CVE-2016-7955
📋 TL;DR
This authentication bypass vulnerability in AlienVault OSSIM and USM allows remote attackers to gain root access by sending a specially crafted HTTP User-Agent header. Attackers can execute arbitrary code, modify the application, or access sensitive information. Organizations running affected versions of AlienVault security monitoring products are vulnerable.
💻 Affected Systems
- AlienVault OSSIM
- AlienVault USM
📦 What is this software?
OSSIM by AlienVault
⚠️ Risk & Real-World Impact
Worst Case
Remote unauthenticated attacker gains root shell access on the AlienVault system, allowing complete compromise of the security monitoring infrastructure, data exfiltration, and lateral movement to other systems.
Likely Case
Attackers bypass authentication to access sensitive security data, modify alert configurations, or deploy malware on the monitoring system.
If Mitigated
With proper network segmentation and access controls, impact is limited to the AlienVault system itself, though this still represents a critical security monitoring failure.
🎯 Exploit Status
Exploit requires sending HTTP requests with specific User-Agent header. Multiple public advisories and proof-of-concepts exist.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.3.1
Vendor Advisory: https://www.alienvault.com/forums/discussion/7765/alienvault-v5-3-1-hotfix
Restart Required: Yes
Instructions:
1. Back up the current configuration.
2. Apply the AlienVault 5.3.1 hotfix or upgrade to version 5.3.1.
3. Restart AlienVault services.
4. Verify the fix by checking the version and testing authentication.
🔧 Temporary Workarounds
Network Access Restriction
Restrict network access to the AlienVault web interface to trusted IP addresses only (replace TRUSTED_IP with your management address; the ACCEPT rule must precede the DROP rule):
iptables -A INPUT -p tcp --dport 443 -s TRUSTED_IP -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j DROP
Web Server Header Filtering
Configure the web server to reject requests with 'AV Report Scheduler' in the User-Agent header. Add to the Apache config (Apache 2.2 access-control syntax):
SetEnvIf User-Agent "AV Report Scheduler" bad_agent
Order allow,deny
Allow from all
Deny from env=bad_agent
🧯 If You Can't Patch
- Isolate AlienVault system on separate VLAN with strict firewall rules
- Implement web application firewall (WAF) to block malicious User-Agent headers
🔍 How to Verify
Check if Vulnerable:
Check if version is below 5.3.1: cat /etc/ossim/ossim_setup.conf | grep version
Check Version:
cat /etc/ossim/ossim_setup.conf | grep version
Verify Fix Applied:
Verify version is 5.3.1 or higher and test authentication bypass with known exploit payload
📡 Detection & Monitoring
Log Indicators:
- HTTP requests with 'AV Report Scheduler' in User-Agent header
- Unauthenticated access to privileged endpoints
- Unusual process execution as root user
Network Indicators:
- HTTP traffic to AlienVault web interface with suspicious User-Agent headers
- Unexpected outbound connections from AlienVault system
SIEM Query:
source="alienvault" AND (user_agent="*AV Report Scheduler*" OR action="authentication_bypass")
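The log indicator above can be checked offline against web server access logs. The following is an added example (not from the original advisory or from AlienVault) that parses Apache combined-format log lines, flags entries whose User-Agent contains 'AV Report Scheduler', and marks whether the source address is on a caller-supplied trusted list, mirroring the TRUSTED_IP placeholder in the workaround; the sample log lines and paths are constructed.

```python
import re
from dataclasses import dataclass

# Apache "combined" log format: ip ident user [ts] "req" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
SUSPICIOUS_UA = "AV Report Scheduler"  # indicator named in the advisory


@dataclass
class Hit:
    ip: str
    ts: str
    method: str
    path: str
    status: int
    ua: str
    trusted_source: bool  # True if the client IP is on the trusted list


def parse_line(line):
    """Return the named fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def scan(lines, trusted_ips=frozenset()):
    """Return a Hit for every parseable line whose User-Agent contains the indicator.
    The comparison is case-insensitive so capitalisation differences do not slip past it."""
    hits = []
    for line in lines:
        rec = parse_line(line.rstrip("\n"))
        if rec is None:
            continue  # unparseable line: skip rather than silently miscount
        if SUSPICIOUS_UA.lower() in rec["ua"].lower():
            hits.append(Hit(rec["ip"], rec["ts"], rec["method"], rec["path"],
                            int(rec["status"]), rec["ua"], rec["ip"] in trusted_ips))
    return hits


# Constructed sample log lines (not real traffic); paths are illustrative only.
SAMPLE_LOG = [
    '127.0.0.1 - - [10/Oct/2016:13:55:36 +0000] "GET /ossim/ HTTP/1.1" 200 512 "-" "AV Report Scheduler"',
    '198.51.100.7 - - [10/Oct/2016:13:56:01 +0000] "GET /ossim/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2016:13:57:12 +0000] "GET /ossim/ HTTP/1.1" 200 4096 "-" "av report scheduler"',
    'not a log line',
]

if __name__ == "__main__":
    for h in scan(SAMPLE_LOG, frozenset({"127.0.0.1"})):
        print(f"{h.ts} {h.ip} {h.method} {h.path} {h.status} trusted={h.trusted_source}")
```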
🔗 References
- http://www.securityfocus.com/archive/1/540224/100/0/threaded
- http://www.zerodayinitiative.com/advisories/ZDI-16-517/
- https://www.alienvault.com/forums/discussion/7765/alienvault-v5-3-1-hotfix