CVE-2014-5210
Published: 2014-08-21
Priority: P2 (66), critical
CVSS 2.0: 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Exploit: available
EPSS: 14.92% (96.3rd percentile)
The av-centerd SOAP service in AlienVault OSSIM before 4.7.0 allows remote attackers to execute arbitrary commands via a crafted (1) remote_task or (2) get_license request, a different vulnerability than CVE-2014-3804 and CVE-2014-3805.
Affected
29 ranges (25 shown on the source page; only the first carries version data)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| alienvault | open_source_security_information_management | <= 4.6.1 | — |
Detection & IOCs (extracted from sources)
- Detect SOAP POST requests to /av-centerd on TCP port 40007 over SSL containing a SOAPAction header value of 'AV/CC/Util#get_license' or 'AV/CC/Util#remote_task'; these are the two exploited methods.
- Alert on SOAP request bodies containing pipe-prefixed shell injection strings in the c-gensym13 parameter (license_type field), e.g. values beginning with '|perl' or other shell metacharacters.
- Monitor for execution of 'iptables --flush' spawned from the av-centerd process, which the exploit uses to disable the host firewall before delivering the payload.
- Check for OSSIM versions below 4.7.0 by inspecting the SOAPServer response header and body for 'alienvault-center' package version strings less than 4.7.0.
- The exploit fingerprints the target using the 'get_dpkg' SOAP method and checks for 'SOAP::Lite' in the SOAPServer response header; alert on unauthenticated get_dpkg calls to /av-centerd.
- The vulnerable code path passes the unsanitized $license_type parameter directly into a system() call via a curl command string; monitor for curl child processes spawned by av-centerd with unexpected arguments.
- The exploit requires SSL (HTTPS) to communicate with the av-centerd SOAP service; plain-text HTTP inspection will not capture the attack payload without SSL decryption.
- The exploit targets AlienVault OSSIM versions strictly below 4.7.0; versions 4.7.0 and above are not affected and will return CheckCode::Safe.
- The payload is Base64-encoded before being injected into the license_type parameter; detection rules must account for Base64-obfuscated shell commands within the SOAP body.
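The following Python is an added defensive example, not code from the page's sources, the Metasploit module or AlienVault. It applies the indicators above to one captured, already-decrypted SOAP request: it checks the SOAPAction header for the two exploited methods, then looks at the license_type parameter for a leading pipe or other shell metacharacters. Two assumptions are the author's own: the parameter is matched by the pattern c-gensym<N> rather than exactly c-gensym13, because SOAP::Lite generates that suffix and it may vary between requests, and a value that is pure Base64 is decoded and re-checked, which goes slightly beyond the page (the page says the payload is Base64-wrapped inside the injected string). The sample requests are constructed for the test, not captured traffic.

```python
import base64
import re
import xml.etree.ElementTree as ET

# The two exploited methods named in the IOC list above.
WATCHED_ACTIONS = {"AV/CC/Util#get_license", "AV/CC/Util#remote_task"}
# Assumption: SOAP::Lite auto-names positional parameters c-gensym<N>; the
# page cites c-gensym13, so match the pattern rather than one fixed number.
PARAM_TAG = re.compile(r"c-gensym\d+")
# Characters that have no business in a license type string.
SHELL_META = re.compile(r"[|;&`$<>]")


def _decode_if_base64(value: str):
    """Return the decoded text if `value` is pure Base64 wrapping printable
    ASCII, otherwise None. A random short word that happens to decode to
    binary junk is rejected by the isascii/isprintable check."""
    if len(value) < 8 or re.fullmatch(r"[A-Za-z0-9+/=]+", value) is None:
        return None
    try:
        decoded = base64.b64decode(value).decode("utf-8", "replace")
    except Exception:
        return None
    return decoded if decoded.isascii() and decoded.isprintable() else None


def inspect_soap_request(headers: dict, body: str) -> list:
    """Return a list of finding strings for one SOAP request to /av-centerd.
    An empty list means nothing matched the indicators."""
    findings = []
    action = headers.get("SOAPAction", "").strip().strip('"')
    if action not in WATCHED_ACTIONS:
        return findings
    findings.append(f"watched method invoked: {action}")
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        findings.append("unparseable SOAP body on watched method")
        return findings
    for elem in root.iter():
        tag = elem.tag.split("}")[-1]  # drop any namespace prefix
        if not PARAM_TAG.fullmatch(tag) or elem.text is None:
            continue
        value = elem.text.strip()
        if value.startswith("|") or SHELL_META.search(value):
            findings.append(f"shell metacharacters in {tag}: {value[:40]!r}")
            continue
        decoded = _decode_if_base64(value)
        if decoded is not None and SHELL_META.search(decoded):
            findings.append(f"base64-wrapped shell metacharacters in {tag}")
    return findings


def _envelope(param_value: str) -> str:
    # Constructed minimal SOAP::Lite-style body; not a captured request.
    return (
        '<?xml version="1.0"?>'
        '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
        '<soap:Body><get_license>'
        f'<c-gensym13>{param_value}</c-gensym13>'
        '</get_license></soap:Body></soap:Envelope>'
    )


# Constructed samples: a legitimate-looking license type, a pipe-prefixed
# value, and a Base64-wrapped value (a harmless echo, used only for the test).
GET_LICENSE_HEADERS = {"SOAPAction": '"AV/CC/Util#get_license"'}
BENIGN_BODY = _envelope("professional")
PIPE_BODY = _envelope("|echo injected-test")
B64_BODY = _envelope(base64.b64encode(b"| echo injected-test").decode())


if __name__ == "__main__":
    for name, body in [("benign", BENIGN_BODY), ("pipe", PIPE_BODY), ("b64", B64_BODY)]:
        print(name, inspect_soap_request(GET_LICENSE_HEADERS, body))
```

Run it as-is to see the three verdicts; in practice feed it decrypted request headers and bodies from a TLS-terminating proxy or a sensor with the av-centerd key, since, as noted above, the traffic is HTTPS and the body is invisible without decryption.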
References
- http://forums.alienvault.com/discussion/2690
- http://www.securityfocus.com/bid/69239
- http://www.zerodayinitiative.com/advisories/ZDI-14-294/
- http://www.zerodayinitiative.com/advisories/ZDI-14-295/