Headline
CVE-2023-0872: NMS-15703: Do not allow ROLE_REST to modify users by fooker · Pull Request #6354 · OpenNMS/opennms
The Horizon REST API includes a users endpoint in OpenMNS Horizon 31.0.8 and versions earlier than 32.0.2 on multiple platforms is vulnerable to elevation of privilege. The solution is to upgrade to Meridian 2023.1.6, 2022.1.19, 2021.1.30, 2020.1.38 or Horizon 32.0.2 or newer. Meridian and Horizon installation instructions state that they are intended for installation within an organization’s private networks and should not be directly accessible from the Internet.
OpenNMS thanks Erik Wynter for reporting this issue.
All Contributors
- Have you read our Contribution Guidelines?
- Have you (electronically) signed the OpenNMS Contributor Agreement?
Contribution Checklist
- Please make an issue in the OpenNMS issue tracker if there isn’t one already.
Once there is an issue, please:- update the title of this PR to be in the format: ${JIRA-ISSUE-NUMBER}: subject of pull request
- update the Jira link at the bottom of this comment to refer to the real issue number
- prefix your commit messages with the issue number, if possible
- once you’ve created this PR, please link to it in a comment in the Jira issue
Don’t worry if this sounds like a lot, we can help you get things set up properly.
- If this code is likely to affect the UI, did you name your branch with -smoke in it to trigger smoke tests?
- If this is a new or updated feature, is there documentation for the new behavior?
- If this is new code, are there unit and/or integration tests?
- If this PR targets a foundation-* branch, does it try to avoid changing files in $OPENNMS_HOME/etc/?
What’s Next?
A PR should be assigned at least 2 reviewers. If you know that someone would be a good person to review your code, feel free to add them.
If you need help making additions or changes to the documentation related to your changes, please let us know.
In any case, if anything is unclear or you want help getting your PR ready for merge, please don’t hesitate to say something in the comments here,
or in the #opennms-development chat channel.
Once reviewer(s) accept the PR and the branch passes continuous integration, the PR is eligible for merge.
At that time, if you have commit access (are an OpenNMS Group employee or a member of the OGP) you are welcome to merge the PR when you’re ready.
Otherwise, a reviewer can merge it for you.
Thanks for taking time to contribute!
External References
- Jira (Issue Tracker): https://opennms.atlassian.net/browse/NMS-15703
Related news
This Metasploit module exploits built-in functionality in OpenNMS Horizon in order to execute arbitrary commands as the opennms user. For versions 32.0.2 and higher, this module requires valid credentials for a user with ROLE_FILESYSTEM_EDITOR privileges and either ROLE_ADMIN or ROLE_REST. For versions 32.0.1 and lower, credentials are required for a user with ROLE_FILESYSTEM_EDITOR, ROLE_REST, and/or ROLE_ADMIN privileges. In that case, the module will automatically escalate privileges via CVE-2023-40315 or CVE-2023-0872 if necessary. This module has been successfully tested against OpenNMS version 31.0.7.
The Horizon REST API includes a users endpoint in OpenNMS Horizon 31.0.8 and versions earlier than 32.0.2 on multiple platforms is vulnerable to elevation of privilege. The solution is to upgrade to Meridian 2023.1.6, 2022.1.19, 2021.1.30, 2020.1.38 or Horizon 32.0.2 or newer. Meridian and Horizon installation instructions state that they are intended for installation within an organization's private networks and should not be directly accessible from the Internet. OpenNMS thanks Erik Wynter for reporting this issue.