CVE-2014-3804
published 2014-06-13

Priority: P2 (76)
Severity: critical, CVSS 2.0 base score 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Exploit: known
EPSS: 72.38% (99.4th percentile)
The av-centerd SOAP service in AlienVault OSSIM before 4.7.0 allows remote attackers to execute arbitrary commands via a crafted (1) update_system_info_debian_package, (2) ossec_task, (3) set_ossim_setup admin_ip, (4) sync_rserver, or (5) set_ossim_setup framework_ip request, a different vulnerability than CVE-2014-3805.

Affected

29 ranges (showing 25)

Vendor      Product                                        Version range   Fixed in
alienvault  open_source_security_information_management    <= 4.6.1

The remaining 24 displayed rows name the same vendor and product but carry no version range or fixed-in value on the page.

Detection & IOCs (extracted from sources)

port: 40007
path: /av-centerd
path: /usr/share/alienvault-center/lib/AV/CC/Util.pm
other: SOAPAction: "AV/CC/Util#sync_rserver"
other: SOAPAction: "AV/CC/Util#update_system_info_debian_package"
  • Detect exploitation attempts by monitoring for HTTPS POST requests to /av-centerd on port 40007 with a SOAPAction header containing 'AV/CC/Util#sync_rserver' and a uuid parameter value containing shell metacharacters (e.g., '&', '|', ';', backtick) not covered by the blacklist.
  • Detect exploitation of update_system_info_debian_package by monitoring POST requests to /av-centerd on port 40007 with SOAPAction 'AV/CC/Util#update_system_info_debian_package' containing Perl backtick or shell injection patterns in SOAP body parameters.
  • Alert on SOAP requests to /av-centerd where the uuid or package parameter field contains '& ' followed by arbitrary commands, matching the injection pattern used in the sync_rserver exploit.
  • Monitor for the SOAP server response header 'SOAPServer: SOAP::Lite' on port 40007 combined with 'alienvault-center' version strings below 4.7.0 to identify vulnerable targets.
  • The incomplete blacklist in sync_rserver only blocks [;`\$\\|]; alert on uuid values containing '&', '<', '>', '(', ')', newline, or other shell metacharacters not in this set.
  • The exploit uses SSL (HTTPS) on port 40007 by default; detection rules must account for TLS-encrypted traffic and may require SSL inspection to inspect SOAP body content.
  • CVE-2014-3804 (sync_rserver / Util.pm) is a distinct vulnerability from CVE-2014-3805 (get_license, get_log_line, update_system/upgrade_pro_web); detection signatures should not conflate the two.