
Multiple Vulnerabilities in Snipe-IT Allow for Code Execution and Privilege Escalation

Multiple vulnerabilities in Snipe-IT could allow an attacker to perform cross-site scripting attacks, redirect users to malicious websites, gain administrator rights, or execute arbitrary code.

The German BSI has reported multiple vulnerabilities in Snipe-IT, a web-based IT asset management system. These vulnerabilities, if exploited, could allow an attacker to perform a range of malicious activities, from relatively minor cross-site scripting (XSS) attacks and user redirection to more severe outcomes like gaining administrator privileges or achieving arbitrary code execution on the server. The report does not specify which versions of Snipe-IT are affected or whether these vulnerabilities are being actively exploited in the wild, but the potential impact necessitates immediate attention from security teams managing Snipe-IT deployments.

Attack Chain

  1. An attacker identifies a vulnerable endpoint in Snipe-IT susceptible to XSS.
  2. The attacker crafts a malicious payload containing JavaScript code.
  3. The attacker injects the payload into the vulnerable Snipe-IT endpoint, possibly through a crafted URL or form input.
  4. A legitimate user accesses the compromised endpoint, causing their browser to execute the attacker’s injected JavaScript.
  5. The JavaScript code redirects the user to a malicious website controlled by the attacker.
  6. (If XSS leads to session hijacking) The attacker steals the user’s session cookie, allowing them to impersonate the user.
  7. (If XSS targets an admin) The attacker uses the hijacked admin session to elevate privileges within Snipe-IT.
  8. The attacker leverages the elevated privileges to execute arbitrary code on the Snipe-IT server, potentially gaining complete control of the system and its data.

Impact

Successful exploitation of these vulnerabilities could have significant consequences. An attacker could steal sensitive information about IT assets, disrupt IT operations by manipulating asset records, and compromise other systems through lateral movement after gaining code execution. While the specific number of affected organizations is unknown, any organization using Snipe-IT is potentially at risk. Successful code execution could lead to complete system compromise and data loss.

Recommendation

  • Deploy the Sigma rule “Detect Suspicious Snipe-IT URL Parameters” to identify potential XSS attempts targeting Snipe-IT via HTTP GET requests.
  • Deploy the Sigma rule “Detect Suspicious Snipe-IT POST Requests” to identify potential XSS attempts targeting Snipe-IT via HTTP POST requests.
  • Thoroughly review Snipe-IT application logs for suspicious activity indicative of exploitation attempts.

Detection coverage (2 rules)

Rule: Detect Suspicious Snipe-IT URL Parameters
Severity: high
Description: Detects potential XSS attempts targeting Snipe-IT via suspicious URL parameters
Format: Sigma | Tactic: initial_access | Technique: T1190 | Log sources: webserver, linux

Rule: Detect Suspicious Snipe-IT POST Requests
Severity: high
Description: Detects potential XSS attempts targeting Snipe-IT via HTTP POST requests
Format: Sigma | Tactic: initial_access | Technique: T1190 | Log sources: webserver, linux
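The two rules above are described only by name and summary here. As an added illustration of the kind of check they perform (example code written for this page, not the platform's Sigma rules, whose queries are not shown), the following Python decodes Snipe-IT query parameters and form bodies from web-server events and flags common XSS markers. The paths, parameter names, marker list and sample events are all constructed assumptions; POST inspection assumes the web server or WAF logs request bodies.

```python
"""Flag Snipe-IT web requests whose query string or form body carries XSS markers."""
from __future__ import annotations
import json
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Markers typical of reflected-XSS probes. Constructed for this example; the
# platform's own Sigma rule logic is not reproduced on the page.
XSS_MARKERS = re.compile(
    r"<\s*/?\s*script|javascript\s*:|\bon(?:error|load|mouseover|focus|click)\s*="
    r"|<\s*(?:img|svg|iframe|object)\b",
    re.IGNORECASE,
)

def _normalise(value: str) -> str:
    """parse_qsl already decoded once; decode again so %253C (double-encoded '<') is caught."""
    return unquote_plus(value)

def suspicious_fields(method: str, uri: str, body: str = "") -> list[tuple[str, str]]:
    """Return (field, decoded_value) pairs that contain an XSS marker.

    GET requests are judged on query parameters; POST requests additionally on an
    x-www-form-urlencoded body (assumed to be present in the log event).
    """
    sources = parse_qsl(urlsplit(uri).query, keep_blank_values=True)
    if method.upper() == "POST":
        sources += parse_qsl(body, keep_blank_values=True)
    hits = []
    for field, raw in sources:
        decoded = _normalise(raw)
        if XSS_MARKERS.search(decoded):
            hits.append((field, decoded))
    return hits

def scan_events(events: list[dict]) -> list[dict]:
    """Apply the check to JSON-lines web events with keys method, uri, body, src_ip."""
    alerts = []
    for ev in events:
        hits = suspicious_fields(ev.get("method", ""), ev.get("uri", ""), ev.get("body", ""))
        if hits:
            alerts.append({"src_ip": ev.get("src_ip"), "uri": ev["uri"], "fields": hits})
    return alerts

# Constructed sample events (not real traffic); paths and parameters are illustrative.
SAMPLE_EVENTS = [
    {"src_ip": "203.0.113.5", "method": "GET", "uri": "/hardware?search=laptop&sort=name"},
    {"src_ip": "203.0.113.9", "method": "GET", "uri": "/hardware?search=%3Cscript%3Ealert(1)%3C%2Fscript%3E"},
    {"src_ip": "203.0.113.9", "method": "GET", "uri": "/users?sort=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E"},
    {"src_ip": "198.51.100.7", "method": "POST", "uri": "/users", "body": "first_name=Ann&last_name=Lee"},
    {"src_ip": "198.51.100.7", "method": "POST", "uri": "/users", "body": "first_name=%3Csvg+onload%3Dalert(1)%3E"},
]

if __name__ == "__main__":
    for alert in scan_events(SAMPLE_EVENTS):
        print(json.dumps(alert))
```

A pattern list like this is a starting point for triage, not proof of exploitation; hits should be reviewed against the application logs as the recommendation above suggests.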
