Prevent JavaScript injection in Operations Manager 2016 web console

Problem description

Missing input validation and output encoding allows JavaScript injection, leading to Reflected Cross Site Scripting (XSS).

Reflected Cross Site Scripting may be used to inject arbitrary JavaScript to the Microsoft System Center 2016 _authenticated _page. One may intercept the below GET request and modify the SpaceID to inject arbitrary strings into the left navigation pane of the web console.

GET/OperationsManager/InternalPages/NavigationTree.aspx?SpaceId=1002&ViewId=Favorites_Overview HTTP/1.1
Here is an example of an arbitrary string:
abc%3E%3C",“00000000-0000-0000-0000-000000000000”);alert(1);//%3E

A malicious JavaScript, once injected, can modify the current behavior of the page and deliver: trojans, force malicious redirections, content spoofing, keyloggers, content leakage, VIEWSTATE and validators’ tokens leakage (defeating anti-CSRF controls), etc.

The attack constitutes of the following steps

1. An attacker crafts a specific authenticated GET request of System Center with XSS payload and either tricks the victim to access the special URL or tricks the user to access a phishing scam that triggers the specific request.
2. The authenticated victim loads/reloads the homepage.

Note: The attack is applicable to any viewID value and every request with SpaceID query string parameter.

Test case

Expected result: Invalid SpaceID error or empty pane and no execution of random JavaScript Outcome: Arbitrary JavaScript executed.

Resolution

Implement strict input validation. Only integers are accepted as SpaceID, so the data type check against the input is sufficient to remediate the vulnerability.
We have added a check to ensure that the SpaceID is a supported value only (1001 and 1002), else the data in the tree is empty.

References

See the security guidance advisory on CVE-2020-1331.

Security classification

Reflected Cross Site Scripting, Content Spoofing