Ramp Altimeter Stored XSS

Product Ramp Altimeter
Severity Medium
CVE Reference CVE-2020-10372
Type XSS

Description

A Stored XSS vulnerability was discovered in Ramp Altimeter that allows a malicious user to store arbitrary JavaScript payloads on the application server.

Ramp Altimeter (https://ramp.com/altitudecdn/altimeter) is a web management interface for enterprise content delivery networks. It provides a GUI for administering Ramp Multicast+ and OmniCache instances, solutions used for efficient live video streaming.

The vulnerable functionality requires authentication, and is present at http://[HOSTNAME]/vdms/ipmapping.jsp. It can be accessed by clicking the “Create…” button, and in the dialog box that appears, a malicious payload can be inserted into the “Location” field. The payload is then stored by clicking “Save” at the bottom of the dialog box.

Below is an example request that stored a malicious payload on the server:

POST /vdms/rest/services/datastore/createOrEditValueForKey?key=[REDACTED] HTTP/1.1
Host: [REDACTED]
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://[REDACTED]/vdms/ipmapping.jsp
Content-Type: application/json
X-Requested-With: XMLHttpRequest
Content-Length: 447
Cookie: [REDACTED]
Authorization: Basic [REDACTED]
Connection: close

{"key":"[REDACTED]","location":"<script>alert('F-Secure');</script>","country":{"shortName":"US","name":"United States","isUserAdded":false},"state":{"name":"Arkansas","isUserAdded":false},"city":{"name":"Alma","isUserAdded":false},"isManualLatLngEntry":false,"lat":"35.4778653","lng":"-94.2218752","Cidrs":[{"isNew":true,"cidrIPSubnet":"10.0.10.0/24","interfaceType":"Wired","ID":"[REDACTED]"}]}

The payload is then triggered by visiting http://[HOSTNAME]/vdms/ipmapping.jsp.

Impact

As Altimeter is typically deployed within an organization's internal network, this issue can aid an attacker who has gained a foothold in moving laterally within the the network and disrupting business operations. In particular, an attacker can use the vulnerability to target the browsers of application users. Additionally, they can gain control of the authenticated session of users who request the affected page, and can perform unauthorized actions within the application.

Remediation

In order to address the above issue, it is recommended to update to the following version of the Altimeter software, which contains a fix for the vulnerability:

AltitudeCDN Altimeter v2.4.0

Additionally, strong credentials should be used for accounts within the application, and organizations should consider only allowing access to the management interface from a white-listed set of IP addresses.

Detailed Timeline

2019-07-29 F-Secure informs the vendor of the issue in Altimeter 2.1.0
2019-07-30 Vendor confirms the vulnerability is still present in Altimeter 2.3.1
2019-07-30 F-Secure informs the vendor of intention to publish an advisory and asks for an estimated patch date
2019-07-30 Vendor informs F-Secure they plan to patch in version 2.4.0 with an ETA of late September
2019-09-18 F-Secure requests status update
2019-09-18 Vendor informs F-Secure that the patch is scheduled to be released Q1 2020
2020-01-13 F-Secure requests status update and sends draft of advisory to vendor
2020-02-10 Vendor confirms that the vulnerability is patched in version 2.4.0 and approves advisory
2020-03-10 Advisory published