Corero SecureWatch Managed Services 9.7.2.0020 does not correctly check the privileges of users with the swa-monitor and cns-monitor roles, allowing such users to perform actions outside the scope of their role.
“SecureWatch Managed Services are a comprehensive suite of configuration optimization, monitoring and mitigation response services. This round-the-clock service, delivered by Corero’s highly experienced Security Operations Center, is tailored to meet the security policy requirements and business goals of each SmartWall customer that engages in a SecureWatch managed service plan.” More information is available at https://www.corero.com/product/managed-ddos-protection-services/
Users with specific roles can perform privileged operations outside of the scope of their role.
Users with the “swa-monitor” role can interact with the following HTTP API endpoints on the target host:
Furthermore, a user with the “cns-monitor” role can reach the following endpoint on the target host:
https://$host:8000/it-IT/splunkd/__raw/services/get_snapshot_list
An attacker with access to a “swa-monitor” or “cns-monitor” account can perform privileged operations and gain access to reserved information.
Upgrade Corero SecureWatch Managed Services to version 9.7.5 or later. (Note: we didn’t verify the patch.)
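To review whether the get_snapshot_list endpoint was already reached by low-privilege accounts, the following added example (not part of the original advisory and not vendor code) filters access-log lines for successful requests to that endpoint by accounts holding the "cns-monitor" role. The log layout, the user-to-role mapping, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Endpoint named in the advisory; the locale prefix (it-IT in its URL) varies per user.
ENDPOINT = "/splunkd/__raw/services/get_snapshot_list"
LOCALE = re.compile(r"^/[a-z]{2}[-_][A-Za-z]{2}(?=/)")
# Assumed access-log layout: ip - user [timestamp] "METHOD target HTTP/x" status ...
LINE = re.compile(r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
                  r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def normalise(target):
    """Drop the query string, decode %xx, collapse slashes, strip the locale prefix."""
    path = unquote(target.split("?", 1)[0])
    path = re.sub(r"/{2,}", "/", path)
    return LOCALE.sub("", path).rstrip("/")

def find_hits(lines, roles, watched=("cns-monitor",)):
    """Return (timestamp, ip, user, status) for 2xx requests to ENDPOINT
    made by accounts that hold one of the watched roles."""
    hits = []
    for line in lines:
        m = LINE.match(line)
        if not m or normalise(m["target"]) != ENDPOINT:
            continue
        if set(roles.get(m["user"], ())) & set(watched) and m["status"].startswith("2"):
            hits.append((m["ts"], m["ip"], m["user"], m["status"]))
    return hits

# Constructed sample data: hypothetical accounts, documentation IP addresses.
SAMPLE_ROLES = {"alice": ["cns-monitor"], "bob": ["admin"]}
SAMPLE_LOG = [
    '192.0.2.10 - alice [06/Aug/2021:10:15:02 +0200] "GET /it-IT/splunkd/__raw/services/get_snapshot_list HTTP/1.1" 200 812',
    '192.0.2.10 - alice [06/Aug/2021:10:15:09 +0200] "GET /en-US//splunkd/__raw/services/get_snapshot_list/?_=1 HTTP/1.1" 200 812',
    '192.0.2.11 - bob [06/Aug/2021:10:16:00 +0200] "GET /it-IT/splunkd/__raw/services/get_snapshot_list HTTP/1.1" 200 812',
    '192.0.2.10 - alice [06/Aug/2021:10:17:00 +0200] "GET /it-IT/splunkd/__raw/services/get_snapshot_list HTTP/1.1" 403 90',
    '192.0.2.10 - alice [06/Aug/2021:10:18:00 +0200] "GET /it-IT/app/launcher/home HTTP/1.1" 200 4000',
]

if __name__ == "__main__":
    for hit in find_hits(SAMPLE_LOG, SAMPLE_ROLES):
        print(*hit)
```

Matching on the normalised path rather than the raw URL keeps the check independent of the user's locale prefix, query strings and duplicated slashes.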
Giulio `linset` Casciaro from Shielder
This advisory was first published on https://www.shielder.com/advisories/corero_secure_watch_managed_services-multiple-broken-access-control/
Date
6 August 2021