cbcvebase.
CVE-2014-3805
published 2014-06-13


Priority: P266, critical, 10 (CVSS 2.0)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 13.07% (95.9th percentile)
The av-centerd SOAP service in AlienVault OSSIM before 4.7.0 allows remote attackers to execute arbitrary commands via a crafted (1) get_license, (2) get_log_line, or (3) update_system/upgrade_pro_web request, a different vulnerability than CVE-2014-3804.

Affected

29 ranges · showing 25
Vendor | Product | Version range | Fixed in
alienvault | open_source_security_information_management | <= 4.6.1 |

Detection & IOCs (extracted from sources)

url: /av-centerd
port: 40007
path: /usr/share/alienvault-center/lib/AV/CC/Util.pm
command: get_log_line('All', '423d7bea-cfbc-f7ea-fe52-272ff7ede3d2' ,'172.26.22.1', 'test', '/var/log/auth.log', '1;id;')
command: 1;perl -MMIME::Base64 -e 'system(decode_base64("<base64_payload>"))'
other: SOAPAction: "AV/CC/Util#get_log_line"
other: xmlns: AV/CC/Util
  • Detect SOAP POST requests to /av-centerd on port 40007 containing the get_log_line, get_license, or update_system/upgrade_pro_web method with shell metacharacters (e.g., semicolons) in parameters, indicating command injection attempts.
  • Alert on SOAP requests where the SOAPAction header contains 'AV/CC/Util#get_log_line' targeting /av-centerd over HTTPS on port 40007.
  • Check for the SOAPServer response header value matching 'SOAP::Lite' on /av-centerd as a fingerprint of the vulnerable service during reconnaissance.
  • Successful exploitation produces root-level command output; monitor process trees for 'tail' spawning unexpected child processes (e.g., perl, id, netcat) as children of the av-centerd daemon.
  • Flag SOAP requests to /av-centerd using the get_dpkg method, which is used by the Metasploit module to fingerprint vulnerable AlienVault OSSIM versions prior to 4.7.0.
  • The vulnerability exists only in AlienVault OSSIM versions before 4.7.0; the Metasploit check returns Safe for version >= 4.7.0.
  • The av-centerd SOAP service listens on port 40007 over SSL/TLS (HTTPS); detection rules must account for encrypted traffic and may require SSL inspection or endpoint-based detection.
  • The $r_file path-traversal check (/../) and path prefix checks (/var/log/, /var/ossec/) are bypassable via shell injection within an otherwise valid path, so path-only filtering is insufficient for detection.
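
The request-level checks in the list above, combined into one classifier as an added example (not code from this page, the vendor, or the Metasploit module). It assumes requests to port 40007 have already been decrypted by a TLS-inspecting proxy or logged on the endpoint and are passed in as dicts; the dict keys, finding labels and `<arg>` element names are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

NS = "AV/CC/Util"  # xmlns and SOAPAction prefix listed in the IOCs above
SOAP_BODY = "{http://schemas.xmlsoap.org/soap/envelope/}Body"
# Names from the CVE text ("update_system/upgrade_pro_web" split in two: assumption)
INJECTABLE = {"get_license", "get_log_line", "update_system", "upgrade_pro_web"}
FINGERPRINT = {"get_dpkg"}
SHELL_META = re.compile(r"[;|&`$<>\n]")

def inspect_request(req):
    """Return sorted finding labels for one decrypted HTTP request (a dict)."""
    if req.get("method") != "POST" or req.get("path") != "/av-centerd":
        return []
    findings = set()
    headers = {k.lower(): v for k, v in req.get("headers", {}).items()}
    action = headers.get("soapaction", "").strip('"')
    called = {action.rpartition("#")[2]} if action.startswith(NS + "#") else set()
    body = req.get("body", "")
    if "<!DOCTYPE" in body or "<!ENTITY" in body:
        findings.add("dtd-in-body")  # never hand DTDs to the XML parser
    else:
        try:
            calls = ET.fromstring(body).find(SOAP_BODY)
        except ET.ParseError:
            findings.add("malformed-soap")
            calls = None
        for call in (calls if calls is not None else []):
            name = call.tag.rpartition("}")[2]  # method named in the body
            called.add(name)
            args = [el.text or "" for el in call.iter() if el is not call]
            if name in INJECTABLE and any(SHELL_META.search(a) for a in args):
                findings.add("shell-metachar:" + name)
    findings.update("watched-method:" + m for m in called & INJECTABLE)
    findings.update("fingerprint:" + m for m in called & FINGERPRINT)
    return sorted(findings)

def soap(method, *args):
    """Build a constructed sample request; <arg> element names are made up."""
    xml = "".join("<arg>%s</arg>" % a for a in args)
    body = ('<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">'
            '<s:Body><%s xmlns="%s">%s</%s></s:Body></s:Envelope>'
            % (method, NS, xml, method))
    return {"method": "POST", "path": "/av-centerd", "body": body,
            "headers": {"SOAPAction": '"%s#%s"' % (NS, method)}}

for sample in (soap("get_log_line", "/var/log/auth.log", "1;id;"),
               soap("get_log_line", "/var/log/auth.log", "10"), soap("get_dpkg")):
    print(inspect_request(sample))
```

The method name is taken from both the SOAPAction header and the SOAP body, so a request whose header and body disagree is still classified by what the body actually calls.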