CVE-2016-8580
📋 TL;DR
This CVE describes PHP object injection vulnerabilities in AlienVault OSSIM and USM before 5.3.2. Attacker-controlled serialized data reaches unserialize(), so the magic methods (for example __wakeup() or __destruct()) of classes already loaded by the application run with attacker-chosen property values, which can be chained into execution of arbitrary PHP code. Because the affected product is the security monitoring platform itself, a successful attack can give the attacker control over the system that is supposed to be watching the rest of the network.
💻 Affected Systems
- AlienVault OSSIM
- AlienVault USM
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the AlienVault system leading to full administrative access, data exfiltration, and use as a pivot point to attack other network assets.
Likely Case
Remote code execution leading to installation of backdoors, credential theft, and disruption of security monitoring capabilities.
If Mitigated
Limited impact if proper network segmentation and access controls prevent exploitation attempts.
🎯 Exploit Status
Public exploit code is available on Exploit-DB (ID: 40682). The vulnerability can be exploited without authentication.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.3.2
Vendor Advisory: https://www.alienvault.com/forums/discussion/7766/security-advisory-alienvault-5-3-2-address-70-vulnerabilities
Restart Required: Yes
Instructions:
1. Back up the current configuration.
2. Download AlienVault 5.3.2 from official sources.
3. Follow the AlienVault upgrade documentation for your deployment type.
4. Restart all AlienVault services after the upgrade.
🔧 Temporary Workarounds
Network Access Restriction
Restrict access to the AlienVault web interface to trusted IP addresses only (Linux host firewall on the appliance):
iptables -A INPUT -p tcp --dport 443 -s TRUSTED_IP -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j DROP
Note that -A appends: if an earlier rule in the INPUT chain already accepts port 443, the DROP never fires, so check `iptables -L INPUT -n --line-numbers` and use -I to insert ahead of such a rule if needed. Repeat both rules for port 80 if the appliance also listens there, and add one ACCEPT line per trusted address or range.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate AlienVault systems from untrusted networks
- Deploy web application firewall (WAF) rules to block PHP object injection attempts
🔍 How to Verify
Check if Vulnerable:
Check AlienVault version via web interface or command line. Versions below 5.3.2 are vulnerable.
Check Version:
grep 'version' /etc/ossim/ossim_server
Since the appliance is Debian-based, `dpkg -l 'ossim*' 'alienvault*'` lists the installed package versions and is a useful cross-check.
Verify Fix Applied:
Verify that the version is 5.3.2 or higher, either with `grep 'version' /etc/ossim/ossim_server` or via the version check in the web interface.
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to widget files
- PHP error logs showing unserialize() warnings
- Web server logs with suspicious parameter values
Network Indicators:
- HTTP requests containing serialized PHP objects in parameters (the header looks like O:8:"ClassName":N:{ and usually arrives percent-encoded, so watch for O%3A as well as O:)
- Traffic to AlienVault web interface from unexpected sources
SIEM Query (vendor-neutral pseudo-query; adapt the source and field names to your SIEM):
source="alienvault" AND (uri="*widget*" OR params="*O:*") AND status=200
The bare "*O:*" pattern will match ordinary values too, so treat it as a triage filter and confirm hits by decoding the parameter and checking for the full O:<len>:"<class>":<count>:{ header. Do not restrict to status=200 alone; failed deserialization attempts can also produce 500s.
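As an added example (not from this page and not AlienVault code), the following Python script applies the log and network indicators above to access-log lines: it parses Apache/nginx combined-format entries, decodes query parameters (including a second layer of percent-encoding), and flags values that carry a full serialized-PHP-object header, ranking hits against widget paths higher. The log lines, IP addresses and the `/ossim/dashboard/widgets/example.php` path are constructed for the example; the path is a placeholder for "widget files", not a known OSSIM URL, and the log format is an assumption to adjust to your web tier.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# A serialized PHP object begins with O:<class-name length>:"<ClassName>":<property count>:{
# Matching the whole header (not just "O:") keeps false positives from ordinary values down.
PHP_OBJECT_RE = re.compile(r'O:\d+:"[A-Za-z_\\][A-Za-z0-9_\\]*":\d+:\{')

# Apache/nginx "combined" access-log format. Assumption: the OSSIM web tier logs in
# this format; adjust LOG_RE if yours differs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Hypothetical path filter matching the "widget files" indicator above.
WIDGET_PATH_RE = re.compile(r'/widget', re.IGNORECASE)


def decoded_params(target):
    """Yield (name, value) pairs from the query string of a request target.

    parse_qsl removes one layer of percent-encoding; the extra unquote_plus
    removes a second so double-encoded payloads (O%253A...) are still seen.
    """
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        yield name, unquote_plus(value)


def scan_line(line):
    """Classify one access-log line; return a finding dict or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = urlsplit(m['target']).path
    on_widget = bool(WIDGET_PATH_RE.search(path))
    base = {'ip': m['ip'], 'status': int(m['status']), 'path': path}
    for name, value in decoded_params(m['target']):
        obj = PHP_OBJECT_RE.search(value)
        if obj:
            return dict(base, param=name, object_header=obj.group(0),
                        severity='high' if on_widget else 'medium')
    if m['method'] == 'POST' and on_widget:
        # Access logs do not contain request bodies, so a POST to a widget
        # file is only a lead: pull the body from a WAF or proxy capture.
        return dict(base, param=None, object_header=None, severity='low')
    return None


def scan_log(lines):
    """Run scan_line over an iterable of log lines and keep the findings."""
    return [f for f in map(scan_line, lines) if f is not None]


# Constructed sample traffic (not real logs). The widget path is a placeholder,
# not a known OSSIM URL; IP addresses come from documentation ranges.
SAMPLE_LOG = [
    '203.0.113.5 - - [27/Oct/2016:10:15:32 +0000] "GET /ossim/dashboard/widgets/example.php'
    '?type=O%3A8%3A%22stdClass%22%3A0%3A%7B%7D HTTP/1.1" 200 512 "-" "curl/7.47.0"',
    '203.0.113.5 - - [27/Oct/2016:10:15:40 +0000] "GET /ossim/session/login.php'
    '?next=O%3A4%3A%22Evil%22%3A1%3A%7Bs%3A3%3A%22cmd%22%3Bs%3A2%3A%22id%22%3B%7D HTTP/1.1" 200 1043 "-" "curl/7.47.0"',
    '203.0.113.5 - - [27/Oct/2016:10:15:55 +0000] "GET /ossim/dashboard/widgets/example.php'
    '?type=O%253A8%253A%2522stdClass%2522%253A0%253A%257B%257D HTTP/1.1" 500 0 "-" "curl/7.47.0"',
    '192.0.2.10 - - [27/Oct/2016:10:16:01 +0000] "GET /ossim/dashboard/widgets/example.php'
    '?type=gauge&id=3 HTTP/1.1" 200 2210 "https://siem.example/ossim/" "Mozilla/5.0"',
    '198.51.100.7 - - [27/Oct/2016:10:16:20 +0000] "POST /ossim/dashboard/widgets/example.php'
    ' HTTP/1.1" 200 88 "-" "python-requests/2.9"',
    '192.0.2.10 - - [27/Oct/2016:10:16:33 +0000] "GET /ossim/session/login.php HTTP/1.1" 200 1043 "-" "Mozilla/5.0"',
]

if __name__ == '__main__':
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Run against the constructed sample, the script reports four findings: the encoded and double-encoded objects sent to the widget path (high, including the one that returned 500), the object smuggled into a non-widget parameter (medium), and the bodiless POST to the widget path (low). The benign widget request with plain `type=gauge&id=3` and the parameterless login request produce nothing, which is the point of matching the full object header rather than a bare "O:".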
🔗 References
- http://www.securityfocus.com/bid/93864
- https://www.alienvault.com/forums/discussion/7766/security-advisory-alienvault-5-3-2-address-70-vulnerabilities
- https://www.exploit-db.com/exploits/40682/