ID

VAR-200912-0431


CVE

CVE-2009-1798


TITLE

APC Network Management Card web interface vulnerable to cross-site scripting and cross-site request forgery

Trust: 0.8

sources: CERT/CC: VU#166739

DESCRIPTION

Multiple cross-site scripting (XSS) vulnerabilities on the Network Management Card (NMC) on American Power Conversion (APC) Switched Rack PDU (aka Rack Mount Power Distribution) devices and other devices allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. NOTE: the login_username vector for Forms/login1 is already covered by CVE-2009-4406.

By convincing a victim to load a specially crafted URL while authenticated to an NMC, an attacker could obtain credentials or perform certain actions as the victim, including turning off the NMC-based device and any systems attached to it.

An attacker can exploit the cross-site request forgery issues to alter the settings on affected devices, which may lead to further network-based attacks. The attacker can exploit the cross-site scripting issues to execute arbitrary script code in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials. Other attacks are also possible.

Versions prior to the following are vulnerable:
Network Management Card Firmware 3.7.2
Network Management Card Firmware 5.1.1

1) Input passed to various parameters (e.g. the "login_username" parameter in Forms/login1) is not properly sanitised before being returned to the user.

2) The application allows users to perform certain actions via HTTP requests without performing any validity checks to verify the request. This can be exploited to e.g. create administrative users by tricking a logged-in administrative user into visiting a malicious web site.

Vulnerability #1 is reported in APC AP7932 Switched Rack PDU version 3.3.4 with application module version 3.7.0. Other APC NMC products and versions may also be affected.

SOLUTION: Filter malicious characters and character sequences using a proxy. Do not browse untrusted websites and do not follow untrusted links. Apply updated firmware versions when available. Contact the vendor for additional details.

PROVIDED AND/OR DISCOVERED BY: Russ McRee, HolisticInfoSec. Vulnerability #1 also independently discovered by Jamal Pecou.

ORIGINAL ADVISORY:
HolisticInfoSec: http://holisticinfosec.org/content/view/111/45/
APC: http://nam-en.apc.com/cgi-bin/nam_en.cfg/php/enduser/std_adp.php?p_faqid=10887&p_created=1261587018&p_topview=1
Jamal Pecou: http://archives.neohapsis.com/archives/bugtraq/current/0219.html

OTHER REFERENCES:
US-CERT VU#166739: http://www.kb.cert.org/vuls/id/166739

Trust: 2.79

sources: NVD: CVE-2009-1798 // CERT/CC: VU#166739 // JVNDB: JVNDB-2009-002513 // BID: 37338 // VULHUB: VHN-39244 // PACKETSTORM: 84238

AFFECTED PRODUCTS

vendor: apc // model: switched rack pdu // scope: eq // version: *

Trust: 1.0

vendor: apc // model: network management card // scope: eq // version: *

Trust: 1.0

vendor: american power conversion corp // model: - // scope: - // version: -

Trust: 0.8

vendor: schneider electric former name // model: apc network management card // scope: - // version: -

Trust: 0.8

vendor: schneider electric former name // model: apc switched rack pdu // scope: - // version: -

Trust: 0.8

vendor: apc // model: network management card // scope: - // version: -

Trust: 0.6

vendor: apc // model: switched rack pdu ap7932 // scope: - // version: -

Trust: 0.3

vendor: apc // model: network management card // scope: eq // version: 0

Trust: 0.3

vendor: apc // model: network management card // scope: ne // version: 5.1.1

Trust: 0.3

vendor: apc // model: network management card // scope: ne // version: 3.7.2

Trust: 0.3

sources: CERT/CC: VU#166739 // BID: 37338 // JVNDB: JVNDB-2009-002513 // CNNVD: CNNVD-200912-358 // NVD: CVE-2009-1798

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2009-1798
value: MEDIUM

Trust: 1.0

NVD: CVE-2009-1798
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-200912-358
value: MEDIUM

Trust: 0.6

VULHUB: VHN-39244
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2009-1798
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-39244
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: VULHUB: VHN-39244 // JVNDB: JVNDB-2009-002513 // CNNVD: CNNVD-200912-358 // NVD: CVE-2009-1798

PROBLEMTYPE DATA

problemtype:CWE-79

Trust: 1.9

sources: VULHUB: VHN-39244 // JVNDB: JVNDB-2009-002513 // NVD: CVE-2009-1798

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-200912-358

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-200912-358

CONFIGURATIONS

sources: JVNDB: JVNDB-2009-002513

EXPLOIT AVAILABILITY

sources: VULHUB: VHN-39244

PATCH

title: 10887 // url: http://nam-en.apc.com/cgi-bin/nam_en.cfg/php/enduser/std_adp.php?p_faqid=10887

