CVE-2017-6972
📋 TL;DR
This vulnerability in AlienVault USM/OSSIM and NfSen allows attackers to execute arbitrary code with root privileges due to improper privilege dropping. The NfSen Perl code unnecessarily runs as root, enabling complete system compromise. Affected users include those running vulnerable versions of these security monitoring products.
💻 Affected Systems
- AlienVault USM
- AlienVault OSSIM
- NfSen
📦 What is this software?
NfSen (by the NfSen project)
OSSIM (by AlienVault)
⚠️ Risk & Real-World Impact
Worst Case
Complete system takeover with root access, allowing installation of persistent backdoors, data exfiltration, and lateral movement across the network.
Likely Case
Remote code execution leading to compromise of the security monitoring system, potentially disabling security controls and providing attacker persistence.
If Mitigated
Limited impact if proper network segmentation and least privilege principles are implemented, though the system would still be vulnerable to compromise.
🎯 Exploit Status
Exploit code is publicly available on Exploit-DB (ID 42314), making this easily weaponizable by attackers.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: AlienVault USM/OSSIM 5.3.7+, NfSen 1.3.8+
Vendor Advisory: https://www.alienvault.com/forums/discussion/8698
Restart Required: Yes
Instructions:
1. Back up configuration and data.
2. Update to AlienVault USM/OSSIM 5.3.7 or later via the AlienVault update mechanism.
3. For NfSen, update to version 1.3.8 or later from SourceForge.
4. Restart affected services.
🔧 Temporary Workarounds
Network Segmentation
Isolate affected systems from critical networks and limit inbound connections. Example (Linux, iptables; replace the bracketed placeholders with the NfSen port and your trusted source ranges; append the ACCEPT rule before the DROP rule so it is evaluated first):
iptables -A INPUT -p tcp --dport [NfSen_port] -s [trusted_networks] -j ACCEPT
iptables -A INPUT -p tcp --dport [NfSen_port] -j DROP
🧯 If You Can't Patch
- Implement strict network access controls to limit connections to trusted sources only
- Monitor for unusual process execution or privilege escalation attempts on affected systems
🔍 How to Verify
Check if Vulnerable:
Check the installed version. For AlienVault, read /etc/alienvault-release; for NfSen, check nfsen.conf or the installation directory for the version.
Check Version:
AlienVault: cat /etc/alienvault-release | grep Version
NfSen: grep version /usr/local/nfsen/etc/nfsen.conf
Verify Fix Applied:
Verify version is AlienVault 5.3.7+ or NfSen 1.3.8+. Check that NfSen processes are not running as root.
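The version checks above are easy to get wrong when done by eye or with string comparison (a plain string compare ranks "5.3.10" below "5.3.7"). The following is an added example, not part of this advisory or of either vendor's tooling: it parses version strings numerically and compares them against the fixed versions named above (AlienVault 5.3.7, NfSen 1.3.8). The layouts of /etc/alienvault-release and nfsen.conf used in the sample inputs are assumptions, constructed for the example; adjust the regular expressions to match your actual files.

```python
import re

# Fixed versions named in the advisory; anything older is treated as vulnerable.
FIXED_VERSIONS = {
    "alienvault": (5, 3, 7),   # AlienVault USM/OSSIM 5.3.7+
    "nfsen": (1, 3, 8),        # NfSen 1.3.8+
}


def parse_version(text):
    """Turn a dotted version string into a tuple of ints.

    Comparing as strings would rank '5.3.10' below '5.3.7'; comparing
    numeric tuples gets the order right. Missing components are padded
    with 0 so '5.3' compares as (5, 3, 0).
    """
    parts = [int(p) for p in re.findall(r"\d+", text)]
    if not parts:
        raise ValueError(f"no version number found in {text!r}")
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_vulnerable(product, version):
    """True when the installed version is older than the fixed version."""
    return parse_version(version) < FIXED_VERSIONS[product]


def alienvault_version(release_text):
    """Extract the version from /etc/alienvault-release content.

    The file layout is an assumption (see the constructed sample below);
    like the advisory's `grep Version`, we look for a line naming 'Version'.
    """
    for line in release_text.splitlines():
        m = re.search(r"Version[:= ]\s*v?(\d+(?:\.\d+)*)", line)
        if m:
            return m.group(1)
    return None


def nfsen_version(conf_text):
    """Extract a version value from nfsen.conf-style content (assumed layout)."""
    for line in conf_text.splitlines():
        m = re.search(r"(?i)version\s*=\s*['\"]?(\d+(?:\.\d+)*)", line)
        if m:
            return m.group(1)
    return None


# Constructed sample file contents, not copied from a real system.
SAMPLE_ALIENVAULT_RELEASE = "AlienVault USM\nVersion: 5.3.6\n"
SAMPLE_NFSEN_CONF = "# NfSen configuration (constructed sample)\n$VERSION = '1.3.8';\n"


def check_sample():
    """Run both checks over the constructed samples; returns {product: (version, vulnerable)}."""
    av = alienvault_version(SAMPLE_ALIENVAULT_RELEASE)
    nf = nfsen_version(SAMPLE_NFSEN_CONF)
    return {
        "alienvault": (av, is_vulnerable("alienvault", av)),
        "nfsen": (nf, is_vulnerable("nfsen", nf)),
    }


if __name__ == "__main__":
    for product, (ver, vuln) in check_sample().items():
        print(f"{product}: {ver} -> {'VULNERABLE' if vuln else 'fixed'}")
```

On a real host, read the two files with `open()` in place of the sample strings; the version comparison itself does not change. A version check only tells you the package is current; the advisory's second criterion, that NfSen processes are not running as root, still has to be confirmed from the process list.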
📡 Detection & Monitoring
Log Indicators:
- Unusual Perl process execution as root
- Unexpected privilege escalation attempts
- Suspicious commands executed from NfSen context
Network Indicators:
- Unexpected outbound connections from NfSen/AlienVault systems
- Traffic to known malicious IPs from monitoring systems
SIEM Query:
(process_name:"perl" AND user:"root" AND parent_process:"nfsen") OR (process_name:"nfsen" AND user:"root")
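To show the detection logic concretely, here is an added example (not part of this advisory and not vendor code) that applies the SIEM query above, with its grouping made explicit, plus the "suspicious commands executed from NfSen context" indicator, to a handful of constructed process-creation events. The event format, process names, paths and timestamps are all constructed for the example; map the field names onto whatever your endpoint telemetry actually produces.

```python
import re

# Constructed sample process-creation events (not from any real system).
# One event per line: timestamp, process name, effective user,
# parent process name and command line. Paths are invented.
SAMPLE_EVENTS = """\
2017-03-20T10:01:02Z proc=perl user=root parent=nfsen cmd="perl /opt/nfsen/bin/worker.pl"
2017-03-20T10:01:05Z proc=perl user=netflow parent=nfsen cmd="perl /opt/nfsen/bin/worker.pl"
2017-03-20T10:02:11Z proc=nfsen user=root parent=bash cmd="nfsen start"
2017-03-20T10:03:40Z proc=perl user=root parent=cron cmd="perl /opt/scripts/housekeeping.pl"
2017-03-20T10:04:00Z proc=sh user=root parent=nfsen cmd="sh -c 'ls /tmp'"
this line is malformed and must be skipped
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) proc=(?P<proc>\S+) user=(?P<user>\S+) '
    r'parent=(?P<parent>\S+) cmd="(?P<cmd>[^"]*)"$'
)

SHELLS = {"sh", "bash", "dash"}


def parse_events(text):
    """Parse the sample format into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def siem_query_matches(ev):
    """Same logic as the advisory's SIEM query, grouping made explicit:
    (perl AND root AND parent nfsen) OR (nfsen AND root)."""
    perl_as_root_from_nfsen = (
        ev["proc"] == "perl" and ev["user"] == "root" and ev["parent"] == "nfsen"
    )
    nfsen_as_root = ev["proc"] == "nfsen" and ev["user"] == "root"
    return perl_as_root_from_nfsen or nfsen_as_root


def shell_from_nfsen_as_root(ev):
    """Covers the 'suspicious commands executed from NfSen context' indicator:
    a shell spawned as root with the NfSen process as its parent."""
    return ev["proc"] in SHELLS and ev["user"] == "root" and ev["parent"] == "nfsen"


def detect(text):
    """Return (timestamp, rule name, command line) for every event that trips a rule."""
    alerts = []
    for ev in parse_events(text):
        if siem_query_matches(ev):
            alerts.append((ev["ts"], "nfsen-or-perl-as-root", ev["cmd"]))
        elif shell_from_nfsen_as_root(ev):
            alerts.append((ev["ts"], "shell-from-nfsen-as-root", ev["cmd"]))
    return alerts


if __name__ == "__main__":
    for ts, rule, cmd in detect(SAMPLE_EVENTS):
        print(f"{ts} {rule}: {cmd}")
```

Of the five well-formed events, three alert: perl as root under nfsen, nfsen itself running as root, and a root shell spawned from nfsen. The perl-as-root cron job does not, which is the point of the grouping: without the parentheses the query would also fire on every unrelated root Perl process on the host. After patching, the first two rules should go quiet entirely, so any remaining hit is worth a look.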
🔗 References
- http://www.securityfocus.com/bid/97016
- https://sourceforge.net/p/nfsen/news/2017/01/nfsen-138-released---security-fix/
- https://www.alienvault.com/forums/discussion/8698
- https://www.exploit-db.com/exploits/42314/