Patch Now: OpenNMS Bug Steals Data, Triggers Denial of Service

Maintainers of OpenNMS patched a high-severity vulnerability in both the community-supported and subscription-based versions of the widely used open source network monitoring software.

The XML external entity (XXE) injection vulnerability gives attackers a way to exfiltrate data from the OpenNMS file server system, send arbitrary HTTP requests to internal and external services, and trigger denial-of-service conditions on affected systems.

Platform Trusted by Cisco, GigaComm, Others

Researchers from Synopsys discovered the vulnerability in June and reported it to the maintainers of OpenNMS, who released a patch last week.

"CVE-2023-0871 impacts both Meridian and Horizon, the subscription-based and community-supported, respectively, versions of the OpenNMS network monitoring platform," says Ben Ronallo, vulnerability management engineer for Synopsys. "This platform is trusted by companies like Cisco, GigaComm, Savannah River Nuclear Solutions (SRNS), as well as others in CISA's Critical Infrastructure Sectors," he adds.

Organizations use OpenNMS to monitor their local and distributed networks for a variety of uses, including performance management, traffic monitoring, fault detection, and alarm generation. The Java-based platform supports the monitoring of both physical and virtual networks, applications, servers, business performance indications, and custom metrics.

The free version of OpenNMS Horizon is a community-driven project that includes many of the same features as the subscription-based OpenNMS Meridian version. However, it lacks the support and easier release and update cycles available with the subscription version.

Permissive XML Parser

According to Synopsys, CVE-2023-0871 stems from a permissive XML parser configuration that makes the parser prone to XML external entity attacks. An XML parser configuration is permissive if, for example, it allows external files and URLs to be referenced within XML. XXE vulnerabilities, like those discovered by Synopsys, allow an attacker to essentially interfere with an application's processing of XML data.

"CVE-2023-0871 is an XXE injection attack, which leverages the default credentials for the Realtime Console (RTC) REST API," Ronallo says. "This attack modifies trusted XML data by anticipating how the data is processed." This enables an attacker to potentially compromise other physical and/or virtual systems, view files on the system running the vulnerable app, or make HTTP requests to other systems via Server-Side Request Forgery (SSRF), he notes.

The OpenNMS project described the vulnerability as affecting OpenNMS Horizon 31.0.8 and versions prior to 32.0.2 on multiple platforms. The maintainers of the project urged organizations using affected versions of the software to update to Meridian 2023.1.6, 2022.1.19, 2021.1.30, 2020.1.38, or Horizon 32.0.2 or newer. The alert reminded organizations not to make OpenNMS directly accessible over the Internet and to ensure that it is installed and used only with an organization's internal network.

"Assuming users of the platform adhere to OpenNMS' recommendation to only install within private networks, the likelihood of this attack succeeding is reduced to malicious insiders," Ronallo says. This could include a compromised user or a disgruntled employee. "However, if successfully exploited, this vulnerability could lead to system compromise."

CVE-2023-0871 is one of several vulnerabilities that researchers have uncovered in OpenNMS so far this year. Among the more serious of them are CVE-2023-0870, a cross-site request forgery issue with a CVSS score of 8.1, and present in multiple versions of OpenNMS Horizon and Meridian and CVE-2023-0846, an unauthenticated, cross-site scripting vulnerability in both OpenNMS versions.