AlienVault OSSIM, USM platform vulnerabilities exposed

After five months, AlienVault has promised a patch for XSS, SQLi, and command execution vulnerabilities. [UPDATED]


A security researcher has revealed the existence of multiple vulnerabilities within AlienVault's OSSIM and USM platforms.

Last week, security researcher Peter Lapp posted an analysis of multiple vulnerabilities within AlienVault's OSSIM and USM systems, exploitable by simply uploading a customised NBE file.

AlienVault's OSSIM platform is a security information and event management (SIEM) system used by over 195,000 security professionals worldwide. The open-source platform brings together event collection, normalization and correlation with security controls. AlienVault's Unified Security Management (USM) platform is another all-in-one service designed for SMBs and mid-market companies which require security monitoring, security event management and threat intelligence.

Detailed on Full Disclosure, the security flaw is found within the vulnerability management section of the UI, which allows users to upload a Nessus vulnerability scan -- in an NBE format -- to the system. If this NBE file is specially crafted, users can exploit multiple vulnerabilities and conduct XSS, SQLi, and command execution attacks.

Authentication is required to exploit the vulnerability, but admin privileges are not required -- therefore any user with access to the vulnerability management system can exploit the flaw.

As noted by Lapp, the hostname/IP portion of the NBE import is vulnerable, and by modifying code directly after the hostname, JavaScript can be reflected back when an import finishes. In addition, the plugin ID portion of the NBE is vulnerable, and adding script to the plugin ID in the NBE file "will result in the script being executed every time someone views the HTML report in the OSSIM interface," according to the researcher. The plugin ID is also vulnerable to blind SQLi.

SQL injection is also an issue: the NBE file can be modified so that the hash of the admin password is included in the imported report. Finally, Lapp says the hostname/IP portion of the NBE is vulnerable to command injection.
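As an added defensive illustration (not code from the article, from Lapp or from AlienVault), the check below validates the two NBE fields the report names before a file reaches an importer: the host field must be an IP address or a plain hostname and the plugin ID must be purely numeric, so records carrying script, SQL or shell metacharacters in those fields are rejected. The pipe-delimited field layout of NBE "results" records and the sample records are assumptions constructed for this example.

```python
import ipaddress
import re

# Assumed NBE "results" record layout (pipe-delimited):
#   results|<subnet>|<host>|<port>|<plugin id>|<severity>|<description>
# Only the host (field 3) and plugin id (field 5) are validated here.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)
PLUGIN_ID_RE = re.compile(r"^[0-9]{1,10}$")


def valid_host(value):
    """True only for an IPv4/IPv6 literal or an RFC 1123-style hostname."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return bool(HOSTNAME_RE.match(value))


def check_nbe_line(line):
    """Return None if the record is acceptable, otherwise a rejection reason."""
    fields = line.rstrip("\r\n").split("|")
    if fields[0] != "results":
        return None  # timestamps/other record types are not inspected here
    if len(fields) < 6:
        return "too few fields"
    host, plugin_id = fields[2], fields[4]
    if not valid_host(host):
        return "host field rejected: %r" % host
    if not PLUGIN_ID_RE.match(plugin_id):
        return "plugin id rejected: %r" % plugin_id
    return None


def filter_nbe(text):
    """Split an NBE document into (accepted lines, [(line_no, reason), ...])."""
    accepted, rejected = [], []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        reason = check_nbe_line(line)
        (rejected.append((n, reason)) if reason else accepted.append(line))
    return accepted, rejected


# Constructed sample: two clean records, one tainted host, one tainted plugin id.
SAMPLE = """results|10.0.0|10.0.0.5|general/tcp|10287|Security Note|traceroute ok
results|10.0.0|10.0.0.5<script>x</script>|www (80/tcp)|11219|Security Hole|x
results|10.0.0|10.0.0.6|general/tcp|11219' OR 1=1|Security Warning|x
results|10.0.0|host-a.example.test|ssh (22/tcp)|10881|Security Note|ok
"""

if __name__ == "__main__":
    ok, bad = filter_nbe(SAMPLE)
    print("accepted:", len(ok), "rejected:", bad)
```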

Lapp says the security flaw has been tested on versions 4.14, 4.15 and 5.0, although it "likely affects" all previous versions.

Lapp originally notified AlienVault of the problem in January this year. On the same day, 12 January, the vendor confirmed the security issue was genuine and filed the defect.

Several weeks later, the researcher requested an update and was told the issue would be worked on "in the future." On April 20, the problem had not been patched, and Lapp informed AlienVault of his intention to publish his findings. Lapp did not receive a response.

However, shortly after revealing the flaw, the security researcher says he received an email from the security firm saying a fix is "imminent" and will be released this week in version 5.0.2.

While the patch is yet to be issued, Lapp says:

"It is possible to restrict access to the vulnerabilities page via user roles, which should prevent a user from exploiting this. Also, if you're not using the import feature, you could rename the Perl script on the file system that runs the import."

Last month, Hewlett-Packard announced it would begin integrating threat data from AlienVault's Open Threat Exchange (OTX) within the HP Threat Central cloud-based intelligence serving platform. The exchange will also send HP data to AlienVault, and the tech giant's threat intelligence will eventually be integrated within OTX.

UPDATE: AlienVault has patched the flaw and a fix is available here.
