Executive Summary

This vulnerability is a CORS (Cross-Origin Resource Sharing) misconfiguration in the REST API of Network Optix Nx Witness VMS versions before 6.1.2 when running in the default Standard security mode on Linux and Windows.

It allows an unauthenticated remote attacker to steal the session token of an authenticated user by tricking the user into visiting a malicious cross-origin web page.

With the stolen session token, the attacker can perform an Administrator Account Takeover, gaining full control over the system.

The High security mode is not affected by this vulnerability.

Useful 0 Not Useful 0

Impact Analysis

The vulnerability can lead to a severe security breach where an attacker can hijack an administrator's session.

This results in an Administrator Account Takeover, allowing the attacker to control the system, potentially accessing sensitive data, modifying configurations, or disrupting services.

Because the attack requires only that the victim visits a malicious web page, it can be executed remotely without authentication.

Useful 0 Not Useful 0

Detection Guidance

Detection of this vulnerability involves checking the CORS configuration of the Nx Witness VMS REST API, specifically whether the Access-Control-Allow-Credentials header is set to true in the Standard security mode.

You can verify the current CORS settings by querying the REST API endpoint for system settings.

• Use a command like: curl -X GET -H "Authorization: Bearer <token>" https://<nx-witness-server>/rest/v2/system/settings to retrieve current CORS settings.
• Check the value of the supportedOrigins field in the response; if it is not set to "null", the system may be vulnerable.

Additionally, you can verify if Access-Control-Allow-Credentials is set to true by inspecting HTTP responses from the REST API using tools like curl or browser developer tools.

Useful 0 Not Useful 0

Mitigation Strategies

To mitigate this vulnerability immediately, you should configure the system to disable credential sharing in CORS by setting Access-Control-Allow-Credentials to false.

• For existing installations running in Standard security mode, send a PATCH request to the REST API endpoint /rest/v2/system/settings with the body {"supportedOrigins": "null"}.
• Alternatively, select the High security mode during initial setup, which is not affected by this vulnerability.

The ultimate solution is to update Nx Witness VMS to version 6.1.2 or later, where the default Standard security configuration sets Access-Control-Allow-Credentials to false.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability allows an unauthenticated remote attacker to steal the session token of an authenticated user and perform Administrator Account Takeover via a malicious cross-origin web page. Such unauthorized access and potential data breach could lead to non-compliance with data protection regulations like GDPR and HIPAA, which require strict controls over user data and access.

By exploiting this vulnerability, attackers could gain administrative control, potentially exposing sensitive personal or health information, thereby violating confidentiality and integrity requirements mandated by these standards.

Mitigations such as updating to version 6.1.2 or later, or configuring strict CORS validation, help reduce this risk and support compliance efforts.

Useful 0 Not Useful 0