Overview
A weak password configuration process in XoruX LPAR2RRD and STOR2RRD allows authenticated attackers with access to the XoruX administration forms to collect the credentials that XoruX uses to connect to monitored systems, and to reuse them to compromise those systems.
Details
The password fields in the monitored services configuration pages contain the actual password currently used by XoruX to connect to these systems.
While these fields are HTML "password" input fields, it is trivial for an attacker to use their browser's developer tools to change the field input type to "text" and display the password in clear text.
Exploitation
Once the XoruX service has been compromised, knowing the credentials it uses to connect to the virtualization and storage infrastructure makes it trivial to spread the compromise by simply reusing the gathered credentials.
Solution
Security patch
XoruX fixed this vulnerability in STOR2RRD/LPAR2RRD 7.30.
Workaround
Password configuration fields should only allow setting a new password for monitored services; they should not reveal the current one.
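One way to verify the behaviour described in the workaround, as an added example (not XoruX code): a Python check that parses a rendered configuration page and flags any password input delivered with a non-empty value attribute. The form markup, host name and field names below are constructed for illustration.

```python
from html.parser import HTMLParser

class PrefilledPasswordAudit(HTMLParser):
    """Collect <input type="password"> elements that arrive with a non-empty value."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = {k: (v or "") for k, v in attrs}  # valueless attributes become ""
        if a.get("type", "").strip().lower() != "password":
            return
        if a.get("value", ""):
            line, _ = self.getpos()
            # Record the field name and value length only, never the secret itself.
            self.findings.append(
                {"line": line, "name": a.get("name", "?"), "length": len(a["value"])}
            )

def audit(html):
    """Return one finding per password field whose value is sent to the browser."""
    parser = PrefilledPasswordAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample: the server echoes the stored password into the form.
BEFORE = '''<form method="post">
<input type="text" name="host" value="storage01.example.test">
<input type="text" name="user" value="monitor">
<input type="PASSWORD" name="password" value="constructed-secret">
</form>'''

# Constructed sample: the field only accepts a new password and is sent empty.
AFTER = '''<form method="post">
<input type="text" name="host" value="storage01.example.test">
<input type="text" name="user" value="monitor">
<input type="password" name="new_password" value="" autocomplete="new-password">
</form>'''

if __name__ == "__main__":
    for label, page in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(page))
```

A finding means the secret is present in the HTTP response body, so masking in the browser offers no protection; a placeholder mask sent by the server would also be flagged and needs manual review.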
References
https://stor2rrd.com/note730.php
https://lpar2rrd.com/note730.php
https://nvd.nist.gov/vuln/detail/CVE-2021-42370
Credits
Orange CERT-CC
Simon GEUSEBROEK at Orange group
Timeline
Date reported: October 11, 2021
Date fixed: October 21, 2021