CVE-2019-16072

9.8 CRITICAL

📋 TL;DR

This CVE describes a critical, unauthenticated OS command injection vulnerability in NETSAS Enigma NMS that lets a remote attacker execute arbitrary commands on the host running the NMS. The flaw is reached by sending shell metacharacters in the ip_address parameter of the snmp_browser action of the discover_and_manage CGI script, where the value reaches a shell without validation. Enigma NMS 65.0.0 and prior are affected.

💻 Affected Systems

Products:
  • NETSAS Enigma NMS
Versions: 65.0.0 and prior
Operating Systems: Linux-based systems where Enigma NMS is deployed
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability exists in the default CGI script configuration and requires no special configuration to be exploitable.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full system compromise leading to data theft, ransomware deployment, lateral movement across the network, and persistent backdoor installation.

🟠

Likely Case

Unauthorized command execution leading to service disruption, configuration changes, and potential credential harvesting.

🟢

If Mitigated

Limited impact with proper network segmentation, but still potential for service disruption if exploited.

🌐 Internet-Facing: HIGH - The CGI script is served by the NMS web interface and the injection needs no authentication, so any host that can reach the interface can run commands on the NMS server.
🏢 Internal Only: HIGH - An unauthenticated attacker with network reach to the web interface (a compromised workstation, for example) can exploit it, and an NMS holds SNMP community strings and device credentials that make the host a high-value pivot into the monitored estate.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The injection point is publicly documented (the ip_address parameter of the snmp_browser action in the discover_and_manage CGI script), and exploitation needs only a crafted HTTP request carrying shell metacharacters in that value; no authentication, user interaction or special configuration is required.
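The following is an added illustration written for this page, not Enigma NMS code, of the vulnerable pattern the CVE describes next to a hardened form. A stand-in `echo` command replaces the SNMP query tool so the example runs harmlessly; the `query_unsafe`/`query_safe` names and the payload are constructed for the example. The point it makes: stripping or blocking metacharacters is a blocklist that is easy to get wrong, whereas validating ip_address as an IP literal and passing it as its own argv element (no shell) removes the shell from the path entirely.

```python
"""Added illustration (not Enigma NMS code): an ip_address parameter handed to a
shell gives command execution; strict validation plus a shell-free argv closes it.
`echo` stands in for the SNMP query tool so the example is harmless to run."""
import ipaddress
import subprocess

# Constructed payload: a shell metacharacter followed by a second command
PAYLOAD = "127.0.0.1; echo INJECTED"


def query_unsafe(ip_address):
    """Vulnerable pattern: the untrusted value is interpolated into a command
    string that /bin/sh parses, so ';' ends the intended command and starts
    the attacker's. Returns stdout so the injected output is visible."""
    cmd = "echo probing " + ip_address
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def validate_ip_address(value):
    """Allow-list validation: only a syntactically valid IPv4/IPv6 literal
    passes. Anything else, including a legitimate hostname, is rejected."""
    try:
        return str(ipaddress.ip_address(value.strip()))
    except ValueError:
        raise ValueError("rejected ip_address %r" % (value,)) from None


def is_accepted(value):
    """True if the validator accepts the value, False if it rejects it."""
    try:
        validate_ip_address(value)
        return True
    except ValueError:
        return False


def query_safe(ip_address):
    """Hardened pattern: validated value, argv list, shell=False. Even if
    validation were bypassed, no shell would ever parse the argument."""
    argv = ["echo", "probing", validate_ip_address(ip_address)]
    return subprocess.run(argv, capture_output=True, text=True).stdout


def was_injected(output):
    """True if the attacker's command produced its own output line."""
    return "INJECTED" in output.splitlines()


if __name__ == "__main__":
    # The unsafe path prints a second line, INJECTED, produced by the smuggled command
    print(query_unsafe(PAYLOAD), end="")
    # The safe path refuses the payload before any process is started
    try:
        query_safe(PAYLOAD)
    except ValueError as exc:
        print(exc)
    print(query_safe("192.0.2.10"), end="")
```

Note that the hardened version rejects hostnames as well; if the application legitimately accepts DNS names in ip_address, the validator must be extended with a strict hostname grammar rather than relaxed to a metacharacter blocklist.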

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not specified in the advisory data; obtain a release later than 65.0.0 from NETSAS and confirm with the vendor that it addresses CVE-2019-16072

Disclosure Write-up: https://www.mogozobo.com/?p=3647 (researcher disclosure referenced by the CVE; this is not a NETSAS vendor advisory)

Restart Required: Yes

Instructions:

1. Contact NETSAS for an updated version beyond 65.0.0.
2. Back up the Enigma NMS configuration and data.
3. Install the updated version.
4. Restart the Enigma NMS service.
5. Verify functionality, and verify that the old discover_and_manage script has been replaced.

🔧 Temporary Workarounds

Disable CGI script access (Linux)

Rename the vulnerable discover_and_manage CGI script and strip its permissions. Renaming alone is not enough: under a ScriptAlias'd cgi-bin, Apache executes any file in the directory regardless of its name or extension, so the chmod 000 is what actually prevents execution. This disables the discovery and SNMP-browser functions served by that script, and a reinstall of the same version may restore the file.

mv /path/to/enigma/cgi-bin/discover_and_manage /path/to/enigma/cgi-bin/discover_and_manage.disabled
chmod 000 /path/to/enigma/cgi-bin/discover_and_manage.disabled

Web server access control (any platform)

Configure the front-end web server to refuse requests to the vulnerable endpoint. Use a prefix match so that variants such as a trailing slash or path-info suffix are blocked as well.

# Apache 2.4: in the virtual host or main server config (<Location> is not permitted in .htaccess)
<Location "/cgi-bin/discover_and_manage">
    Require all denied
</Location>
# Apache 2.2, or 2.4 with mod_access_compat: use "Deny from all" in place of "Require all denied"
# In a .htaccess inside cgi-bin, use <Files "discover_and_manage"> ... </Files> instead of <Location>

# Nginx: in the server block ("deny all;" already answers 403, so a separate "return 403;" is redundant)
location ^~ /cgi-bin/discover_and_manage {
    return 403;
}

🧯 If You Can't Patch

  • Restrict reachability of the Enigma NMS web interface to a management network or VPN, and isolate the NMS host from the systems it monitors where possible; the NMS holds SNMP community strings and device credentials, so compromise of the host exposes the managed estate
  • Deploy WAF or reverse-proxy rules that reject requests to /cgi-bin/discover_and_manage whose ip_address value is not a plain IP address, and make sure matching runs on the URL-decoded value (attackers send %3B for ";" and %7C for "|"); treat pattern blocklists as a stopgap, since they are bypassable

🔍 How to Verify

Check if Vulnerable:

Enigma NMS reports version 65.0.0 or earlier, and the discover_and_manage script is present and executable in the web server's cgi-bin directory.

Check Version:

Read the version from the Enigma NMS web interface or from the installation's configuration and release files, and record it before and after the upgrade.

Verify Fix Applied:

Confirm the running version is later than 65.0.0, then confirm that a request to the snmp_browser action with shell metacharacters in ip_address is rejected rather than executed. Run this test against a non-production instance or within an authorised change window, because on a still-vulnerable host the injected command will actually run.

📡 Detection & Monitoring

Log Indicators:

  • Requests to /cgi-bin/discover_and_manage whose ip_address value contains shell metacharacters (;, |, &, backtick, $( and similar) or their percent-encoded forms such as %3B, %7C, %26, %60 and %24%28; match after URL-decoding
  • Bursts of requests to /cgi-bin/discover_and_manage from one source with varying ip_address values, including non-IP strings, which suggests enumeration or payload tuning
  • On the NMS host: shell interpreters or download and network tools (sh, bash, curl, wget, nc, python) spawned as children of the web server or CGI user

Network Indicators:

  • Unusual outbound connections from the Enigma NMS server, especially to addresses it does not monitor
  • Traffic patterns suggesting reverse shell establishment, such as long-lived outbound TCP sessions to non-standard ports opened shortly after a request to the CGI script

SIEM Query (pseudo-syntax; adapt to your platform and URL-decode the value before matching, otherwise encoded payloads are missed):

source="web_server_logs" AND uri="/cgi-bin/discover_and_manage" AND (param="ip_address" AND urldecode(value) MATCHES "[;&|`$(){}<>]")
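An added detection example, not from the original page, that runs the indicators above over combined-format web server access log lines. It URL-decodes the query string before inspection (so %3B is seen as ";"), flags ip_address values that contain shell metacharacters or are not IP literals, and flags POST requests to the endpoint separately because access logs never record the request body. The log lines are constructed for this example, and the `action=snmp_browser` parameter name is an assumption about how the action is selected; adapt the endpoint and parameter names to the deployment.

```python
"""Added detection example (not from the original page): triage access logs for
suspicious ip_address values sent to the discover_and_manage CGI script.
Sample log lines are constructed; the action= parameter name is an assumption."""
import ipaddress
import re
from typing import Optional
from urllib.parse import parse_qs, urlsplit

ENDPOINT = "/cgi-bin/discover_and_manage"

# Apache/nginx combined log format, parsed up to the status code
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
# Characters that let a value break out of a shell argument
SHELL_META = re.compile(r"[;&|`$(){}<>\\\n\r]")

# Constructed sample: one benign query, two encoded injection attempts, an
# unrelated script, a POST (body not logged) and a hostname instead of an IP
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2019:13:55:36 +0000] "GET /cgi-bin/discover_and_manage?action=snmp_browser&ip_address=192.0.2.10 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2019:13:55:40 +0000] "GET /cgi-bin/discover_and_manage?action=snmp_browser&ip_address=192.0.2.10%3Bid HTTP/1.1" 200 0 "-" "curl/7.64.0"
203.0.113.7 - - [10/Oct/2019:13:55:41 +0000] "GET /cgi-bin/discover_and_manage?action=snmp_browser&ip_address=%60id%60 HTTP/1.1" 200 0 "-" "curl/7.64.0"
203.0.113.9 - - [10/Oct/2019:13:56:02 +0000] "GET /cgi-bin/other_script?ip_address=1.2.3.4%3Bid HTTP/1.1" 404 0 "-" "curl/7.64.0"
203.0.113.9 - - [10/Oct/2019:13:56:10 +0000] "POST /cgi-bin/discover_and_manage HTTP/1.1" 200 120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2019:13:57:01 +0000] "GET /cgi-bin/discover_and_manage?action=snmp_browser&ip_address=switch01.example HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""


def classify_value(value: str) -> Optional[str]:
    """Return a reason string if a decoded ip_address value looks hostile."""
    if SHELL_META.search(value):
        return "shell_metacharacter"
    try:
        ipaddress.ip_address(value.strip())
    except ValueError:
        # Not an IP literal; benign only if the deployment accepts hostnames
        return "not_an_ip_address"
    return None


def check_line(line: str) -> Optional[dict]:
    """Return a finding for one access-log line, or None if nothing is suspect."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    if not parts.path.endswith(ENDPOINT):
        return None
    if m["method"] == "POST" and not parts.query:
        # The body is never in the access log; the parameter must be inspected
        # in application logs or at a WAF/reverse proxy instead
        return {"src": m["src"], "ts": m["ts"], "value": None,
                "reason": "post_body_not_logged"}
    # parse_qs percent-decodes, so %3B arrives here as ';'
    for value in parse_qs(parts.query, keep_blank_values=True).get("ip_address", []):
        reason = classify_value(value)
        if reason:
            return {"src": m["src"], "ts": m["ts"], "value": value, "reason": reason}
    return None


def scan(lines):
    """Return findings for every suspect line, in log order."""
    return [f for f in (check_line(line) for line in lines) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG.splitlines()):
        print(finding)
```

The not_an_ip_address rule is deliberately strict and will fire on legitimate hostnames; keep it as a low-severity review signal rather than an alert if operators enter DNS names in that field.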
