CVE-2017-6971
Published 2017-03-22
Priority: P2 (65) · high · 8.8 (CVSS 3.0)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploit: public exploit available (Exploit-DB 42306, see references)
EPSS: 16.18% (96.5th percentile)
AlienVault USM and OSSIM before 5.3.7 and NfSen before 1.3.8 allow remote authenticated users to execute arbitrary commands in a privileged context, or launch a reverse shell, via vectors involving the PHP session ID and the NfSen PHP code, aka AlienVault ID ENG-104862.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| alienvault | ossim | <= 5.3.6 | — |
| alienvault | unified_security_management | <= 5.3.6 | — |
| nfsen | nfsen | <= 1.3.7 | — |
Detection & IOCs (extracted from sources)
- Detect POST requests to /ossim/nfsen/nfsen.php containing URL-encoded newline characters (%0A) in the 'customfmt' parameter, which are used to inject IPC commands such as 'run-nfdump'.
- Alert on POST body parameters containing 'run-nfdump' combined with shell metacharacters (semicolons, hash/comment characters) in the 'customfmt' field: this is the injection vector.
- A valid PHPSESSID cookie from a session that has previously submitted at least one NfSen query is required; monitor for reuse of session tokens from unexpected source IPs against /ossim/nfsen/nfsen.php.
- Monitor for outbound connections (especially on port 443) initiated by the NfSen/OSSIM process, which may indicate a successful reverse shell payload execution.
- Exploitation requires the attacker to already possess a valid PHPSESSID from an authenticated session that has previously submitted at least one NfSen query; unauthenticated exploitation is not directly possible without a stolen session token.
- Affected versions include NfSen 1.3.6p1, 1.3.7, and 1.3.7-1~bpo80+1_all (and likely earlier versions), as well as AlienVault USM/OSSIM 5.3.4. CVE-2017-6971 is distinct from the related privilege-dropping issue tracked as CVE-2017-6972.
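The first three indicators above can be turned into a small log check. The following is an added example, not code from the advisory, AlienVault or the NfSen project: it assumes a constructed, simplified request log in which each record is a dict carrying the HTTP method, path, source IP, PHPSESSID value and raw POST body (the record layout and the sample entries are invented for illustration, and the sample bodies only contain the indicator tokens, not a working payload). It flags a newline in `customfmt`, `run-nfdump` together with shell metacharacters in `customfmt`, and reuse of a PHPSESSID from a source IP other than the one that first used it.

```python
"""Flag requests matching the CVE-2017-6971 indicators (added example).

Assumes a constructed request-log format: a list of dicts with keys
method, path, src (client IP), sid (PHPSESSID) and body (raw POST body).
"""
from urllib.parse import parse_qs

NFSEN_PATH = "/ossim/nfsen/nfsen.php"
# Metacharacters named in the detection notes (semicolon, hash/comment).
SHELL_METACHARS = (";", "#")

# Constructed sample log. Record 1 carries the %0A / run-nfdump / metachar
# indicators; record 2 reuses session aaaa1111 from a different source IP.
SAMPLE_LOG = [
    {"method": "POST", "path": NFSEN_PATH, "src": "10.0.0.5",
     "sid": "aaaa1111", "body": "customfmt=%25ts%20%25sa"},          # benign
    {"method": "POST", "path": NFSEN_PATH, "src": "10.0.0.5",
     "sid": "aaaa1111", "body": "customfmt=x%0Arun-nfdump%20args%3Bx%23"},
    {"method": "POST", "path": NFSEN_PATH, "src": "203.0.113.9",
     "sid": "aaaa1111", "body": "customfmt=x"},                       # new IP
    {"method": "GET", "path": "/ossim/", "src": "10.0.0.7",
     "sid": "bbbb2222", "body": ""},                                  # ignored
]


def build_session_baseline(records):
    """Map each PHPSESSID to the first source IP seen using it."""
    baseline = {}
    for rec in records:
        baseline.setdefault(rec["sid"], rec["src"])
    return baseline


def analyze_request(rec, baseline):
    """Return the indicator names a single request matches (empty if none)."""
    findings = []
    if rec["method"] != "POST" or rec["path"] != NFSEN_PATH:
        return findings
    # parse_qs percent-decodes once, so %0A/%0a become "\n" and %3B ";".
    # Double-encoded values would need a second decode pass (not done here).
    params = parse_qs(rec["body"], keep_blank_values=True)
    for value in params.get("customfmt", []):
        if "\n" in value:
            findings.append("newline_in_customfmt")
        if "run-nfdump" in value and any(c in value for c in SHELL_METACHARS):
            findings.append("run-nfdump_with_metachars")
    expected_src = baseline.get(rec["sid"])
    if expected_src is not None and expected_src != rec["src"]:
        findings.append("session_reuse_from_new_ip")
    return findings


def scan_log(records):
    """Scan a whole log; returns {record_index: [indicators]} for hits only."""
    baseline = build_session_baseline(records)
    hits = {}
    for i, rec in enumerate(records):
        found = analyze_request(rec, baseline)
        if found:
            hits[i] = found
    return hits


if __name__ == "__main__":
    for idx, names in scan_log(SAMPLE_LOG).items():
        print(f"record {idx}: {', '.join(names)}")
```

The session baseline is deliberately naive (first IP wins); in a real deployment it should come from the authentication log or the NfSen query history the advisory mentions, and benign events such as VPN address changes will need tuning.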
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.0 | 8.8 | HIGH | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| NVD | 2.0 | 9.0 | CRITICAL | AV:N/AC:L/Au:S/C:C/I:C/A:C |
GHSA
- GHSA-984w-gcj2-gr36 (GHSA unreviewed, 2022-05-13, CVSS 8.4): CVE-2017-6972 [HIGH], CWE-273. AlienVault USM and OSSIM before 5.3.7 and NfSen before 1.3.8 have an error in privilege dropping and unnecessarily execute the NfSen Perl code as root, aka AlienVault ID ENG-104945, a different vulnerability than CVE-2017-6970 and CVE-2017-6971.
- GHSA-q8hc-xr26-2j5g (GHSA unreviewed, 2022-05-13): CVE-2017-6971 [HIGH], CWE-74. AlienVault USM and OSSIM before 5.3.7 and NfSen before 1.3.8 allow remote authenticated users to execute arbitrary commands in a privileged context, or launch a reverse shell, via vectors involving the PHP session ID and the NfSen PHP code, aka AlienVault ID ENG-104862.
No detection rules found.
No writeups or analysis indexed.
References
- https://sourceforge.net/p/nfsen/news/2017/01/nfsen-138-released---security-fix/
- https://www.alienvault.com/forums/discussion/8325/
- https://www.alienvault.com/forums/discussion/8698
- https://www.exploit-db.com/exploits/42306/