Nozomi Stored XSS

A stored Cross-Site Scripting (XSS) vulnerability in the Nozomi Networks Guardian OS web application allows an attacker to inject JavaScript into the website. This may allow a malicious entity to gain (administrative) access to the application or perform actions on behalf of the victim user.

Background

We discovered a security issue in the Nozomi Networks Guardian OS web interface. Due to a lack of sufficient input filtering, it is possible to inject JavaScript code through the function for creating custom fields (e.g. for the environment overview of the product). An attacker can inject malicious code that is later executed by legitimate users who open the website, allowing the attacker to perform unauthorized actions on behalf of those users or to spread malware via the application.

Steps to Reproduce

The application performs filtering of XSS and other injection vectors. However, this filtering was not applied to this particular input field. We were able to place JavaScript without whitespace and with a limited set of characters to circumvent the protection, resulting in successful stored XSS.

The following code was used for the Proof of Concept:

The characters , ' and " within the payload will most likely prevent the XSS from triggering.

The following pictures show how we were able to exploit the vulnerability.

Figure 1: Executed stored XSS in the node list

Figure 2: Executed stored XSS can be viewed encoded in the column selection

Root Cause

This issue exists due to insufficient input filtering in the input field of the custom field section. In order to mitigate the issue, we recommend applying input filtering to all input fields and URL parameters in the entire application to ensure that only valid input is processed (this means input filtering for the fields as well as for the field values).
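As an added illustration of the mitigation described above (example code, not Nozomi's implementation), the following JavaScript contrasts the vulnerable rendering pattern with one that validates custom field names against an allowlist and encodes both the name and the value for their HTML output context. The field name policy and the sample strings are assumptions constructed for this example.

```javascript
// Added example (not Nozomi's code): rendering a custom field name and value
// into an HTML table cell without trusting either string.

// Context-aware encoder for HTML text and double-quoted attribute contexts.
// Every character that can open a tag, close an attribute, or start an entity
// is replaced by its entity form.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Allowlist for the custom *field name*. The advisory recommends filtering the
// field itself as well as its value. Hypothetical policy: letters, digits,
// space, '_' and '-', 1 to 64 characters.
const FIELD_NAME_RE = /^[A-Za-z0-9 _-]{1,64}$/;
function isValidFieldName(name) {
  return FIELD_NAME_RE.test(String(name));
}

// Vulnerable pattern: stored strings are concatenated straight into markup, so
// a stored '"' or '<' becomes live HTML when any user opens the node list.
function renderCustomFieldUnsafe(name, value) {
  return `<td data-field="${name}">${value}</td>`;
}

// Hardened pattern: reject names outside the allowlist and encode both name
// and value for the context they land in. Encoding at render time is what
// prevents execution; the allowlist additionally stops bad data being stored.
function renderCustomFieldSafe(name, value) {
  if (!isValidFieldName(name)) {
    throw new Error('custom field name rejected by allowlist');
  }
  return `<td data-field="${escapeHtml(name)}">${escapeHtml(value)}</td>`;
}

// Constructed sample input: a value that closes the attribute and injects a
// harmless marker element. In the unsafe output it is live markup; in the safe
// output it is inert text.
const SAMPLE_NAME = 'Site';
const SAMPLE_VALUE = '"><s>injected</s>';

console.log('unsafe:', renderCustomFieldUnsafe(SAMPLE_NAME, SAMPLE_VALUE));
console.log('safe:  ', renderCustomFieldSafe(SAMPLE_NAME, SAMPLE_VALUE));
```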

Fix

We were able to verify this vulnerability in software versions below 19.0.3; however, all versions below 19.0.4 are likely affected. The vendor was informed of the finding and has already implemented a fix for this issue. Therefore, updating to version 19.0.4 will mitigate the issue.

Credit

Credit for finding and reporting the issue:

Jonas Becker