administrative user into visiting a malicious web site.

Vulnerability #1 is reported in APC AP7932 Switched Rack PDU version 3.3.4 with application module version 3.7.0. Other APC NMC products and versions may also be affected.

SOLUTION: Filter malicious characters and character sequences using a proxy. Do not browse untrusted websites and do not follow untrusted links. Apply updated firmware versions when available. Contact the vendor for additional details.

PROVIDED AND/OR DISCOVERED BY: Russ McRee, HolisticInfoSec. Vulnerability #1 also independently discovered by Jamal Pecou.

ORIGINAL ADVISORY:
HolisticInfoSec: http://holisticinfosec.org/content/view/111/45/
APC: http://nam-en.apc.com/cgi-bin/nam_en.cfg/php/enduser/std_adp.php?p_faqid=10887&p_created=1261587018&p_topview=1
Jamal Pecou: http://archives.neohapsis.com/archives/bugtraq/current/0219.html

OTHER REFERENCES:
US-CERT VU#166739: http://www.kb.cert.org/vuls/id/166739

Trust: 2.79

sources: NVD: CVE-2009-1797 // CERT/CC: VU#166739 // JVNDB: JVNDB-2009-002512 // BID: 37338 // VULHUB: VHN-39243 // PACKETSTORM: 84238

AFFECTED PRODUCTS

vendor: apc, model: switched rack pdu, scope: eq, version: *

Trust: 1.0

vendor: apc, model: network management card, scope: eq, version: *

Trust: 1.0

vendor: american power conversion corp, model: -, scope: -, version: -

Trust: 0.8

vendor: schneider electric former name, model: apc network management card, scope: -, version: -

Trust: 0.8

vendor: schneider electric former name, model: apc switched rack pdu, scope: -, version: -

Trust: 0.8

vendor: apc, model: network management card, scope: -, version: -

Trust: 0.6

vendor: apc, model: switched rack pdu ap7932, scope: -, version: -

Trust: 0.3

vendor: apc, model: network management card, scope: eq, version: 0

Trust: 0.3

vendor: apc, model: network management card, scope: ne, version: 5.1.1

Trust: 0.3

vendor: apc, model: network management card, scope: ne, version: 3.7.2

Trust: 0.3

sources: CERT/CC: VU#166739 // BID: 37338 // JVNDB: JVNDB-2009-002512 // CNNVD: CNNVD-200912-357 // NVD: CVE-2009-1797

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2009-1797
value: MEDIUM

Trust: 1.0

NVD: CVE-2009-1797
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-200912-357
value: MEDIUM

Trust: 0.6

VULHUB: VHN-39243
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2009-1797
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-39243
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: VULHUB: VHN-39243 // JVNDB: JVNDB-2009-002512 // CNNVD: CNNVD-200912-357 // NVD: CVE-2009-1797

PROBLEMTYPE DATA

problemtype:CWE-352

Trust: 1.9

sources: VULHUB: VHN-39243 // JVNDB: JVNDB-2009-002512 // NVD: CVE-2009-1797

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-200912-357

TYPE

cross-site request forgery

Trust: 0.6

sources: CNNVD: CNNVD-200912-357

CONFIGURATIONS

sources: JVNDB: JVNDB-2009-002512

PATCH

title: 10887, url: http://nam-en.apc.com/cgi-bin/nam_en.cfg/php/enduser/std_adp.php?p_faqid=10887

Trust: 0.8

sources: JVNDB: JVNDB-2009-002512

EXTERNAL IDS

db: CERT/CC, id: VU#166739

Trust: 3.1

db: NVD, id: CVE-2009-1797

Trust: 2.8

db: SECUNIA, id: 37744

Trust: 2.7

db: BID, id: 37338

Trust: 1.9

db: JVNDB, id: JVNDB-2009-002512

Trust: 0.8

db: CNNVD, id: CNNVD-200912-357

Trust: 0.7

db: VULHUB, id: VHN-39243

Trust: 0.1

db: PACKETSTORM, id: 84238

Trust: 0.1

sources: CERT/CC: VU#166739 // VULHUB: VHN-39243 // BID: 37338 // JVNDB: JVNDB-2009-002512 // PACKETSTORM: 84238 // CNNVD: CNNVD-200912-357 // NVD: CVE-2009-1797