Trust: 0.8

sources: JVNDB: JVNDB-2009-002513

EXTERNAL IDS

db: CERT/CC // id: VU#166739

Trust: 3.1

db: NVD // id: CVE-2009-1798

Trust: 2.8

db: SECUNIA // id: 37744

Trust: 2.7

db: BID // id: 37338

Trust: 1.9

db: JVNDB // id: JVNDB-2009-002513

Trust: 0.8

db: CNNVD // id: CNNVD-200912-358

Trust: 0.7

db: EXPLOIT-DB // id: 33405

Trust: 0.1

db: SEEBUG // id: SSVID-86627

Trust: 0.1

db: VULHUB // id: VHN-39244

Trust: 0.1

db: PACKETSTORM // id: 84238

Trust: 0.1

sources: CERT/CC: VU#166739 // VULHUB: VHN-39244 // BID: 37338 // JVNDB: JVNDB-2009-002513 // PACKETSTORM: 84238 // CNNVD: CNNVD-200912-358 // NVD: CVE-2009-1798

REFERENCES

url:http://holisticinfosec.org/content/view/111/45/

Trust: 2.9

url:http://secunia.com/advisories/37744

Trust: 2.5

url:http://www.kb.cert.org/vuls/id/166739

Trust: 2.3

url:http://nam-en.apc.com/cgi-bin/nam_en.cfg/php/enduser/std_adp.php?p_faqid=10887

Trust: 1.7

url:http://nam-en.apc.com/cgi-bin/nam_en.cfg/php/enduser/std_adp.php?p_faqid=10887&p_created=1261587018&p_topview=1

Trust: 1.2

url:http://www.securityfocus.com/archive/1/508468/30/60/threaded

Trust: 0.8

url:http://www.securityfocus.com/archive/1/508468/100/0/threaded

Trust: 0.8

url:http://www.securityfocus.com/bid/37338/info

Trust: 0.8

url:http://www.apcmedia.com/salestools/pmar-82bmh5_r0_en.zip

Trust: 0.8

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2009-1798

Trust: 0.8

url:http://jvn.jp/cert/jvnvu166739/index.html

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2009-1798

Trust: 0.8

url:http://www.securityfocus.com/bid/37338

Trust: 0.8

url:http://www.apc.com

Trust: 0.3

url:http://secunia.com/advisories/37744/

Trust: 0.1

url:http://archives.neohapsis.com/archives/bugtraq/current/0219.html

Trust: 0.1

url:http://secunia.com/advisories/secunia_security_advisories/

Trust: 0.1

url:http://secunia.com/advisories/about_secunia_advisories/

Trust: 0.1

url:http://secunia.com/advisories/business_solutions/

Trust: 0.1

url:http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org

Trust: 0.1

sources: CERT/CC: VU#166739 // VULHUB: VHN-39244 // BID: 37338 // JVNDB: JVNDB-2009-002513 // PACKETSTORM: 84238 // CNNVD: CNNVD-200912-358 // NVD: CVE-2009-1798

CREDITS

Jamal Pecou, Russ McRee

Trust: 0.9

sources: BID: 37338 // CNNVD: CNNVD-200912-358

SOURCES

db: CERT/CC // id: VU#166739
db: VULHUB // id: VHN-39244
db: BID // id: 37338
db: JVNDB // id: JVNDB-2009-002513
db: PACKETSTORM // id: 84238
db: CNNVD // id: CNNVD-200912-358
db: NVD // id: CVE-2009-1798

LAST UPDATE DATE

2025-04-10T23:13:54.530000+00:00


SOURCES UPDATE DATE

db: CERT/CC // id: VU#166739 // date: 2010-04-29T00:00:00
db: VULHUB // id: VHN-39244 // date: 2010-06-29T00:00:00
db: BID // id: 37338 // date: 2010-02-25T17:41:00
db: JVNDB // id: JVNDB-2009-002513 // date: 2010-03-12T00:00:00
db: CNNVD // id: CNNVD-200912-358 // date: 2009-12-29T00:00:00
db: NVD // id: CVE-2009-1798 // date: 2025-04-09T00:30:58.490

SOURCES RELEASE DATE

db: CERT/CC // id: VU#166739 // date: 2010-02-25T00:00:00
db: VULHUB // id: VHN-39244 // date: 2009-12-28T00:00:00
db: BID // id: 37338 // date: 2009-12-15T00:00:00
db: JVNDB // id: JVNDB-2009-002513 // date: 2010-03-12T00:00:00
db: PACKETSTORM // id: 84238 // date: 2009-12-29T10:24:08
db: CNNVD // id: CNNVD-200912-358 // date: 2009-12-28T00:00:00
db: NVD // id: CVE-2009-1798 // date: 2009-12-28T19:30:00.267