Summary
NethSecurity 8 logs are prone to Stored XSS
Details
On a NethSecurity 8 instance, when the logs record malicious events that contain an XSS payload, the payload executes in the browser of whoever views them. This happens because the log entries are displayed with v-html: if a log entry contains JavaScript code, the browser interprets it.
PoC
Trying to log in with: <img src/onerror=alert("XSS")> [and a random password] stores the XSS payload in the logs.
Impact
This is a Stored XSS and administrators looking at the logs may be impacted (with store of session information)
Attack attempts detection
To check for any attack attempts, execute the following command:
grep '\[INFO\]\[AUTH\] authentication failed for user' /var/log/messages
Example output:
Jun 5 13:08:51 NethSec nethsecurity-api[6306]: nethsecurity_api 2024/06/05 13:08:51 middleware.go:71: [INFO][AUTH] authentication failed for user root: exit status 250
A potential indicator of an attack is the presence of JavaScript code (either in clear text or base64) in the username field.
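The check described above, as an added example that is not part of the advisory or the NethSecurity project: a Python script that extracts the username from each failed-login line and flags HTML/JavaScript markers, either in clear text or after base64 decoding. The marker patterns and the 16-character base64 threshold are assumptions, and the sample lines other than the advisory's own example are constructed.

```python
import base64
import binascii
import re

# Line layout taken from the advisory's example output.
FAILED = re.compile(
    r"\[INFO\]\[AUTH\] authentication failed for user (?P<user>.*): exit status \d+\s*$")
# Heuristic markers of HTML/JavaScript in a username (assumed, not exhaustive).
MARKUP = re.compile(r"[<>]|javascript:|\bon\w+\s*=", re.IGNORECASE)
# Runs that could be base64: right alphabet and at least 16 characters (assumed).
B64_RUN = re.compile(r"[A-Za-z0-9+/]{16,}")

def classify(username):
    """Return 'markup', 'base64-markup' or None for one logged username."""
    if MARKUP.search(username):
        return "markup"
    for run in B64_RUN.findall(username):
        try:
            padded = run + "=" * (-len(run) % 4)
            text = base64.b64decode(padded, validate=True).decode("ascii")
        except (binascii.Error, UnicodeDecodeError):
            continue  # not base64, or decodes to binary noise
        if text.isprintable() and MARKUP.search(text):
            return "base64-markup"
    return None

def scan(lines):
    """Return (line_number, reason, username) for suspicious failed logins."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = FAILED.search(line)
        if match:
            reason = classify(match.group("user"))
            if reason:
                hits.append((number, reason, match.group("user")))
    return hits

# Constructed sample: the advisory's example line (root) plus two made-up entries.
PREFIX = ("Jun 5 13:08:51 NethSec nethsecurity-api[6306]: nethsecurity_api "
          "2024/06/05 13:08:51 middleware.go:71: [INFO][AUTH] authentication failed for user ")
POC = '<img src/onerror=alert("XSS")>'
SAMPLE = [PREFIX + user + ": exit status 250"
          for user in ("root", POC, base64.b64encode(POC.encode()).decode())]

if __name__ == "__main__":
    for number, reason, user in scan(SAMPLE):
        print(f"line {number}: {reason}: {user!r}")
```

To run it against real data, pass the lines of /var/log/messages (or the grep output above) to scan(); a hit is a lead for review, not proof of compromise.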
Mitigation steps
For NethSecurity Firewall:
To mitigate this issue, follow these guidelines:
- Avoid Accessing the Log Page: Do not access the Log page if the ns-ui package has not been updated to the version containing the fix.
- Restrict UI Access: Restrict access to the configuration UI only from trusted IP addresses. Refer to the documentation for detailed instructions.
- Reboot the Machine: Perform a system reboot. This will invalidate all active tokens and clean up the logs.
For NS8 Controller Application:
To mitigate this issue, follow these guidelines:
- Avoid Accessing the Log Page: Do not access the Log page of the unit if the ns-ui package has not been updated to the version containing the fix.
- Reboot the Unit: Perform a reboot of the unit. This will invalidate all active tokens and clean up the logs.