CVE-2014-5210
published 2014-08-21


Priority: P2 66
CVSS 2.0: 10.0 (critical), vector AV:N/AC:L/Au:N/C:C/I:C/A:C
Exploit: available
EPSS: 14.92% (96.3rd percentile)
The av-centerd SOAP service in AlienVault OSSIM before 4.7.0 allows remote attackers to execute arbitrary commands via a crafted (1) remote_task or (2) get_license request, a different vulnerability than CVE-2014-3804 and CVE-2014-3805.

Affected

29 ranges (25 shown on the original page; only the first carries a version bound)

Vendor      Product                                       Version range   Fixed in
alienvault  open_source_security_information_management   <= 4.6.1        (not listed)

(The remaining 24 shown rows repeat the same vendor and product without a version range or fixed version.)

Detection & IOCs (extracted from sources)

port: 40007
url: /av-centerd
path: /usr/share/alienvault-center/lib/AV/CC/Util.pm
command: |perl -MMIME::Base64 -e 'system(decode_base64("..."));'
command: iptables --flush
other: SOAPAction: "AV/CC/Util#get_license"
other: xmlns: AV/CC/Util
  • Detect SOAP POST requests to /av-centerd on TCP port 40007 over SSL containing SOAPAction header value 'AV/CC/Util#get_license' or 'AV/CC/Util#remote_task' — these are the two exploited methods.
  • Alert on SOAP request bodies containing pipe-prefixed shell injection strings in the c-gensym13 parameter (license_type field), e.g. values beginning with '|perl' or other shell metacharacters.
  • Monitor for execution of 'iptables --flush' spawned from the av-centerd process, which is used by the exploit to disable the host firewall before delivering the payload.
  • Check for OSSIM versions below 4.7.0 by inspecting the SOAPServer response header and body for 'alienvault-center' package version strings less than 4.7.0.
  • The exploit fingerprints the target using the 'get_dpkg' SOAP method and checks for 'SOAP::Lite' in the SOAPServer response header; alert on unauthenticated get_dpkg calls to /av-centerd.
  • The vulnerable code path passes the unsanitized $license_type parameter directly into a system() call via curl command string; monitor for curl child processes spawned by av-centerd with unexpected arguments.
  • The exploit requires SSL (HTTPS) to communicate with the av-centerd SOAP service; plain-text HTTP inspection will not capture the attack payload without SSL decryption.
  • The exploit targets AlienVault OSSIM versions strictly below 4.7.0; versions 4.7.0 and above are not affected and will return CheckCode::Safe.
  • The payload is Base64-encoded before being injected into the license_type parameter; detection rules must account for Base64-obfuscated shell commands within the SOAP body.
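As an added example (not from this page, AlienVault, or any exploit module), a small Python checker that applies the detection points above to one decrypted av-centerd request: it parses the HTTP headers and SOAP body, tags the two exploited SOAPAction values (and the get_dpkg fingerprinting call), and reports any element whose text begins with a pipe or other shell metacharacter or embeds command substitution. The sample requests, the 192.0.2.10 host and the "professional" license value are constructed; the element name c-gensym13 and the perl string are taken from the IOCs above.

```python
import re
from xml.etree import ElementTree as ET

# SOAP methods the advisory names as exploited, plus the fingerprinting
# call the detection notes say to alert on.
EXPLOITED_ACTIONS = {"AV/CC/Util#get_license", "AV/CC/Util#remote_task"}
FINGERPRINT_ACTIONS = {"AV/CC/Util#get_dpkg"}
# A value starting with a pipe or other shell metacharacter, or carrying
# command substitution, must never reach the system() call in Util.pm.
SHELL_META = re.compile(r"^\s*[|;&`]|\$\(|`")

def parse_request(raw: str):
    """Split a raw HTTP request into (method, path, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _ = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body

def check_request(raw: str) -> list:
    """Return finding tags for one decrypted request to the SOAP service."""
    findings = []
    method, path, headers, body = parse_request(raw)
    if method != "POST" or not path.startswith("/av-centerd"):
        return findings
    action = headers.get("soapaction", "").strip('"')
    if action in EXPLOITED_ACTIONS:
        findings.append(f"exploited-method:{action}")
    elif action in FINGERPRINT_ACTIONS:
        findings.append(f"fingerprint:{action}")
    try:
        root = ET.fromstring(body.encode())
    except ET.ParseError:
        return findings          # malformed SOAP: nothing more to inspect
    for el in root.iter():
        text = (el.text or "").strip()
        if text and SHELL_META.search(text):
            local = el.tag.rsplit("}", 1)[-1]   # drop the XML namespace
            findings.append(f"shell-meta:{local}")
    return findings

# Constructed sample requests (not captured traffic); host is a documentation-range IP.
_HEAD = ('POST /av-centerd HTTP/1.1\r\nHost: 192.0.2.10:40007\r\n'
         'Content-Type: text/xml\r\nSOAPAction: "AV/CC/Util#get_license"\r\n\r\n')
_BODY = ('<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"'
         ' xmlns:ns="AV/CC/Util"><soap:Body><ns:get_license>'
         '<c-gensym13>{}</c-gensym13></ns:get_license></soap:Body></soap:Envelope>')
SAMPLE_INJECTION = _HEAD + _BODY.format(
    "|perl -MMIME::Base64 -e 'system(decode_base64(\"...\"));'")
SAMPLE_CLEAN = _HEAD + _BODY.format("professional")   # constructed license value

if __name__ == "__main__":
    for name, req in (("injection", SAMPLE_INJECTION), ("clean", SAMPLE_CLEAN)):
        print(name, check_request(req))
```

Run it against requests only after TLS termination or decryption, since the service speaks HTTPS on port 40007 and the body is not visible otherwise.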