CVE-2017-6971
published 2017-03-22

Priority: P2 (65) · high
CVSS 3.0: 8.8 (AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H)
Tags: EXPLOIT
EPSS: 16.18% (96.5th percentile)
AlienVault USM and OSSIM before 5.3.7 and NfSen before 1.3.8 allow remote authenticated users to execute arbitrary commands in a privileged context, or launch a reverse shell, via vectors involving the PHP session ID and the NfSen PHP code, aka AlienVault ID ENG-104862.

Affected (3 ranges)

Vendor      Product                       Version range   Fixed in
alienvault  ossim                         <= 5.3.6
alienvault  unified_security_management   <= 5.3.6
nfsen       nfsen                         <= 1.3.7

Detection & IOCs (extracted from sources)

url: https://<target>/ossim/nfsen/nfsen.php
path: /ossim/nfsen/nfsen.php
command: process=Process&output=custom+...&customfmt=%0A.%0Arun-nfdump%0Aargs=-h; <cmd> #
  • Detect POST requests to /ossim/nfsen/nfsen.php whose 'customfmt' parameter contains URL-encoded newline characters (%0A); these separate the injected IPC commands such as 'run-nfdump'.
  • Alert on POST body parameters in which the 'customfmt' field contains 'run-nfdump' together with shell metacharacters (semicolons, hash/comment characters): this is the injection vector.
  • A valid PHPSESSID cookie from a session that has previously submitted at least one NfSen query is required; monitor for reuse of session tokens from unexpected source IPs against /ossim/nfsen/nfsen.php.
  • Monitor for outbound connections (especially on port 443) initiated by the NfSen/OSSIM process, which may indicate that a reverse shell payload has executed.
  • Exploitation requires the attacker to already possess a valid PHPSESSID from an authenticated session that has previously submitted at least one NfSen query; unauthenticated exploitation is not directly possible without a stolen session token.
  • Affected versions include NfSen 1.3.6p1, 1.3.7, and 1.3.7-1~bpo80+1_all (and likely earlier versions), as well as AlienVault USM/OSSIM 5.3.4. CVE-2017-6971 is distinct from the related privilege-dropping issue tracked as CVE-2017-6972.
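The first two detection bullets as a small Python check, added here as an example and not part of this record or of any vendor tooling. The path, the 'customfmt' parameter and the 'run-nfdump' marker come from the record above; the sample request bodies are constructed. The body is split on '&' only, so a literal ';' inside the value is not mistaken for a parameter separator and the rule cannot be dodged that way.

```python
import re
from urllib.parse import unquote_plus

TARGET_PATH = "/ossim/nfsen/nfsen.php"   # from the record above
SHELL_META = re.compile(r"[;#|&`$]")     # metacharacters that may follow run-nfdump

# Constructed sample requests (method, path, body); not captured traffic.
SAMPLE_REQUESTS = [
    ("POST", TARGET_PATH, "process=Process&output=custom+fmt&customfmt=%25sa+%25da"),
    ("POST", TARGET_PATH,
     "process=Process&output=custom+...&customfmt=%0A.%0Arun-nfdump%0Aargs=-h%3B+%3Ccmd%3E+%23"),
    ("GET", TARGET_PATH, ""),
    ("POST", "/ossim/other.php", "customfmt=%0Arun-nfdump"),
]


def parse_body(body):
    """Split a form body on '&' only (never on ';'), so a literal ';' inside a
    value survives decoding instead of being treated as a parameter separator."""
    params = {}
    for pair in body.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        params.setdefault(unquote_plus(key), []).append(unquote_plus(value))
    return params


def inspect_request(method, path, body):
    """Return the detection reasons for one request; an empty list means clean."""
    if method != "POST" or path.split("?", 1)[0] != TARGET_PATH:
        return []
    reasons = []
    for fmt in parse_body(body).get("customfmt", []):
        # %0A / %0D decode to raw line breaks, which separate injected IPC commands
        if "\n" in fmt or "\r" in fmt:
            reasons.append("line break in customfmt (IPC command injection)")
        if "run-nfdump" in fmt and SHELL_META.search(fmt):
            reasons.append("run-nfdump with shell metacharacters in customfmt")
    return reasons


def scan(requests):
    """Return [(index, reasons)] for every request that trips at least one rule."""
    return [(i, r) for i, (m, p, b) in enumerate(requests) if (r := inspect_request(m, p, b))]


if __name__ == "__main__":
    for i, reasons in scan(SAMPLE_REQUESTS):
        print(f"request {i}: " + "; ".join(reasons))
```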

CVSS provenance

Source  Version  Score  Severity  Vector
nvd     v3.0     8.8    HIGH      CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd     v2.0     9.0    CRITICAL  AV:N/AC:L/Au:S/C:C/I:C/A:C