Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2021-35486 is a Cross-Site Request Forgery (CSRF) vulnerability affecting Nokia Impact version 19.11.2.10-20210118042150283.'}, {'type': 'paragraph', 'content': "This vulnerability allows a remote attacker to import and overwrite the entire application configuration without the victim's knowledge."}, {'type': 'paragraph', 'content': 'The issue arises because the application does not validate the CSRF token for POST requests, specifically failing to check the X-CSRF-NONCE HTTP header and the CSRF-NONCE cookie.'}, {'type': 'paragraph', 'content': 'An attacker can exploit this by tricking an authenticated admin user into visiting a malicious web page that performs unauthorized configuration imports using an XMLHttpRequest.'}] [1]

Useful 0 Not Useful 0

Impact Analysis

[{'type': 'paragraph', 'content': 'This vulnerability can have serious impacts as it allows a remote attacker to overwrite the entire application configuration of Nokia Impact.'}, {'type': 'paragraph', 'content': "By exploiting this flaw, an attacker can change critical settings without the administrator's consent or knowledge, potentially disrupting services or compromising system integrity."}, {'type': 'paragraph', 'content': 'Since the attack requires tricking an authenticated admin user, it can lead to unauthorized administrative actions being performed remotely.'}] [1]

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring for unauthorized POST requests to the endpoint /ui/rest-proxy/entity/import that lack proper CSRF token validation.'}, {'type': 'paragraph', 'content': 'Specifically, you can look for HTTP requests missing the X-CSRF-NONCE header or the CSRF-NONCE cookie.'}, {'type': 'paragraph', 'content': 'A possible command to detect such requests in network traffic logs or web server logs could be using grep or similar tools to filter POST requests to the vulnerable endpoint.'}, {'type': 'list_item', 'content': "grep -i 'POST /ui/rest-proxy/entity/import' /var/log/nginx/access.log | grep -v 'X-CSRF-NONCE'"}, {'type': 'list_item', 'content': "grep -i 'POST /ui/rest-proxy/entity/import' /var/log/apache2/access.log | grep -v 'CSRF-NONCE'"}, {'type': 'paragraph', 'content': 'Additionally, monitoring for unusual configuration import activities or unexpected changes in application configuration can help detect exploitation attempts.'}] [1]

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include ensuring that the application properly validates the CSRF tokens for POST requests, specifically the X-CSRF-NONCE HTTP header and the CSRF-NONCE cookie.

If a patch or update is available from Nokia for IMPACT version 19.11.2.10-20210118042150283, apply it as soon as possible.

In the meantime, restrict access to the vulnerable endpoint /ui/rest-proxy/entity/import to trusted administrators only, and consider implementing additional network-level protections such as web application firewalls (WAF) to block unauthorized POST requests.

Educate administrators to avoid visiting untrusted or suspicious web pages while authenticated to the application to reduce the risk of CSRF exploitation.

Useful 0 Not Useful 0