Xorux XorMon-NG Read-Only User Export Device Configuration Exposing Sensitive Information
Vulnerability
A vulnerability exists in Xorux XorMon-NG versions through 1.8 that allows low-privileged, read-only web application users to reach a hidden API endpoint intended for administrators. The endpoint exports the appliance configuration in an encrypted form that, once decrypted, reveals sensitive information such as the password hashes of all users and cloud credentials in clear text. An authenticated read-only user could use this to obtain and crack the password hashes of more privileged users, including the admin, or to access cloud infrastructure.
Impact
Exploitation of this vulnerability could lead to unauthorized access to sensitive information, including user password hashes and cloud credentials, potentially allowing for further exploitation of user accounts or cloud infrastructure.
Reproduction
To reproduce this vulnerability, an authenticated read-only user can send a POST request to the '/api/confporter/v1/export' endpoint. The request must include a 'Content-Type' header set to 'application/json' and a 'Cookie' header with a valid session cookie. The request body should specify the keys to be exported, such as 'hostcfg', 'users', 'groups', and 'ldaps', along with a password field set to 'undefined'. The response will be a GPG-encrypted file containing the exported configuration, which can be decrypted to access the sensitive information.
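As a detection aid added here (not part of the advisory or of Xorux's own tooling), the function below scans web access-log lines for POST requests to the export endpoint made by accounts that are not administrators. It assumes the appliance's access log is in combined format with the authenticated username in the identity field, and that a user-to-role map has been taken from the appliance's user list; both the log lines and the role map are constructed sample data.

```python
import re

# Constructed sample data (not from the product): a user-to-role map as an operator
# would export from the appliance's user list, and a few combined-format log lines.
USER_ROLES = {"admin": "admin", "alice": "readonly", "bob": "readonly"}

SAMPLE_LOG = """\
10.0.0.9 - admin [12/May/2024:10:02:00 +0000] "POST /api/confporter/v1/export HTTP/1.1" 200 8192
10.0.0.5 - alice [12/May/2024:10:01:02 +0000] "GET /api/hosts HTTP/1.1" 200 512
10.0.0.5 - alice [12/May/2024:10:01:09 +0000] "POST /api/confporter/v1/export HTTP/1.1" 200 8192
10.0.0.7 - bob [12/May/2024:10:03:00 +0000] "POST /api/confporter/v1/export HTTP/1.1" 403 0
"""

# Endpoint named in the advisory; only admins should ever be calling it.
EXPORT_ENDPOINT = "/api/confporter/v1/export"

# Assumed combined log format: ip ident user [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_unauthorized_exports(log_text, user_roles):
    """Return calls to the export endpoint by non-admin accounts, oldest first in log order.

    A 2xx response for a read-only account is the strong signal (a configuration export
    actually left the appliance); other statuses are still reported at lower severity,
    because they show the account attempted it, e.g. on a patched 1.9.38 appliance.
    """
    hits = []
    for line in log_text.splitlines():
        e = parse_line(line)
        if not e or e["method"] != "POST" or e["path"].split("?")[0] != EXPORT_ENDPOINT:
            continue
        role = user_roles.get(e["user"], "unknown")  # unknown accounts are not trusted
        if role == "admin":
            continue
        severity = "high" if e["status"].startswith("2") else "medium"
        hits.append({"user": e["user"], "role": role, "ip": e["ip"], "ts": e["ts"],
                     "status": int(e["status"]), "severity": severity})
    return hits


if __name__ == "__main__":
    for h in find_unauthorized_exports(SAMPLE_LOG, USER_ROLES):
        print(f"[{h['severity']}] {h['ts']} user={h['user']} ({h['role']}) "
              f"from {h['ip']} status={h['status']}")
```

Any high-severity hit on an appliance older than 1.9.38 should be treated as a confirmed export of password hashes and cloud credentials, and those credentials rotated.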
Remediation
Users are advised to update to Xorux XorMon-NG version 1.9.38, which addresses this vulnerability.