REFERENCES

url:http://holisticinfosec.org/content/view/111/45/

Trust: 2.9

url:http://secunia.com/advisories/37744

Trust: 2.5

url:http://www.kb.cert.org/vuls/id/166739

Trust: 2.3

url:http://nam-en.apc.com/cgi-bin/nam_en.cfg/php/enduser/std_adp.php?p_faqid=10887

Trust: 1.7

url:http://nam-en.apc.com/cgi-bin/nam_en.cfg/php/enduser/std_adp.php?p_faqid=10887&p_created=1261587018&p_topview=1

Trust: 1.2

url:http://www.securityfocus.com/archive/1/508468/30/60/threaded

Trust: 0.8

url:http://www.securityfocus.com/archive/1/508468/100/0/threaded

Trust: 0.8

url:http://www.securityfocus.com/bid/37338/info

Trust: 0.8

url:http://www.apcmedia.com/salestools/pmar-82bmh5_r0_en.zip

Trust: 0.8

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2009-1797

Trust: 0.8

url:http://jvn.jp/cert/jvnvu166739/index.html

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2009-1797

Trust: 0.8

url:http://www.securityfocus.com/bid/37338

Trust: 0.8

url:http://www.apc.com

Trust: 0.3

url:http://secunia.com/advisories/37744/

Trust: 0.1

url:http://archives.neohapsis.com/archives/bugtraq/current/0219.html

Trust: 0.1

url:http://secunia.com/advisories/secunia_security_advisories/

Trust: 0.1

url:http://secunia.com/advisories/about_secunia_advisories/

Trust: 0.1

url:http://secunia.com/advisories/business_solutions/

Trust: 0.1

url:http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org

Trust: 0.1

sources: CERT/CC: VU#166739 // VULHUB: VHN-39243 // BID: 37338 // JVNDB: JVNDB-2009-002512 // PACKETSTORM: 84238 // CNNVD: CNNVD-200912-357 // NVD: CVE-2009-1797

CREDITS

Jamal Pecou, Russ McRee

Trust: 0.3

sources: BID: 37338

SOURCES

db: CERT/CC, id: VU#166739
db: VULHUB, id: VHN-39243
db: BID, id: 37338
db: JVNDB, id: JVNDB-2009-002512
db: PACKETSTORM, id: 84238
db: CNNVD, id: CNNVD-200912-357
db: NVD, id: CVE-2009-1797

LAST UPDATE DATE

2025-04-10T23:13:54.609000+00:00


SOURCES UPDATE DATE

db: CERT/CC, id: VU#166739, date: 2010-04-29T00:00:00
db: VULHUB, id: VHN-39243, date: 2010-06-29T00:00:00
db: BID, id: 37338, date: 2010-02-25T17:41:00
db: JVNDB, id: JVNDB-2009-002512, date: 2010-03-12T00:00:00
db: CNNVD, id: CNNVD-200912-357, date: 2009-12-29T00:00:00
db: NVD, id: CVE-2009-1797, date: 2025-04-09T00:30:58.490

SOURCES RELEASE DATE

db: CERT/CC, id: VU#166739, date: 2010-02-25T00:00:00
db: VULHUB, id: VHN-39243, date: 2009-12-28T00:00:00
db: BID, id: 37338, date: 2009-12-15T00:00:00
db: JVNDB, id: JVNDB-2009-002512, date: 2010-03-12T00:00:00
db: PACKETSTORM, id: 84238, date: 2009-12-29T10:24:08
db: CNNVD, id: CNNVD-200912-357, date: 2009-12-28T00:00:00
db: NVD, id: CVE-2009-1797, date: 2009-12-28T19:30:00.233