Vulnerability description - Web Server Uses Plain-Text Form Based Authentication
The below vulnerability was detected following a NetOps Spectrum upgrade.
Please advise if there are any actions that can be taken to safely remediate this vulnerability or if any additional information is needed from our end.
Scan results - below results produced from the scan
-----------------------------------------------
GET /axis2/ HTTP/1.0\nHost: <spectrum_oneclick_server_name>:8080\n\n<form class="form-signin" method="POST" action="j_security_check">\n<h1 style="padding: 5 0 10 0;" class="h3 mb-3 font-weight-normal">Log In</h1>\n<div>\n\n<label for="username" class="sr-only">Username</label>\n<p style="font-size: 13px; margin-bottom: 4px;">Username</p>\n<input type="username" name="j_username" id="username" class="form-control" required autofocus>\n</div>\n<label for="inputPassword" class="sr-only">Password</label>\n<p style="font-size: 13px; margin-top: 25px; margin-bottom: 4px;">Password</p>\n<input style="margin-top: 0px;" type="password" name="j_password" id="inputPassword" class="form-control" required>\n<div style="padding: 30 0 15 0;" class="row justify-content-end">\n<div style="max-width: 150px;" class="col ">\n<button id="login" class="btn btn-sm btn-primary btn-block" type="submit"><span style="font-size: 13px; font-weight: 500;">LOG IN</span></button>\n</div>\n</div>\n</form>\n\n\n\nget /axis2/ HTTP/1.0\nHost: <spectrum_oneclick_server_name>:8080\n\nGET /axis2/phpinfo.php HTTP/1.0\nHost: <spectrum_oneclick_server_name>:8080\n\nPOST /axis2/axis2-admin/login HTTP/1.0\nHost: <spectrum_oneclick_server_name>:8080\nContent-Type: application/x-www-form-urlencoded\nContent-Length: 44\n\nuserName=admin&password=axis2&submit=+Login+GET /spectrum/ HTTP/1.0\nHost: <spectrum_oneclick_server_name>:8080\n\nget /spectrum/ HTTP/1.0\nHost: <spectrum_oneclick_server_name>:8080
GET /axis2/ HTTP/1.0\nHost: <spectrum_oneclick_server_name>:8443\n\n<form class="form-signin" method="POST" action="j_security_check">\n<h1 style="padding: 5 0 10 0;" class="h3 mb-3 font-weight-normal">Log In</h1>\n<div>\n\n<label for="username" class="sr-only">Username</label>\n<p style="font-size: 13px; margin-bottom: 4px;">Username</p>\n<input type="username" name="j_username" id="username" class="form-control" required autofocus>\n</div>\n<label for="inputPassword" class="sr-only">Password</label>\n<p style="font-size: 13px; margin-top: 25px; margin-bottom: 4px;">Password</p>\n<input style="margin-top: 0px;" type="password" name="j_password" id="inputPassword" class="form-control" required>\n<div style="padding: 30 0 15 0;" class="row justify-content-end">\n<div style="max-width: 150px;" class="col ">\n<button id="login" class="btn btn-sm btn-primary btn-block" type="submit"><span style="font-size: 13px; font-weight: 500;">LOG IN</span></button>\n</div>\n</div>\n</form>\n\n\n\nget /axis2/ HTTP/1.0\nHost: <spectrum_oneclick_server_name>:8443\n\nGET /axis2/phpinfo.php HTTP/1.0\nHost: <spectrum_oneclick_server_name>:8443\n\nPOST /axis2/axis2-admin/login HTTP/1.0\nHost: <spectrum_oneclick_server_name>:8443\nContent-Type: application/x-www-form-urlencoded\nContent-Length: 44\n\nuserName=admin&password=axis2&submit=+Login+GET /spectrum/ HTTP/1.0\nHost: <spectrum_oneclick_server_name>:8443\n\nget /spectrum/ HTTP/1.0\nHost: <spectrum_oneclick_server_name>:8443
-----------------------------------------------
Release : All Supported Versions
Component : Spectrum OneClick
This issue typically occurs when the HTTP connector in server.xml is enabled even though the HTTPS connector is used in the environment.
Below is from $SPECROOT/tomcat/conf/server.xml:
---------------------------------------------------
<!-- Define a non-SSL HTTP/1.1 Connector on port 8080 -->
<Connector port="8080" URIEncoding="UTF-8" maxHttpHeaderSize="8192" maxThreads="150" minSpareThreads="25" enableLookups="true" redirectPort="8443" acceptCount="100"
connectionTimeout="20000" disableUploadTimeout="true" tcpNoDelay="true"></Connector>
Or it could look like this:
<!-- Define a non-SSL HTTP/1.1 Connector on port 8080 -->
<Connector port="8080" redirectPort="8443" URIEncoding="UTF-8" maxHttpHeaderSize="8192" maxThreads="150" minSpareThreads="25" enableLookups="true" disableUploadTimeout="true" tcpNoDelay="true" acceptCount="100" connectionTimeout="20000"></Connector>
<!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
First, back up $SPECROOT/tomcat/conf/server.xml.
Then edit the original file and comment out the HTTP connector:
---------------------------------------------------
<!-- Define a non-SSL HTTP/1.1 Connector on port 8080 -->
<Connector port="8080" URIEncoding="UTF-8" maxHttpHeaderSize="8192" maxThreads="150" minSpareThreads="25" enableLookups="true" redirectPort="8443" acceptCount="100"
connectionTimeout="20000" disableUploadTimeout="true" tcpNoDelay="true"></Connector>
so it looks like this:
<!-- Define a non-SSL HTTP/1.1 Connector on port 8080
<Connector port="8080" URIEncoding="UTF-8" maxHttpHeaderSize="8192" maxThreads="150" minSpareThreads="25" enableLookups="true" redirectPort="8443" acceptCount="100"
connectionTimeout="20000" disableUploadTimeout="true" tcpNoDelay="true"></Connector>
-->
************
or
<!-- Define a non-SSL HTTP/1.1 Connector on port 8080 -->
<Connector port="8080" redirectPort="8443" URIEncoding="UTF-8" maxHttpHeaderSize="8192" maxThreads="150" minSpareThreads="25" enableLookups="true" disableUploadTimeout="true" tcpNoDelay="true" acceptCount="100" connectionTimeout="20000"></Connector>
<!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
becomes
<!-- Define a non-SSL HTTP/1.1 Connector on port 8080 -->
<!--
<Connector port="8080" redirectPort="8443" URIEncoding="UTF-8" maxHttpHeaderSize="8192" maxThreads="150" minSpareThreads="25" enableLookups="true" disableUploadTimeout="true" tcpNoDelay="true" acceptCount="100" connectionTimeout="20000"></Connector>
-->
<!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
Recycle the Tomcat service in Spectrum:
cd $SPECROOT/tomcat/bin
./stopTomcat.sh
./startTomcat.sh
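To confirm the edit before restarting, the check below lists every Connector that is still active and not TLS-enabled. It is an added example, not part of the original article or of Spectrum; a plain grep for port="8080" would also match the commented-out text, so the file is parsed as XML, which drops comments. The function name and the sample files are constructed, and the 8443 connector in the samples is an assumed minimal form using Tomcat's standard SSLEnabled attribute.

```python
import sys
import xml.etree.ElementTree as ET


def plain_http_connectors(server_xml_text):
    """Return the ports of active (uncommented) non-TLS HTTP Connectors."""
    root = ET.fromstring(server_xml_text)  # XML comments are discarded by the parser
    ports = []
    for conn in root.iter("Connector"):
        protocol = conn.get("protocol", "HTTP/1.1")
        if "ajp" in protocol.lower():
            continue  # AJP connectors do not serve the browser login form
        if conn.get("SSLEnabled", "false").lower() != "true":
            ports.append(conn.get("port"))
    return ports


# Constructed sample: HTTP connector still enabled (the state the scan flagged).
BEFORE = """<Server><Service name="Catalina">
<!-- Define a non-SSL HTTP/1.1 Connector on port 8080 -->
<Connector port="8080" redirectPort="8443" URIEncoding="UTF-8" connectionTimeout="20000"></Connector>
<!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
<Connector port="8443" SSLEnabled="true" scheme="https" secure="true"></Connector>
</Service></Server>"""

# Constructed sample: HTTP connector commented out as described above.
AFTER = """<Server><Service name="Catalina">
<!-- Define a non-SSL HTTP/1.1 Connector on port 8080 -->
<!--
<Connector port="8080" redirectPort="8443" URIEncoding="UTF-8" connectionTimeout="20000"></Connector>
-->
<!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
<Connector port="8443" SSLEnabled="true" scheme="https" secure="true"></Connector>
</Service></Server>"""


if __name__ == "__main__":
    # Usage: python check_connectors.py $SPECROOT/tomcat/conf/server.xml
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            found = plain_http_connectors(fh.read())
    else:
        found = plain_http_connectors(BEFORE)
    print("Active plain-HTTP connector ports:", found or "none")
    sys.exit(1 if found else 0)
```

An empty result means no clear-text HTTP listener remains configured; a parse error means the comment markers were left unbalanced and Tomcat would also fail to read the file.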