CVE-2018-6189 in Radar

Summary

by MITRE

F-Secure Radar (on-premises) before 2018-02-15 has XSS via vectors involving the Tags parameter in the JSON request body in an outbound request for the /api/latest/vulnerabilityscans/tags/batch resource, aka a "suggested metadata tags for assets" issue.

Analysis

by VulDB Data Team • 06/30/2024

The vulnerability identified as CVE-2018-6189 affects F-Secure Radar versions prior to the February 15, 2018 release, specifically the on-premises deployment. The flaw resides in the application's handling of JSON request bodies submitted to the /api/latest/vulnerabilityscans/tags/batch endpoint, which is responsible for managing suggested metadata tags for assets within the vulnerability scanning framework. The issue is a cross-site scripting vulnerability that allows attackers to inject malicious scripts through the Tags parameter, potentially compromising user sessions and enabling unauthorized access to sensitive information.

The technical implementation of this vulnerability stems from inadequate input validation and output sanitization within the application's API layer. When the system processes outbound requests containing the Tags parameter in the JSON body, it fails to properly escape or filter user-supplied data before incorporating it into the response. This failure creates an environment where malicious actors can craft specially formatted JSON payloads that include script tags or other XSS vectors. The vulnerability specifically impacts the metadata tagging functionality that administrators use to categorize and organize scanned assets, making it particularly dangerous as it could be exploited during routine administrative tasks or automated scanning processes.

The operational impact of this vulnerability extends beyond simple script injection, as it can enable attackers to perform session hijacking, steal sensitive credentials, or manipulate the application's behavior to gain unauthorized access to the vulnerability scanning system. An attacker who successfully exploits this vulnerability could potentially access the full asset inventory, modify scanning configurations, or even escalate privileges within the F-Secure Radar environment. The attack surface is particularly concerning because the vulnerability affects the on-premises deployment: organizations running Radar on internal infrastructure are exposed, and an attacker who has gained access to the internal network could exploit it without requiring external network access.

Organizations should implement immediate mitigations including updating to the patched version of F-Secure Radar released on February 15, 2018, which addresses the input validation issues in the Tags parameter handling. Network segmentation and monitoring of API endpoints can provide additional layers of protection by detecting anomalous requests to the vulnerable /api/latest/vulnerabilityscans/tags/batch resource. Security teams should also consider implementing web application firewalls that can detect and block known XSS patterns in API request bodies, particularly focusing on the JSON parameter handling for tag-related operations. This vulnerability aligns with CWE-79 Cross-site Scripting and maps to ATT&CK technique T1059.007 Command and Scripting Interpreter: JavaScript, highlighting the need for comprehensive input validation across all application interfaces. The remediation process should include thorough testing of the patched environment to ensure that the vulnerability has been properly addressed without introducing regressions in functionality.

Additional security measures should include regular vulnerability assessments of the application's API endpoints, particularly focusing on input validation controls and parameter handling. Organizations should also implement proper logging and monitoring of API activity to detect suspicious patterns in tag-related requests, which could indicate exploitation attempts. The vulnerability demonstrates the importance of validating all user inputs at multiple layers of the application architecture and implementing proper output encoding for dynamic content. Security teams should also review similar API endpoints for comparable vulnerabilities and ensure that all metadata handling functions implement robust sanitization procedures to prevent similar issues from occurring in other parts of the application.
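
The monitoring and output-encoding advice above can be sketched as a small log review check. This is an added example, not F-Secure or VulDB code; it assumes the request path and JSON body are available from a proxy or API log, and the body schema, the character policy and the names `review_request`, `tag_values` and `strings_in` are hypothetical.

```python
import html
import json
import re

# Resource named in the advisory; everything else here is an assumption.
ENDPOINT = "/api/latest/vulnerabilityscans/tags/batch"
# Assumed policy: a plain-text asset tag never needs these characters.
MARKUP = re.compile("[<>\"'`]|javascript:", re.IGNORECASE)


def strings_in(value):
    """Yield every string nested anywhere inside a decoded JSON value."""
    if isinstance(value, str):
        yield value
    elif isinstance(value, dict):
        for item in value.values():
            yield from strings_in(item)
    elif isinstance(value, list):
        for item in value:
            yield from strings_in(item)


def tag_values(node):
    """Yield strings stored under any key named Tags (schema is assumed)."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key.lower() == "tags":
                yield from strings_in(value)
            else:
                yield from tag_values(value)
    elif isinstance(node, list):
        for item in node:
            yield from tag_values(item)


def review_request(path, body):
    """Return findings for one logged request; an empty list means clean."""
    if path.split("?", 1)[0].rstrip("/") != ENDPOINT:
        return []
    try:
        doc = json.loads(body)
    except json.JSONDecodeError:
        return [("unparseable-body", html.escape(body[:40]))]
    # Findings are HTML-escaped so a report page cannot replay the markup.
    return [("markup-in-tag", html.escape(tag))
            for tag in tag_values(doc) if MARKUP.search(tag)]


# Constructed sample requests (path, JSON body); not captured traffic.
SAMPLES = [
    (ENDPOINT, '{"Tags": ["dmz", "web-tier"]}'),
    (ENDPOINT, '{"Scans": [{"Id": 7, "Tags": ["<script>alert(1)</script>"]}]}'),
]
```
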

Reservation: 01/24/2018

Disclosure: 02/15/2018

Moderation: accepted

CPE: ready

Exploit: Download

EPSS: 0.00328

KEV: no

Activities: very low
