ETSI Open-Source MANO Privilege Escalation Vulnerability
Vulnerability
A privilege escalation vulnerability has been identified in ETSI Open-Source MANO (OSM) versions 14.x and 15.x. The issue allows remote attackers to escalate privileges through the '/osm/admin/v1/users' component. This vulnerability arises from a broken object-level authorization, enabling authenticated users, even those with low privileges, to perform unauthorized actions on user accounts, including administrative ones.
Impact
Exploitation of this vulnerability allows for unauthorized privilege escalation, enabling users to gain administrative rights and potentially take over other accounts, including those of system administrators.
Reproduction
The vulnerability can be reproduced by an authenticated user with a low-privileged role, such as 'project user'. The user can send a PATCH request to the '/osm/admin/v1/users' endpoint, targeting either a username or user UUID. The request can include a JSON payload to change user details, such as passwords or roles. This process can be automated with a brute-force attack using a tool like Wfuzz, taking advantage of the lack of authentication attempt restrictions for the default admin account.
Remediation
Users are advised to update to OSM versions 14.0.3, 15.0.2, or 17.0.1. For version 16.0.0, a fix is available from a specific commit. Until the update is applied, restrict access to the OSM interface by source IP, deploy request throttling, and automatically blacklist sources that generate excessive or anomalous request patterns.
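Detection logic for the two patterns described in the Reproduction and Remediation sections, as an added example that is not part of this advisory or of the OSM project: it scans access-log lines for writes to /osm/admin/v1/users by a non-admin actor against any account other than their own (addressed by username or by user UUID, as the advisory notes) and counts failed admin-API authentications per source as input for throttling or blacklisting. The log line format, the role name system_admin, the UUID-to-username map and the sample lines are constructed assumptions; /osm/admin/v1/tokens is assumed to be the NBI token endpoint.

```python
import re
from collections import Counter

# Constructed access-log format for this example (an assumption, not OSM's real format):
# "<ts> src=<ip> user=<actor> role=<role> <METHOD> <path> status=<code>"
LINE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<actor>\S+) role=(?P<role>\S+) "
    r"(?P<method>[A-Z]+) (?P<path>\S+) status=(?P<status>\d{3})$"
)
# The affected endpoint; the last path element is a username or a user UUID.
USERS_PATH = re.compile(r"^/osm/admin/v1/users/(?P<target>[^/?]+)$")
ADMIN_ROLES = {"system_admin"}  # assumed name of the administrative role
USER_IDS = {"3f0c9c7e-0d2f-4d5e-9c1a-1b2c3d4e5f60": "admin"}  # constructed UUID -> username map

def parse(line):
    m = LINE.match(line)
    return m.groupdict() if m else None

def resolve(target):
    """Map a UUID path element to its username; plain usernames pass through unchanged."""
    return USER_IDS.get(target, target)

def find_bola_attempts(lines):
    """Writes to the users endpoint by a non-admin actor against an account that is not their own."""
    hits = []
    for rec in map(parse, lines):
        if not rec or rec["method"] not in ("PATCH", "PUT", "DELETE"):
            continue
        m = USERS_PATH.match(rec["path"])
        if m and rec["role"] not in ADMIN_ROLES and resolve(m["target"]) != rec["actor"]:
            hits.append((rec["src"], rec["actor"], resolve(m["target"]), rec["status"]))
    return hits

def find_bruteforce_sources(lines, threshold=5):
    """Sources whose 401/403 count on the admin API reaches the threshold (candidates for blacklisting)."""
    failures = Counter(r["src"] for r in map(parse, lines)
                       if r and r["path"].startswith("/osm/admin/v1/") and r["status"] in ("401", "403"))
    return {src: n for src, n in failures.items() if n >= threshold}

# Constructed sample: one self-edit, two cross-account writes (by name and by UUID),
# one legitimate admin action, and a burst of failed token requests from one source.
SAMPLE = [
    "2024-01-01T10:00:00Z src=10.0.0.5 user=bob role=project_user PATCH /osm/admin/v1/users/bob status=200",
    "2024-01-01T10:00:01Z src=10.0.0.5 user=bob role=project_user PATCH /osm/admin/v1/users/admin status=200",
    "2024-01-01T10:00:02Z src=10.0.0.5 user=bob role=project_user PATCH /osm/admin/v1/users/3f0c9c7e-0d2f-4d5e-9c1a-1b2c3d4e5f60 status=200",
    "2024-01-01T10:00:03Z src=10.0.0.9 user=root role=system_admin PATCH /osm/admin/v1/users/bob status=200",
] + [f"2024-01-01T10:01:{i:02d}Z src=10.0.0.7 user=- role=- POST /osm/admin/v1/tokens status=401" for i in range(6)]

if __name__ == "__main__":
    print(find_bola_attempts(SAMPLE))        # two cross-account writes by bob against admin
    print(find_bruteforce_sources(SAMPLE))   # {'10.0.0.7': 6}
```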
