Louhi Networks Information Security Research
Security Advisory
Advisory: IBM BladeCenter Advanced Management Module
Multiple vulnerabilities
(XSS type 2 & 1, CSRF, Information Disclosure)
Release Date: 2009-04-09
Last Modified: 2009-04-09
Authors: Henri Lindberg [henri.lindberg@louhi.fi], CISA
Device: IBM BladeCenter H AMM
Main application: BPET36H
Released: 03-20-08
Rev: 54
Risk: Low - Moderate
High if Web Access is in active use and
access to the login page is unrestricted
Vendor Status: Vendor notified, patch available.
References: http://www.louhinetworks.fi/advisory/ibm_090409.txt
Affected devices (from vendor):
IBM BladeCenter E (1881, 7967, 8677)
IBM BladeCenter H (7989, 8852)
IBM BladeCenter HT (8740, 8750)
IBM BladeCenter S (1948, 8886)
IBM BladeCenter T (8720, 8730)
IBM BladeCenter JS12 (7998)
IBM BladeCenter JS21 (7988, 8844)
IBM BladeCenter JS22 (7998)
IBM BladeCenter HC10 (7996)
IBM BladeCenter HS12 (8014, 1916, 8028)
IBM BladeCenter HS20 (1883, 8843)
IBM BladeCenter HS21 (8853, 1885)
IBM BladeCenter HS21 XM (7995, 1915)
IBM BladeCenter LS20 (8850)
IBM BladeCenter LS21 (7971)
IBM BladeCenter LS41 (7972)
IBM BladeCenter QS21 (0792)
IBM BladeCenter QS22 (0793)
Overview:
Quotes from
http://www-03.ibm.com/systems/bladecenter/hardware/chassis/bladeh/index.html
"In today's high-demand enterprise environment, organizations
need a reliable infrastructure to run compute-intensive
applications with minimal maintenance and downtime.
IBM BladeCenter H is a powerful platform built with the
enterprise customer in mind, providing industry-leading performance,
innovative architecture and a solid foundation for virtualization."
"Provides easy integration to promote innovation and help manage
growth, complexity and risk"
During a quick overview of the BladeCenter AMM web access, it was
discovered that the web administration interface has multiple
vulnerabilities regarding input and request validation.
Details:
Cross Site Scripting
===================
Type 2:
-------
The most serious issue discovered was a persistent XSS
vulnerability on the event log page, resulting from the
display of unsanitized user input received from an invalid
login attempt.
It can be exploited without valid credentials or social
engineering. Network access to the device administration IP
address is needed, however, and an administrator has to view
the event log at some point.
A successful attack requires that an administrator visits the
event log page; the injected content is then interpreted by the
administrator's browser, enabling the attacker to control the
chassis and blade configuration with the administrator's session.
For example, all blades can be shut down or new administrative
users can be added, depending on the administrator's access rights.
Unsuccessful login attempts are displayed in the event log
without HTML encoding or input sanitization. It is possible to
inject a reference to a remote JavaScript file by using, for
example, the following username:
, dynamic javascript is spilled
out on the page and it is quite easy to mess up formatting
of the event log page.
The log can be cleared by an authenticated administrator via the URL:
http://1.2.3.4/private/clearlog
Event log javascript format:
parent.LogEntryArray[i++] = new LogEntry( "1","2","Audit
","SN#420420313370","09/09/08","04:20:42","Remote login failed
for user 'PATH=/etc">
Information Disclosure
=====================
A read-only operator (for example, a Blade operator with
a scope assignment to one Blade) can view the security
permissions of other users (access roles and scopes) by
forcefully browsing to their respective login profile pages:
http://1.2.3.4/private/login.ssi?WEBINDEX=