CVE-2016-8582
published 2016-10-28


Priority: P2 · 73 · critical · 9.8 (CVSS 3.0)
Vector: AV:N AC:L PR:N UI:N S:U C:H I:H A:H
Exploit: available
EPSS: 57.43% (99.0th percentile)
A vulnerability exists in gauge.php of AlienVault OSSIM and USM before 5.3.2 that allows an attacker to execute an arbitrary SQL query and retrieve database information or read local system files via MySQL's LOAD_FILE.

Affected (2 ranges)

Vendor     | Product                                               | Version range | Fixed in
alienvault | open_source_security_information_and_event_management | <= 5.3.1      |
alienvault | unified_security_management                           | <= 5.3.1      |

Detection & IOCs (extracted from sources)

path: /ossim/dashboard/sections/widgets/data/gauge.php
url: /ossim/dashboard/sections/widgets/data/gauge.php?&type=alarm&wtype=blah&asset=1&height=1&value=a%3A1%3A%7Bs%3A4%3A%22type%22%3Bs%3A67%3A%22pass+from+users+INTO+OUTFILE+%27%2Ftmp%2F10.0.0.123_pass_tshark.pcap%27--+-%22%3B%7D
path: /tmp/10.0.0.123_pass_tshark.pcap
  • Detect HTTP requests to gauge.php whose 'value' parameter carries a serialized PHP array; the payload places a SQL query in the 'type' field of that serialized object (it begins 'a:1:{s:4:"type";s:...').
  • Alert on HTTP requests to gauge.php whose 'value' parameter contains the URL-encoded SQL keywords INTO OUTFILE or LOAD_FILE, which indicate blind SQL injection or file-read exploitation.
  • Monitor for the sequential access pattern POST/GET to gauge.php followed by a GET to /ossim/pcap/download.php; this two-step pattern is used to exfiltrate SQL query output that was written to a file.
  • The Metasploit module chains this SQLi (CVE-2016-8582) with object injection and IP spoofing to leak an admin session token, then creates a rogue action/policy and triggers it via an SSH login with invalid credentials to achieve RCE as root. Detect anomalous SSH login attempts to the AlienVault sensor that follow web requests to gauge.php.
  • Exploiting the SQLi in gauge.php requires authentication in the standalone CVE-2016-8582 scenario; the Metasploit module, however, chains an authentication bypass vulnerability, making the SQLi reachable without authentication.
  • The SQL injection result is not reflected in the HTTP response, so detection based solely on response-content inspection will miss this vulnerability; out-of-band detection (INTO OUTFILE followed by retrieval via download.php) or time-based blind detection is required.
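A small detector implementing the three log-based rules above (serialized 'value' parameter, SQL file keywords, and the gauge.php-then-download.php sequence), added here as an example and not taken from the page's sources or from AlienVault. The event format, client addresses and timestamps are constructed for the example; only the request URL comes from this page.

```python
import re
from urllib.parse import parse_qs, urlsplit

GAUGE = "/ossim/dashboard/sections/widgets/data/gauge.php"
DOWNLOAD = "/ossim/pcap/download.php"
# Serialized PHP array whose first element is the string key 'type':
# the shape the page describes, a:N:{s:4:"type";s:M:"...";...}
SERIALIZED_TYPE = re.compile(r'^a:\d+:\{s:4:"type";s:\d+:"')
# MySQL file primitives the page names as the out-of-band / file-read markers.
SQL_FILE_OPS = re.compile(r"\b(INTO\s+OUTFILE|LOAD_FILE)\b", re.IGNORECASE)

# Constructed sample events: (epoch seconds, client IP, method, request target).
SAMPLE_EVENTS = [
    (1000, "10.0.0.5", "GET", GAUGE + "?type=alarm&wtype=alarm&asset=1&height=1&value=alarm"),
    (1001, "10.0.0.5", "GET", GAUGE + "?&type=alarm&wtype=blah&asset=1&height=1&value="
     "a%3A1%3A%7Bs%3A4%3A%22type%22%3Bs%3A67%3A%22pass+from+users+INTO+OUTFILE+"
     "%27%2Ftmp%2F10.0.0.123_pass_tshark.pcap%27--+-%22%3B%7D"),
    (1030, "10.0.0.5", "GET", DOWNLOAD),   # retrieval shortly after the gauge.php request
    (1500, "10.0.0.9", "GET", DOWNLOAD),   # no preceding gauge.php from this client
]

def inspect_value(target):
    """Findings for one request target (path + query), per the first two rules."""
    parts = urlsplit(target)
    if parts.path != GAUGE:
        return []
    value = parse_qs(parts.query).get("value", [""])[0]  # parse_qs URL-decodes, '+' -> space
    findings = []
    if SERIALIZED_TYPE.match(value):
        findings.append("serialized-php-array-in-value")
    if SQL_FILE_OPS.search(value):
        findings.append("sql-file-operation-in-value")
    return findings

def correlate(events, window=300):
    """Per client, flag a download.php request within `window` seconds of a gauge.php
    request (third rule): the query result never appears in gauge.php's own response."""
    last_gauge, alerts = {}, []
    for ts, client, _method, target in events:
        path = urlsplit(target).path
        if path == GAUGE:
            last_gauge[client] = ts
        elif path == DOWNLOAD and client in last_gauge and ts - last_gauge[client] <= window:
            alerts.append((client, last_gauge[client], ts))
    return alerts

def scan(events):
    """Both checks combined as (timestamp, client, finding) tuples."""
    report = [(ts, c, f) for ts, c, _m, t in events for f in inspect_value(t)]
    report += [(end, c, "gauge.php-then-download.php") for c, _start, end in correlate(events)]
    return report

if __name__ == "__main__":
    for row in scan(SAMPLE_EVENTS):
        print(row)
```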

CVSS provenance

nvd · v3.0 · 9.8 CRITICAL · CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd · v2.0 · 7.5 HIGH · AV:N/AC:L/Au:N/C:P/I:P/A:P