Security Bulletin
Security notifications affecting the IP Fabric solution published according to our Security Incident Response policy.
Upgrade information
Upgrade information can be found in the System update section.
NIM-13396: Opengear – Prevent sudo Password From Being Logged
| Severity | Affected Versions | Fix Version |
|---|---|---|
| High | 6.3.0 and later |
6.9.4 |
Enable passwords are used for sudo, which is needed for the Neighbors
discovery task. Due to incorrect implementation, the password can be seen in
plaintext in the CLI log. This affects all customers who have discovered any
Opengear device with the Neighbors task enabled. Anyone with CLI access or
access to device log files and downloaded snapshot files created by affected
versions can obtain stored enable passwords.
Remediation
- Upgrade the IP Fabric instance to the latest version.
- If you are unable to upgrade at this moment, disable the
Neighborstask for the Vendoropengearin Settings → Discovery & Snapshots → Discovery Settings → Disabled Discovery Tasks. - Change all enable passwords stored in Settings → Discovery & Snapshots → Discovery Settings → Device Credentials → Passwords for enable mode.
SA-495: Decoding HTTP/2 Rapid Reset (CVE-2023-44487)
| Severity | Affected Versions | Fix Version |
|---|---|---|
| High | 6.2.0 or newer |
N/A |
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
This affects particularly customers who have an internet-facing IP Fabric instance.
Workaround
The issue lies in the configuration of http2 on the line listen 443 ssl http2; within the nginx configuration files. To resolve this problem, you can remove http2, restart nginx, and the issue will be resolved.
Currently, upgrading IP Fabric will overwrite the nginx files, leading to the problem recurring.
- Connect via SSH to IP Fabric VM and check which files contain
http2:sudo grep "http2" /etc/nginx/sites-enabled/*The output should look like this:
osadmin@ipfabric-632:~$ sudo grep "http2" /etc/nginx/sites-enabled/* /etc/nginx/sites-enabled/ipf-frontend: listen 443 ssl http2; /etc/nginx/sites-enabled/ipf-nimpee-update: listen 8443 ssl http2;
- Edit each file to remove the
http2string. You can either do this manually or use the following command:sudo sed -i 's/ http2//' /etc/nginx/sites-enabled/*You can verify that the
http2has been removed by running thegrepcommand:osadmin@ipfabric-632:~$ sudo grep "443" /etc/nginx/sites-enabled/* /etc/nginx/sites-enabled/ipf-frontend: listen 443 ssl; /etc/nginx/sites-enabled/ipf-nimpee-update: listen 8443 ssl;
- Restart nginx:
sudo systemctl restart nginx
NIM-9199: Privilege escalation via Admin portal
| Severity | Affected Versions | Fix Version |
|---|---|---|
| High | 5.0.2 or earlier |
6.0.1 |
A read-only user can create an escalated privilege account by taking advantage of token validation.
Tokens issued in the web app are accepted without proper validation. Using that, users of any privilege level can call an API endpoint for creating a new admin user account using their token. Then it is possible to escalate their privilege by logging in to the new account.
NIM-9023: API Token privilege escalation
| Severity | Affected Versions | Fix Version |
|---|---|---|
| High | 5.0.0, 5.0.1 or 5.0.2 | 6.0.1 |
Users can create an API token with RBAC properties that the token is not authorized for.
An API token can be generated that allows unauthorized collection of network data or modification of IP Fabric system settings.