Corero SecureWatch Managed Services Multiple Broken Access Control

Corero SecureWatch Managed Services does not correctly check the privileges of swa-monitor and cns-monitor users, allowing such a user to perform actions outside the scope of their role.

Product Description (from vendor)

“SecureWatch Managed Services are a comprehensive suite of configuration optimization, monitoring and mitigation response services. This round-the-clock service, delivered by Corero’s highly experienced Security Operations Center, is tailored to meet the security policy requirements and business goals of each SmartWall customer that engages in a SecureWatch managed service plan.” More information is available at


Root Cause Analysis

Users with specific roles can perform privileged operations outside of the scope of their role.

Users with the “swa-monitor” role can interact with the following HTTP API endpoints on the target host:

  • “get_snapshot_list”: used to provide a list of available snapshots
  • “get_snapshot”: used to download snapshots in pkg format
  • “get_packages”: used to provide a list of installed packages and their versions
  • “get_settings”: used to provide some information about the server’s network configuration
  • “settings”: used to provide information about the Splunk configuration

Furthermore, a user with the “cns-monitor” role can reach the following endpoint on the target host:

  • “/system/diagnostics”: used to manage the log files.

Proof of Concept

  1. Log in as a user with the “swa-monitor” role
  2. Get the snapshots list: https://$host:8000/it-IT/splunkd/__raw/services/get_snapshot_list
  3. Notice the response containing the list of available snapshots


An attacker with access to a “swa-monitor” or “cns-monitor” account can perform privileged operations and gain access to reserved information.


Upgrade Corero SecureWatch Managed Services to version 9.7.5 or later. (Note: we didn’t verify the patch.)
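
An added example, not part of the original advisory or of the vendor's code: a log review that flags requests from “swa-monitor” and “cns-monitor” accounts to the endpoints listed under Root Cause Analysis, and records whether each request was served. The Common Log Format input, the user-to-role map, the sample lines, and the placement of every “swa-monitor” endpoint under the `/services/` path seen in the Proof of Concept are assumptions.

```python
import re
from urllib.parse import urlsplit

# Endpoints named in the advisory, keyed by the role reported to reach them.
RESTRICTED = {
    "swa-monitor": {"get_snapshot_list", "get_snapshot", "get_packages",
                    "get_settings", "settings"},
    "cns-monitor": {"/system/diagnostics"},
}
# Assumed input format (Common Log Format): host ident user [time] "METHOD target PROTO" status size
CLF = re.compile(r'^(\S+) \S+ (\S+) \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')

def endpoint_hit(role, target):
    """Return the restricted endpoint that `target` reaches for `role`, or None."""
    path = urlsplit(target).path  # drops the query string
    for ep in RESTRICTED.get(role, ()):
        if ep.startswith("/"):
            # Path endpoint: match on whole segments, so "/system/diagnosticsX" is ignored.
            if ep + "/" in path + "/":
                return ep
        # Service endpoint (assumption): first segment after "/services/", so the
        # locale prefix ("/it-IT/", "/en-US/") is irrelevant and the match is exact.
        elif "/services/" in path and path.split("/services/", 1)[1].split("/")[0] == ep:
            return ep
    return None

def audit(lines, user_roles):
    """Flag requests by monitored roles to restricted endpoints; `served` is True on 2xx."""
    findings = []
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue  # not in the assumed format
        host, user, when, _method, target, status = m.groups()
        ep = endpoint_hit(user_roles.get(user), target)
        if ep:
            findings.append({"user": user, "role": user_roles[user], "endpoint": ep,
                             "served": status.startswith("2"), "source": host, "time": when})
    return findings

# Constructed sample data (not taken from a real appliance).
SAMPLE_ROLES = {"alice": "swa-monitor", "bob": "cns-monitor", "carol": "admin"}
SAMPLE_LOG = [
    '192.0.2.10 - alice [01/Jan/2021:10:00:01 +0000] "GET /it-IT/splunkd/__raw/services/get_snapshot_list HTTP/1.1" 200 512',
    '192.0.2.10 - alice [01/Jan/2021:10:00:05 +0000] "GET /en-US/splunkd/__raw/services/get_snapshot HTTP/1.1" 403 0',
    '192.0.2.11 - bob [01/Jan/2021:10:01:00 +0000] "POST /system/diagnostics HTTP/1.1" 200 64',
    '192.0.2.12 - carol [01/Jan/2021:10:02:00 +0000] "GET /it-IT/splunkd/__raw/services/get_settings HTTP/1.1" 200 90',
]
```

A finding with `served` set to True means the request returned a 2xx status to an account whose role should not have reached that endpoint.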

Disclosure Timeline

  • 01/12/2020: The vulnerability is found during an assessment for a Shielder client and reported to the vendor
  • 09/12/2020: The vendor fixes the vulnerability with the release of Corero SecureWatch Managed Services v9.7.5
  • 06/08/2021: Shielder’s advisory is made public


Giulio `linset` Casciaro from Shielder

This advisory was first published on


6 August 2021