OpenNMS, a popular open-source network monitoring platform, has been found to have a high-severity vulnerability. The flaw, an XML external entity (XXE) injection vulnerability, allows attackers to read files from the filesystem of the OpenNMS server, send arbitrary HTTP requests to both internal and external services, and cause denial-of-service conditions on affected systems. The vulnerability was discovered by researchers from Synopsys in June and was reported to the OpenNMS maintainers, who subsequently released a patch.
Ben Ronallo, a vulnerability management engineer for Synopsys, stated, "CVE-2023-0871 impacts both Meridian and Horizon, the subscription-based and community-supported, respectively, versions of the OpenNMS network monitoring platform." He further noted that this platform is trusted by companies like Cisco, GigaComm, Savannah River Nuclear Solutions (SRNS), and others in CISA's Critical Infrastructure Sectors.
OpenNMS is used by organizations to monitor their local and distributed networks for performance management, traffic monitoring, fault detection, and alarm generation. The Java-based platform supports monitoring of physical and virtual networks, applications, servers, business performance indicators, and custom metrics. The free OpenNMS Horizon version is a community-driven project with many of the same features as the subscription-based OpenNMS Meridian, but it lacks the support and the more predictable release and update cycles that come with the subscription version.
Synopsys explained that CVE-2023-0871 arises from a permissive XML parser configuration that leaves the parser vulnerable to XML external entity attacks. XXE vulnerabilities like this one allow an attacker to interfere with an application's processing of XML data. Ronallo elaborated, "CVE-2023-0871 is an XXE injection attack, which leverages the default credentials for the Realtime Console (RTC) REST API." He added that this attack manipulates trusted XML data by anticipating how the data is processed, which allows an attacker to potentially compromise other systems, view files on the system running the vulnerable app, or make HTTP requests to other systems via Server-Side Request Forgery (SSRF).
The OpenNMS project acknowledged the vulnerability as affecting OpenNMS Horizon 31.0.8 and versions prior to 32.0.2 on multiple platforms. It urged organizations running affected versions to update to Meridian 2023.1.6, 2022.1.19, 2021.1.30, 2020.1.38, or Horizon 32.0.2 or newer. It also advised organizations not to expose OpenNMS directly to the Internet and to install and use it only within the organization's internal network. Ronallo pointed out that if users follow OpenNMS' recommendation to install only within private networks, the realistic threat is reduced to malicious insiders, such as a compromised user account or a disgruntled employee. Even so, successful exploitation could lead to system compromise.
This year, researchers have discovered several other vulnerabilities in OpenNMS, including CVE-2023-0870, a cross-site request forgery issue with a CVSS score of 8.1, and CVE-2023-0846, an unauthenticated cross-site scripting vulnerability. Both are present in multiple versions of OpenNMS Horizon and Meridian.