CVE-2018-1000042
📋 TL;DR
This vulnerability allows remote attackers to execute arbitrary operating system commands on Security Onion's Squert web application. Attackers can exploit this by sending specially crafted web requests to the callback.php file. Organizations running Squert versions 1.3.0 through 1.6.7 are affected.
💻 Affected Systems
- Security Onion Squert
📦 What is this software?
Squert by Securityonion
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise allowing attackers to execute arbitrary commands with web server privileges, potentially leading to data theft, lateral movement, or complete system takeover.
Likely Case
Attackers gain command execution on the Squert server, enabling them to access security monitoring data, modify alerts, or pivot to other systems.
If Mitigated
If properly segmented and monitored, impact limited to the Squert application with no lateral movement to critical systems.
🎯 Exploit Status
Exploitation requires sending HTTP requests to the vulnerable endpoint with malicious payloads in the data or obj parameters.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.7.0
Vendor Advisory: http://blog.securityonion.net/2018/01/security-advisory-for-squert.html
Restart Required: Yes
Instructions:
1. Back up the current Squert configuration and data.
2. Update Security Onion to the latest version.
3. Specifically update Squert to version 1.7.0 or later.
4. Restart the Squert service.
5. Verify that the update completed successfully.
🔧 Temporary Workarounds
Block callback.php access
Temporarily block access to the vulnerable endpoint using web server configuration or firewall rules.
# For Apache: add to .htaccess or virtual host config
# (Apache 2.2 access syntax; on Apache 2.4 without mod_access_compat use "Require all denied" in place of the Order/Deny lines)
<Files "callback.php">
Order allow,deny
Deny from all
</Files>
# For Nginx: add to server block (matches /inc/callback.php under any URL prefix)
location ~ /inc/callback\.php$ {
deny all;
return 403;
}
🧯 If You Can't Patch
- Implement strict network segmentation to isolate Squert from critical systems.
- Deploy web application firewall (WAF) rules to block OS command injection patterns targeting callback.php.
🔍 How to Verify
Check if Vulnerable:
Check the Squert version with grep -r 'SQUERT_VERSION' /opt/squert/ or in the web interface footer. If the version is between 1.3.0 and 1.6.7 inclusive, the system is vulnerable.
Check Version:
grep -r 'SQUERT_VERSION' /opt/squert/ 2>/dev/null || echo "Check web interface footer for version"
Verify Fix Applied:
Verify that the Squert version is 1.7.0 or later and test that the callback.php endpoint properly sanitizes its input parameters.
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to /inc/callback.php with suspicious parameters
- Web server logs showing command injection patterns in data or obj parameters
- System logs showing unexpected process execution from web server user
Network Indicators:
- HTTP requests to callback.php containing shell metacharacters or command sequences
- Outbound connections from Squert server to unexpected destinations
SIEM Query:
source="web_access.log" AND uri="/inc/callback.php" AND (data="*;*" OR data="*|*" OR data="*`*" OR obj="*;*" OR obj="*|*" OR obj="*`*")
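As an added illustration of the log indicators above (not part of the advisory), a small Python checker that applies the same rule as the SIEM query to a constructed request log. It assumes a JSON-lines log from a reverse proxy or WAF that records POST bodies, since the data and obj parameters travel in the body and plain web access logs do not capture them; the sample records, the field names (client, uri, body) and the path prefix are all constructed.

```python
import json
import re
from urllib.parse import parse_qs, urlsplit

# Assumptions (not from the advisory): the log is JSON lines from a proxy
# or WAF that records the request body, since plain access logs do not.
WATCHED_PARAMS = ("data", "obj")          # injection point named by the advisory
SHELL_META = re.compile(r"[;|`&$]")       # the SIEM query's ; | ` plus & and $
TARGET_PATH = "/inc/callback.php"


def suspicious_params(uri, body=""):
    """Return {param: value} for watched params carrying shell metacharacters.

    Values are percent-decoded before matching, so an encoded backtick
    (%60) is caught even though a raw-string SIEM match would miss it.
    """
    parts = urlsplit(uri)
    if not parts.path.endswith(TARGET_PATH):
        return {}
    params = parse_qs(parts.query, keep_blank_values=True)
    if body:  # form-encoded POST body, if the log source captured it
        for key, vals in parse_qs(body, keep_blank_values=True).items():
            params.setdefault(key, []).extend(vals)
    return {name: value
            for name in WATCHED_PARAMS
            for value in params.get(name, [])
            if SHELL_META.search(value)}


def scan_log(lines):
    """Yield (client, uri, hits) for every flagged request in the log."""
    for line in lines:
        rec = json.loads(line)
        hits = suspicious_params(rec.get("uri", ""), rec.get("body", ""))
        if hits:
            yield rec.get("client"), rec.get("uri"), hits


# Constructed sample records, not real traffic.
SAMPLE_LOG = [
    '{"client":"10.0.0.5","method":"POST","uri":"/squert/inc/callback.php","body":"data=1|id&obj=x"}',
    '{"client":"10.0.0.6","method":"GET","uri":"/inc/callback.php?obj=%60id%60&data=1"}',
    '{"client":"10.0.0.7","method":"POST","uri":"/inc/callback.php","body":"data=1&obj=1"}',
    '{"client":"10.0.0.8","method":"GET","uri":"/index.php?data=1|ls"}',
]

if __name__ == "__main__":
    for client, uri, hits in scan_log(SAMPLE_LOG):
        print(f"{client} {uri} {hits}")
```

The decode-then-match step is the point of difference from the wildcard SIEM query: a percent-encoded metacharacter in a raw log field does not match `*;*`, so match on decoded values where your log pipeline allows it.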